Keeping Calm and Carrying on Amid a ‘No-Certainty’ Brexit



By Neil Thacker, CISO and DPO for Netskope

All bets appear to be off in the Brexit negotiations, with political pundits uncertain about what happens next and about the implications of any decision. With the only certainty being uncertainty, many businesses are reaching crunch point when it comes to making strategic decisions; they can't hold out any longer.

So, amid all the 'no deal, deal, no Brexit' scenarios, how can organisations deal with the one thing we can be sure of: the 'no certainty' scenario?

The benefits of cloud in an uncertain world are obvious – its lack of CapEx and easy scalability appeal to organisations keen to be agile and competitive. But there are residual concerns that often come with cloud purchasing decisions, and no one likes to pile additional worries onto a foundation of uncertainty.

If you need to make decisions about cloud services faster than the UK/EU parliaments are moving, what can you do to mitigate the risks of any potential outcome? 

  • Data residence and geographic portability

You'll already be checking where your data will reside under any cloud agreement, but add to this a consideration of how the alternative Brexit outcomes may play out in your own organisation. In some outcomes your operations may move into other jurisdictions, whether to remain resident in the EU or for competitive reasons. If data location matters to you, make sure your cloud provider can relocate your data between regions as the political lines move around you, and check that the commitment covers backups and logs as well as the primary copy.

  • Data transfer agreements

While we are talking about movement of data, I would be remiss not to mention GDPR. It is important to remember that, while there will be no immediate change to the UK's own data protection standards, in a No-Deal Brexit the UK becomes a 'third country' in the eyes of EU GDPR enforcement. Transfers of personal data from the EU to the UK would then need a recognised transfer mechanism (an adequacy decision or, until one exists, safeguards such as Standard Contractual Clauses), just as transfers to any other third country do. If your business currently processes data between the UK and the EU, whether through your own information architecture or through a cloud service, make sure you are ready for this change in the UK's status so that you do not fall foul of data protection law.

  • Language support

Bear in mind how your employee base may change in the coming years.  The fallout from Brexit is not the only reason why you may find yourself with a large internal user base in a market you have not previously supported (growth and acquisition often bring this challenge).  If you are looking at services that require interrogation of data (intelligent DLP for instance), make sure your service provider can support a range of languages and characters … as well as syntax and context within these languages. 

  • Support for new work patterns

While you may not currently be catering to a particularly remote or mobile workforce, many Brexit-influenced business decisions may add to a longer-term trend towards new work patterns.  I would argue that support for mobile and remote users is an unavoidable essential in any IT service now, but be careful that you do not jump to enabling access and activity without simultaneously ensuring that you have clear visibility of what those users are doing.   Recently I have seen a number of line-of-business departments turning to cloud services to support mobile and remote users without IT being able to properly see what is being used and the implications for DLP and DP compliance.  This should obviously be very concerning for the DPO!

  • Protection for intellectual property and data ownership

I am including this in my list because, regardless of Brexit, organisations I talk to are regularly not doing enough due diligence when choosing cloud service providers. The Cloud Security Alliance issues objective criteria for assessment in security, legal, audit and third-party certifications, vulnerabilities and exploits, financial viability, and privacy features. Netskope's Cloud Confidence Index uses these CSA criteria to award cloud services a score out of 100. Not all clouds are equal; as an illustration, there's a well-known document storage service which scores just 16/100. By way of comparison, one of the major IaaS platforms scores a much more reassuring 97/100.

  • Avoiding lockdown

My final point isn't about the finer legalese of data protection agreements; instead it concerns the priority of most boards in uncertain times: competitiveness. There is a real risk that IT teams respond to a fast-shifting and untested lie of the land by locking down unknown services, with 'block' as the default setting. This could be disastrous for companies that are already being forced to compete with a set of new handicaps. While shadow IT can be viewed as a perpetual nemesis, it is often hugely instrumental in gains in agility and productivity, and heavy-handed blocking is far from ideal. Instead of blocking to protect against the unknown, focus on efforts that increase visibility: which services are in use, by whom, and what data is flowing to them. Many imagined monsters vanish in the light, and those that don't can be defended against much more effectively.
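As a concrete illustration of "visibility before blocking", here is an added example (my own, not Netskope's tooling or any product code) that turns ordinary web proxy logs into a shadow-IT inventory. The log format, the hostnames and the sanctioned-service list are all hypothetical, and the sample lines are constructed for the example; the idea is to surface which unknown services are in use, by which departments, and how much data is being uploaded to them, so that a risk decision can be made per service rather than blocking everything unfamiliar by default.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic). Assumed format:
# timestamp user department method host bytes_out
SAMPLE_LOG = """\
2019-03-01T09:12:04Z alice finance POST files.example-storage.com 5242880
2019-03-01T09:13:10Z bob marketing GET www.example-crm.com 1024
2019-03-01T09:15:33Z carol finance POST share.unknown-drive.net 20971520
2019-03-01T09:16:01Z dave engineering POST api.example-iaas.com 4096
2019-03-01T09:17:45Z erin marketing POST share.unknown-drive.net 1048576
2019-03-01T09:18:02Z alice finance GET notes.paste-service.org 512
"""

# Services IT has already assessed and approved (hypothetical hostnames).
SANCTIONED = {
    "files.example-storage.com",
    "www.example-crm.com",
    "api.example-iaas.com",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<dept>\S+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        yield rec


def shadow_services(text, sanctioned=SANCTIONED):
    """Aggregate traffic to hosts outside the sanctioned set.

    Returns {host: {"users": set, "depts": set, "bytes_out": int}}.
    Only upload-style methods count towards bytes_out, because outbound
    volume is what matters for DLP and data protection exposure.
    """
    report = defaultdict(lambda: {"users": set(), "depts": set(), "bytes_out": 0})
    for rec in parse_lines(text):
        if rec["host"] in sanctioned:
            continue
        entry = report[rec["host"]]
        entry["users"].add(rec["user"])
        entry["depts"].add(rec["dept"])
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_out"] += rec["bytes"]
    return dict(report)


def prioritise(report):
    """Rank unknown services by upload volume, then by number of distinct users."""
    return sorted(
        report.items(),
        key=lambda kv: (kv[1]["bytes_out"], len(kv[1]["users"])),
        reverse=True,
    )


if __name__ == "__main__":
    for host, info in prioritise(shadow_services(SAMPLE_LOG)):
        print(
            f"{host}: {len(info['users'])} user(s) in {sorted(info['depts'])}, "
            f"{info['bytes_out']} bytes uploaded"
        )
```

Run against the constructed log, the ranking puts the unknown file-sharing host first (two departments, over 20 MB uploaded) and the paste service, which so far has only been read from, last. That ordering is the point: the upload-heavy unknown service is the one to assess (or, if necessary, block) first, while the rest can be reviewed rather than reflexively blocked.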