"The pen is mightier than the sword" is a phrase that can never be truer than in cyberspace, a place where words define your very ability to be noticed in a crowd.
Most of us have some living memory of a time before widespread use of the internet, when knowledge could only be found in endless volumes of encyclopedias and other books which adorned the library shelves. The information age had yet to come into full effect.
Development of the Information Age
It's a stark and almost unrecognisable comparison to today, where access to information is not only easy but the quantity of information vast. The internet has been remarkably successful at removing traditional barriers; this very article, for example, was written at no cost on the social media website LinkedIn without the involvement of a publishing company. It is consumed freely by other users who may have found it while browsing or even through a keyword search.
Information is more attainable than at any time in our history. As the cliche goes, with this power comes great responsibility.
People who read articles relating to a particular subject are for the most part in search of knowledge greater than their own. There is no greater example of this than the GDPR (General Data Protection Regulation) in IT security circles today, a topic which affects all businesses and organisations throughout the UK (and the wider EU) and has sharp punishments for those that ignore or fall foul of it.
Popularity of GDPR
As you would expect, there is a great desire for knowledge to understand the contents of the regulation, which is being met with a proportional number of articles, blogs, webinars and meetings being offered by vendors, distributors and resellers alike.
The response from the industry in offering up opportunities to demystify the regulation is applaudable and I am glad to see the ostrich being dragged from the sand. I myself consume the same content being produced in an effort to increase my understanding of the topic. There is, however, a small yet worrying tendency to hijack the popularity that the GDPR discussion is enjoying and use it as a buzzword for almost any purpose.
This is nothing new; take the term hacking, for example. This term has come to be used to describe any act of computer misuse. Its attention-grabbing power as a keyword has led it to be used in cases where it has no literal application, purely to attract readership. Its true meaning becomes watered down, converting it from keyword to buzzword.
There are two instances I have witnessed which lead me to believe use of the keyword GDPR is taking the same path: attempts to publicly align security products to a regulation which clearly states in the first two pages that it is designed not to do that; and people citing the potential fines breach victims would incur even when that regulation wouldn't apply. The desire to attach the GDPR hashtag is stronger than the need to be transparent.
The recent Tesco Bank breach was a perfect example of the latter. I have witnessed on at least two social media platforms (and, disappointingly, a well-respected media outlet) an accusation that under the GDPR, Tesco would be liable to huge fines. This is simply incorrect based on the information we have at the time of writing. The GDPR is concerned with the protection of direct and indirect personally identifiable information, not the contents of a bank account. Considering that at the time of writing this article we only know that money has been stolen, the GDPR has no jurisdiction.
As experts in our industry and for experts in others, people look to us to help them with furthering their knowledge. We are self-appointed leaders and bear a responsibility to our readers and content consumers. It is easy to play a game of smoke and mirrors for the purpose of a sale but we must always be aware of the bigger picture.
After all, the internet's memory is far mightier than the elephant's.