Ole Christian Olsen has more than 10 years of experience in IT Security and IT Audit. He specializes in cybersecurity, compliance, and regulations, and holds certifications in CISA, CRISC, COBIT 5, ISO 27001 Implementation, and ITIL. He has worked for major companies in the Netherlands and Norway.
We believe it’s important to share the perspective of an expert in compliance and regulatory matters. In this interview, Ole answers a series of questions we’ve prepared, beginning with the one below:
What are regulations, and why are they important?
Regulations are rules enforced by governmental agencies. They are important because they establish the standards for what you can and cannot do in business. Regulations ensure that everyone follows the same rules and help protect citizens.
Take, for example, the General Data Protection Regulation (GDPR) in Europe. This privacy regulation protects individuals by outlining their rights and setting limits on what businesses can do with personal information.
Is it important to comply with regulations?
Yes—compliance with the regulations applicable to your industry is always important. The degree of compliance depends on each organization’s risk management approach.
Some regulations, like the GDPR, require you to have adequate security in place when processing personal data. But what does that mean? The regulation itself explains that security measures must be aligned with the level of risk. This means every organization that processes personal data must conduct its own risk analysis.
Based on the level of risk and the organization’s risk appetite, appropriate security measures should be implemented.
What happens if you don’t comply with applicable regulations?
Non-compliance can result in hefty fines, which should be factored into any risk management plan. But beyond the financial penalties, there’s also the risk of reputational damage. Who wants to do business with a company that’s made headlines for failing to follow regulations?
Where do you start? What is the first and most important step to ensure compliance?
The first step is to gain a clear overview of the laws and regulations that apply to your organization. These vary by industry. Some laws are universal, while others are industry-specific. Additionally, publicly listed companies may have to comply with extra requirements.
Once you understand what applies to you, conduct risk assessments. The results will help define your governance framework—policies, procedures, and controls—which is how you demonstrate and document compliance.
How important is information security today in relation to regulations?
As society increasingly depends on data and information systems, many regulations now include mandatory requirements for information security. Losing credit card or health data can have serious consequences for both individuals and companies.
However, information security shouldn’t be done just to meet regulatory requirements—it should be done to protect your assets. Today, data is more valuable globally than oil. When most of your assets are digital, protecting them is simply smart business.
A regulation might require an information security awareness program. If you only send out a yearly memo and have employees sign a form, you may be technically compliant—but you’re not secure. If you recognize phishing and social engineering as real threats, you’ll invest far more in ensuring your employees understand and prevent security risks.
How would you start protecting your information assets?
Start by identifying your information assets—what they are, their value, their criticality, and their location. These can be categorized based on Confidentiality, Integrity, and Availability (CIA) and ranked as low, medium, or high in criticality.
Once you’ve completed the valuation, focus your efforts and budget on protecting the most critical information. There’s no point in heavily protecting public data while leaving confidential information exposed on an unsecured server.
Finding and categorizing all information assets sounds like a big job. Is it possible to get a full overview?
It certainly is a big job. Structured data in databases is easier to manage—you know what’s stored, where it’s located, and how it moves between systems.
Unstructured data, like documents, spreadsheets, and files, is much more challenging. Unless you already have a system in place to classify documents when they’re created, you’re in for a significant task.
Even getting users to understand what “confidential” means can be difficult. For example, a meeting minutes document could be public or confidential depending on the content. Fortunately, there are tools and methods available today to help organizations take control.
Any final words of advice?
Be aware of regulatory requirements, perform risk analyses, understand the value of your information, and protect it accordingly.
Tools like Kriptos can help significantly. Kriptos uses Artificial Intelligence and Machine Learning to automatically classify documents by analyzing their content and context. This gives the security team insights into data sensitivity, location, and critical users or areas, enabling smarter allocation of budgets and tools. In the end, this saves both time and money.