Natural evolution is ISAS’s preferred path to growth

It’s been a busy few years for ISAS (Information Security Assurance Services Ltd), a company which has significant plans for the future.

The company’s growth has been deliberate and precise, building a core team that is equipped to deal with any manner of data protection and information security issues.

ISAS managing director Conor Flynn said that it was a natural evolution for the company: starting off as an information security entity and now maturing to offer data governance that encompasses information security and data protection.

“What we found is that we, as an organisation, have become more focused on data protection for many years because it was an integral part of protecting information assets for organisations,” he said.

“What brought our customers’ minds to focus on these areas is the introduction of good governance requirements and the new compliance and regulatory environment that they must operate in.”

The crux of these regulations is GPDR, which came into effect at the end of May. Much of the build-up has helped focus organisations’ minds on what needs to be done, including for example the requirement to designate a data protection officer (DPO).

This decision depends on factors such as the type of entity acting as data controller or data processor, the core processing activities undertaken by the entities, and the type of personal data processed.

In certain cases, the appointment is mandatory, in others it is a choice - a visible and demonstrable commitment to data protection.

Not all of the organisations that require a DPO can afford to hire one full time, so one of the services ISAS offers is the provision of an outsourced DPO. Through this arrangement, organisations can get the benefits that come with having a DPO without having to hire one full time.

“The outsourcing of effectively what is a part-time function for a dedicated role is very attractive to people,” said Sinéad McDonald, head of compliance and regulatory affairs and who acts as DPO for a number of ISAS clients in the health sector, public sector, fintech start-up and political arena.

“We’ve had to satisfy these requests from our clients by offering an outsourced DPO role as a lot of these organisations can’t afford to have a dedicated one.”

In addition, some organisations may not realise that certain internal roles would be seen as being in conflict with sharing the role of the DPO, according to ISAS’s head of risk and assurance services Martin Kerrigan.

“Traditionally it would have been quite common for the head of IT or HR to carry a data protection role,” he said. “[Yet] the Article 29 Working Party - which issued guidance and interpretation in terms of the previous Data Protection Directive and is now replaced with the European Data Protection Board since May 2018, stated that the head of IT, legal, finance, human resources, operations and so on can be in conflict with the role of the data protection officer.”

Growing need

The growing need for specialist skills means ISAS has grown its customer base to include some prominent clients.

For one, it has a strong presence in the public sector and counts half of the government’s departments as clients. It also has a strong presence in the regulated financial sector as well as fintech companies, both start-ups and established organisations.

Having joined ISAS in 2018 as a senior data privacy specialist, Julian Smith has also been working in the public sector, regulated financial services sector and the health sector in the delivery of DPO outsourced roles for ISAS. It’s something that has brought a number of opportunities to the company.

“Having joined ISAS as the DPO service sector was developing was a great opportunity to deliver upon the skills built in data protection over many years,” he said.

The reasons for engaging in data governance, data protection and information security aren’t just to satisfy regulations, it can also show stakeholders and customers that a company is serious about protecting the personal data it processes. This can add confidence to both parties, and help the business grow further.

“Companies realise that for their shareholders, stakeholders and customers, they need to demonstrate maturity when it comes to both data governance and information security,” said Flynn. “Getting involved with an organisation like us from the very beginning helps as their investors are asking them: ‘What are you doing about information security, or cyber [and] personal data?’

“Having us onboard has led to increased levels of commitment from their investment partners when they see how seriously they’re taking these principles by having us involved.

“That’s been a really exciting part for us, getting involved with start-ups and organisations who are working in regulated sectors and benefiting by having us involved from an investor’s perspective.”

This reputation is certainly earned, as ISAS is strong in both the general and niche areas of information security and data governance. It has strength in depth - there are 12 on the team and it has strong connections with other teams and companies to ensure it works efficiently - which adds to the appeal.

Flynn mentions that many customers comment on how they came to them for help on information security, but stayed with them because of its service, commitment, integrity and the breadth of its data protection services.

“We’re not just an information security company . . . we’ve grown quite a significant business area as a result of training our own staff and people that have wanted to join us,” he said.

“All our staff working in the data protection area have qualified with diplomas or certificates from the King’s Inn, the Law Society or the ICS and that’s a big investment and commitment from our perspective. It ensures our absolute quality and consistency for our customers.”

ISAS’s unique blend of information security and data protection skills has been a huge benefit to its clients, said its senior data privacy specialist Tom Gilligan.

“In other scenarios, a client may have two different organisations supplying different advice and opinions, sometimes with their own agendas at play,” he said. “With ISAS, the data governance umbrella ensures that both sides are addressed from one organisation and with a consistency that leads to assurance.”

Gilligan is currently delivering a number of key data protection-related projects in the public sector and a high-value retail brand in the automotive sector. His role involves working with businesses to ensure a balance between the rights of the data subjects and the legitimate interests of the business to carry out their activities.

That tends to be the heart of data governance: a balancing act between data protection and information security. While it’s tempting to put all your data into lockdown so you’re protected, that can prevent you from using your data effectively, negating the purpose of having it in the first place.

“One example would be information security professionals saying they want to keep logs and audit trails for long periods of times for investigation, whereas data protection says you can only keep it for as long as its stated purpose, and then after that you must remove it,” said David Hickey, a key member of the ISAS privacy team who has been recently been delivering privacy projects in the local authority sector, the public sector and the health sector.

“Policy definition and adherence are key here and there are huge overlaps as well because to maintain privacy, you have to have security.”

Strength in specifics

One of the areas that this plays out in is that of forensic investigations and the requirement for the preservation of evidence and investigative material.

It’s something that VM Group, which has been a long-term member of the ISAS team, specialises in. Dr Vivienne Mee and her team of forensic specialists have worked with ISAS in investigating many data protection-related breaches and providing recommendations on preventing re-occurrence. These were often not ISAS customers at the time, but subsequently became them.

“There are some differing principles, but there is some strong commonality in the protections of the assets and that’s where I think a lot of our clients find ISAS to be a strong partner,” said Mee.

“Some of our people have come from legal backgrounds, they’ve been in charge of regulatory affairs for multinationals so they’re coming from strong, principled compliance roles and are now looking after privacy.

“That’s a nice complement to the information security technology people that we have always had, and there’s a strong balance of two different skill types there.”

Another area that has grown in prominence is the cloud platforms and solutions like Microsoft Office 365 and Google’s G Suite. While they have brought greater levels of efficiency and collaboration to teams, the way in which businesses can fail to implement security controls is of concern, said lead auditor and platform specialist for cloud solutions Mandy Nicoll.

“The scary part, for me, is the inconsistency with regard to the configuration of the really powerful controls and capabilities that both Google and Microsoft put at the customer’s disposal when it comes to information security and data protection,” she said.

“These platforms are developing their controls on a continuous basis, but customers and their support partners are failing to implement them. The number of business emails compromised as a result of these poor implementations is disappointing as they are so easily preventable.”

That’s where data governance comes into play, something which ISAS says is the answer clients are looking for when trying to be good custodians of personal data. Transparency and having demonstrable evidence at all points in the handling of personal data assets is vital, and this should apply to other critical information assets of the organisation.

Other important relationships ISAS has formed include one with Edgescan, which is responsible for the Edgescan Complete Vulnerability Intelligence platform. The ability to call on a team with the depth and breadth of the Edgescan organisation has been transformative for ISAS and its clients.

Whether it is dealing with client emergencies, performing code reviews or carrying out the most meticulous and detailed of manual application tests, the Edgescan team complements ISAS’s internal skills to give clients the highest level of assurance in relation to websites or other online systems.

Edgescan has grown to be a globally recognised brand in the information security sector, and recent global client wins such as Disney and recognition from the likes of Gartner and Tech Excellence are evidence of this.

Its Continuous Vulnerability Assessment provides ongoing assurance to management of the integrity of online systems and also indicators of performance of service partners in mitigating issues identified.

Regarding key hires to the ISAS team, it recently added Stephen Breen and Dave Crawley to the mix. Both of them are recognisable names in the Irish and international information security landscape, and have added to the depth of talent available.

On top of that, John Mooney, another veteran of the Irish information security market, has joined ISAS as sales director. Handling the increasing volume of activity and complexity of sales and allow the senior management team continue to focus on customer service delivery is his focus.

Then there’s ISAS’ ISO27001:2013 certification, which is something Martin Kerrigan is spearheading and something its team is proud of. Kerrigan has also assisted a number of its clients to successfully navigate through the ISO27001 certification process and achieve certification of their own, tying in with the company’s ethos of helping them ‘walk the walk’.

The other element that sets ISAS apart is its independence. It’s not tied down to any particular vendor, nor does it have to sell any particular software or hardware, meaning it’s free to advise its clients to best suit their needs.

Its ability to help clients mature their SecOps functions are greatly enhanced with these additions and will ensure their information security operations functions are operating at peak performance.

“We don’t sell antivirus, we don’t sell firewalls, we don’t sell anything like that,” Flynn said. “We can be completely independent, completely true and completely transparent from our customers’ perspective. We offer quite a unique proposition, given our data protection, data governance and information security roles and other advisory firms, such as law firms, are seeing the benefits for their clients.

“I am fiercely proud of the team that we have built in ISAS over the last few years and, just as importantly, the strategic relationships that we have forged built on integrity, commitment, loyalty, quality and friendship. These are enduring relationships that can only benefit our clients and give us the capacity to scale out based on customer requirements.”

For further information please email: info@isas.ie