Call us on 03450 21 21 51

GDPR: a question of confidence
The SRM Blog

GDPR: a question of confidence


Written by SRM

18th January 2018

Share this article

In a recent interview with SC Media, Amazon Web Services (AWS) Chief Information Security Officer (CISO) Stephen Schmidt explains how his organisation is set up for full General Data Protection Regulation (GDPR) compliance. Not only does Schmidt say that 72 hour reporting holds no fears for Amazon but that all other requirements of GDPR are well in hand. Yet, leading up to 25th May 2018, few others can have such self-belief. So how can other organisations achieve similar levels of confidence?

In short, professional CISO support will provide expert guidance on building GDPR compliance into an organisation’s systems in the most cost-effective and robust manner.  The first step is to know your environment and to scope what data you hold and where it is. This is a major component of then being able to move forward and determine what needs to be done and where. SRM offers both strategic level CISO support and a Virtual CISO (vCISOTM) service for smaller organisations unable to employ a resident CISO.

So, as the implementation of the General Data Protection Regulation draws closer and organisations across the UK consider their state of preparedness, it is perhaps worth considering why Stephen Schmidt is so confident that his company is ready.

A former FBI intelligence analyst, Schmidt’s confidence is not the only unusual thing about him. Firstly, he has held the CISO post at AWS for over ten years which, considering the average CISO is only in post for 2.2 years, is remarkable in itself. The second notable thing about him is that he considers it a ‘wonderful job’; not the view expressed by many resident CISOs who feel acute stress knowing that when it comes to security and compliance the buck really does stop with them. The fact is, however, that resident CISOs of this calibre are hard to find and expensive to retain.

To read the full interview with Stephen Schmidt, see here. In summary, however, he makes (among many others) the following points:

  • ‘We comply with the law in every jurisdiction in which we operate… Unlike some other folks, we don’t have to bolt privacy controls onto our services afterwards – they’re built from the beginning. Which means it’s much easier for us to be compliant with things like GDPR.’
  • ‘The guiding principle here is, our customers own their data.  It’s something that we give them a lot of tools on how to protect. It’s an area where we give them a lot of opportunity to encrypt, appropriately, and control their own encryption keys if they wish, and it’s up to the customer then to choose “How do I want to manage my privacy?” and “how do I want to manage access to information?”’
  • ‘We do the same things that anybody else should be doing, that is, know your environment intimately, monitor it thoroughly, alarm when things exceed your normalcy thresholds, and most importantly, have a very narrowly confined long term blast radius so that if something does go wrong it can find the critical error.’

What can be learned from this? Well, firstly that GDPR compliance goes far deeper than simply a tick box exercise. Secondly, that unless you are as experienced as Mr Schmidt, it is advisable to seek professional CISO support.

SRM is at the forefront of information security in the UK. As cyber security supplier to H M Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels from GDPR compliance to disaster recovery.

If you would like to find out more about gaining GDPR confidence, contact Mark Nordstrom at or phone 03450 21 21 51.

Visit our website:

Or read our blog:

UK research highlights the lack of Chief Data Officers at C-Suite level

After GDPR, what will happen to ICO notification fees?

How a CISO can exert influence at board level


Back to top