
The British Airways Fine and Why I Founded Panaseer

July 09, 2019

Nik Whitfield

I founded Panaseer 5 years ago as a strategic proposition based on 3 market forces which I believed would dominate the future cybersecurity market:

  1. Increasing scrutiny, driven by regulators
  2. Scarce security personnel
  3. An explosion in security tools and attack surface

We have been watching as these 3 market forces continue to gain importance and influence the market. Indeed, all continue to grow as issues for enterprises and will do so for at least the next 5 years. Yesterday, the trigger event we’d been anticipating dropped like a bombshell – a massive penalty to a reputable global brand, which will cause a fundamental shift in the security market and the way we think about and invest in security.

The proposed fine of £183M ($230M) that the UK Information Commissioner’s Office (ICO) issued against BA was the ICO’s first penalty notice under GDPR, and the largest fine for a cyber-security failure announced anywhere to date. The regulator was lenient: the GDPR ceiling is 4% of annual global turnover, which for BA would have been roughly £488M ($610M).

Imagine the impact in every board room of every organisation doing business in the EU. Every industry is in scope, regardless of where the company is domiciled, because GDPR applies to anyone processing the personal data of people in the EU.

The fine was not imposed because BA was breached – although the breach was the trigger for the investigation – but because the ICO found that BA ‘was compromised by poor security arrangements’. Boards all around the world will now be asking: ‘Do we have poor security arrangements?’ Answering that question is both hugely important and an enormous challenge.

Until now that answer has been pieced together through ad-hoc, manual assurance of assets and controls, typically with spreadsheets and questionnaires – painful, incomplete and out of date by the time it is read. GRC tooling, which records what people attest to rather than what the estate actually looks like, does not solve this.

Indeed, in research we conducted before the BA fine, 89% of companies reported concerns about their lack of visibility and insight into trusted security data. This is despite security teams spending 36% (and rising) of their time trying to create that insight from 75+ security tools (150+ for banks).

Yesterday’s fine signals that this is inadequate. The new standard is to continuously and automatically inventory an enterprise’s assets and to verify that the security controls expected on each of them are present and working effectively. This will become a basic level of diligence for enterprise organisations. This is Continuous Controls Monitoring (CCM), and it is the reason we built this company and the Panaseer Platform.
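To make the idea concrete, the following is an added illustration of the core CCM check, written for this article and not code from the Panaseer Platform. It takes a constructed asset inventory (the kind of list a CMDB holds) and constructed exports from two control tools, an EDR console and a vulnerability scanner, and reconciles them: an asset with no record in a tool is missing that control; an asset the tool has seen, but not recently, has a control that is present but not working; a host the tool knows about but the inventory does not is an inventory gap. The hostnames, timestamps and freshness thresholds are all hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical hosts, not from any real estate).
CMDB_ASSETS = [
    {"hostname": "WEB-01.corp.example", "owner": "ecommerce", "internet_facing": True},
    {"hostname": "web-02", "owner": "ecommerce", "internet_facing": True},
    {"hostname": "db-01", "owner": "platform", "internet_facing": False},
    {"hostname": "hr-laptop-17", "owner": "hr", "internet_facing": False},
]

# hostname -> last agent heartbeat, as an EDR console might export it
EDR_AGENTS = {
    "web-01": "2019-07-09T06:10:00Z",
    "web-02.corp.example": "2019-06-20T09:00:00Z",  # agent went quiet weeks ago
    "db-01": "2019-07-09T05:55:00Z",
    "build-99": "2019-07-09T06:00:00Z",             # not in the CMDB at all
}

# hostname -> last authenticated vulnerability scan
VULN_SCANS = {
    "web-01": "2019-07-03T02:00:00Z",
    "db-01": "2019-05-01T02:00:00Z",
    "hr-laptop-17": "2019-07-08T02:00:00Z",
}

NOW = datetime(2019, 7, 9, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def normalise(hostname):
    """Tools disagree on case and FQDN; map 'WEB-01.corp.example' and 'web-01' to one key."""
    return hostname.strip().lower().split(".")[0]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def control_status(last_seen, key, now, max_age):
    """'missing' if the tool has never seen the asset, 'stale' if its latest
    evidence is older than max_age (present but not working), else 'ok'."""
    seen = last_seen.get(key)
    if seen is None:
        return "missing"
    return "ok" if now - seen <= max_age else "stale"


def evaluate(assets, edr, scans, now=NOW,
             edr_max_age=timedelta(days=1), scan_max_age=timedelta(days=7)):
    """Return (per-asset findings, hosts seen by EDR but absent from the inventory)."""
    edr_seen = {normalise(h): parse_ts(t) for h, t in edr.items()}
    scan_seen = {normalise(h): parse_ts(t) for h, t in scans.items()}
    findings = []
    for asset in assets:
        key = normalise(asset["hostname"])
        findings.append({
            "asset": key,
            "owner": asset["owner"],
            "internet_facing": asset["internet_facing"],
            "edr": control_status(edr_seen, key, now, edr_max_age),
            "vuln_scan": control_status(scan_seen, key, now, scan_max_age),
        })
    known = {normalise(a["hostname"]) for a in assets}
    unknown_hosts = sorted(set(edr_seen) - known)
    return findings, unknown_hosts


def coverage(findings, control):
    """Percentage of inventoried assets on which the control is present and fresh."""
    if not findings:
        return 0.0
    ok = sum(1 for f in findings if f[control] == "ok")
    return round(100.0 * ok / len(findings), 1)


def gaps(findings):
    """Assets with any control missing or stale, internet-facing ones first."""
    bad = [f for f in findings if f["edr"] != "ok" or f["vuln_scan"] != "ok"]
    return sorted(bad, key=lambda f: (not f["internet_facing"], f["asset"]))


if __name__ == "__main__":
    found, unknown = evaluate(CMDB_ASSETS, EDR_AGENTS, VULN_SCANS)
    print(f"EDR coverage: {coverage(found, 'edr')}%  "
          f"vuln-scan coverage: {coverage(found, 'vuln_scan')}%")
    for f in gaps(found):
        print(f"GAP {f['asset']:<14} owner={f['owner']:<10} "
              f"edr={f['edr']:<8} vuln_scan={f['vuln_scan']}")
    print("Hosts with an EDR agent but no CMDB record:", unknown)
```

Run against the constructed data this reports 50% coverage for both controls, lists web-02 (stale agent, never scanned) ahead of db-01 and hr-laptop-17, and flags build-99 as a host the inventory does not know about. The freshness thresholds are the important design choice: a control that is installed but has not reported in weeks is not a working control, and a scheduled job re-running this join is what turns a one-off audit into monitoring.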

Every board doing business in the EU now has a clear business case for CCM.

If you’d like to join the conversation around CCM you can tweet us here or reach out to me directly via LinkedIn to set up some time to talk.