Translated with www.DeepL.com/Translator
Are you surprised? Do you have the impression that information security is a very important topic today? Then you share my view. The data protection laws, and above all the DS-GVO (GDPR), in no way reflect the importance of information security: Art. 32 has just four paragraphs, hardly more than a side note. Nothing has been done here, and not even the old provisions from the existing data protection laws have been carried over. Of course, the law speaks of technical and organisational measures and demands adequate security measures. That does not get us anywhere. Is there a reason for this? I can offer at least one explanation:
In practice, the security officer is the natural enemy of the data protector.
Data protection remains an empty theory if the necessary security measures are not implemented. However, many data protection officers see security measures primarily as a threat to their clientele, namely employees (this is particularly true in Germany, where data protection is often the extended arm of the works council). In their view, employees are to be spied on, their work monitored and their personal preferences recorded by the employer. This type of data protection serves mainly the self-gratification of self-proclaimed data protection missionaries.

From an entrepreneurial point of view, it is necessary to ensure that ALL data (and by this I mean both company data and employee data) are properly protected and that the risks are known and can be limited. However, the threats to data have increased to such an extent that a terse wording, as the law provides today, is no longer sufficient. The law may not deliberately lower the level of information security, but the user is left with the impression that it is enough to draw up data protection declarations and formulate declarations of consent.

Data protection consists of 40% information security, 40% information governance, 10% processes and 10% policies and contracts. According to a recent survey by KRM, the majority of Swiss companies do not have information security management. They therefore also do not know the risks to which they are exposed. In a very active cybercrime environment, this is more than questionable.