We are very happy to announce that Cyber Risk Leader Jenni Parry will speak at PrivSec Global this month.


Streaming live May 22 and 23, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today.

Jenni is an Associate Director of Cyber Risk with Aon, a role that involves her providing guidance and consultation to organisations, helping them to identify and evaluate their cyber risk. This, in turn, facilitates the creation of ongoing strategies that consider factors like change, corporate culture, and risk tolerance.

Jenni appears exclusively at PrivSec Global to discuss how organisations must adapt to evolving regulatory frameworks.

Below, Jenni answers questions on her professional journey and the themes of her PrivSec Global session.

Could you outline your career pathway so far?

My first real job was as an IT Operator, back in 2000. In this role, I was responsible for monitoring the systems and batch jobs, along with performing checks to verify that systems were stable and backups were being performed.

It gave me hands-on experience of the industry and the various roles available in IT. After a couple of years in that role, I left work to have my children. After three years of being a stay-at-home mum, I then began my undergrad in Computer Science with UCD.

After I graduated, I became an IT Auditor and Risk Consultant for four years with EY. This role gave me great experience auditing different financial institutions, checking their controls, and seeing what risks there were. I learned very quickly what broken controls and processes look like, and what the impact of these factors can be. Resilience assessments were also a large part of the role.

From there, I went to Canada Life where I was an IT and Cyber Risk Manager for two and a half years. That was a very different role: I went from being the auditor – coming in and observing and documenting everything – to actually being on the ground and working with the various infrastructure teams. I wore a couple of different hats in that role.

I was, obviously, the Risk Manager, so I managed the risk register and performed risk assessments. I was the lead for Data Privacy as well, so I would have been doing a lot of DPIAs, and a lot of other assessments in that area.

This was a brilliant learning opportunity, as at the time there were a lot of new security tools being implemented, e.g. EDR and SIEM. Reviewing the documentation gave me a really good understanding of how these tools actually work! I was also responsible for overseeing the Vulnerability Management programme. This gave me first-hand experience of SAST testing, DAST testing and penetration testing. I had to ensure that testing was performed and that identified vulnerabilities were being addressed on set time schedules.

I joined Aon in 2021, where I currently advise clients on how they can improve and increase their security posture. For anyone who has gone through the cyber insurance process, you’ll find there are a lot of questions and a lot of forms. The problem with cyber is it’s not a simple ‘yes’ or ‘no’ game. So, I try to shine a light on the grey areas; by talking to our clients, I’m able to identify those compensating controls, and really articulate what people are doing to try and mitigate the risk of cyber.

Could you give an overview of the main dynamics behind the evolution of global data privacy regulation?

In my opinion, the biggest driver for regulation is the evolution of cybercrime over the last few years. The pandemic forced many organisations to turn their entire workforce remote, which meant there were a lot more opportunities for hackers.

Malware-as-a-service has emerged, leading to an underground economy in cyber warfare; this, in turn, has significantly lowered the barrier to entry for would-be hackers. Phishing has become a major problem, which has only been compounded by the use of AI and large language models.

The new regulations which are coming into force over the next few months, specifically DORA and NIS2, aim to improve the overall cybersecurity of critical sectors across the EU. This will be done by enforcing new cybersecurity risk management measures to ensure a minimum baseline of security is in place; this will include improved risk management and accountability, business continuity, incident response and reporting.

What are the primary challenges that businesses face when it comes to dealing with these dynamics and putting themselves in a position that optimises compliance?

I think this will very much depend on how mature the organisation is before they start their compliance journey. If they have effective processes and controls in place and are documenting all key information, they will be in a good place to implement the new measures.

However, if they are missing critical functions – for example, if they don’t already have an incident response plan in place – they will have a long road to get all the required elements of the directive in place. Budget will also play into this in a large way.

Board accountability and cybersecurity training are required by both DORA and NIS2 – this might be a challenge to some organisations. The scope of entities covered by NIS2 is quite broad and there is a new size cap rule; however, it is up to the organisation to determine whether or not they are in scope for the directive.

Don’t miss Jenni Parry debating these issues in depth in the PrivSec Global panel: Regulatory Evolution: Navigating Shifting Priorities and Practices.

The regulatory landscape is in a state of constant evolution with regulators adapting their priorities and practices to address emerging risks, technological advancements and changing societal expectations.

This panel discussion will delve into the dynamics of this evolution, exploring the factors driving shifts in regulatory agendas and the implications for businesses, industries and consumers.

Details

Session: Regulatory Evolution: Navigating Shifting Priorities and Practices

Time: 17:00 – 17:45 GMT

Date: Wednesday 22 May 2024

The session sits within a packed two-day agenda of insight and guidance at PrivSec Global, livestreaming through Wednesday 22 and Thursday 23 May, 2024.

Discover more at PrivSec Global

As regulation gets stricter – and data and tech become more crucial – it’s increasingly clear that the skills required in each of these areas are not only connected, but inseparable.

Exclusively at PrivSec Global on 22 & 23 May 2024, industry leaders, academics and subject-matter experts unite to explore these skills and the central role they play in privacy, security and GRC.