A few weeks ago, comforte AG hosted an online webinar featuring Forrester. The focus of that presentation was the intersection point between data privacy and data security. The overall goal was to emphasize the impact on businesses large and small and how to put data security into practice.
The webinar provided a double-click into a variety of supporting subtopics, including privacy and ethics, the NIST privacy framework, and the intersection between security and privacy. It also touched on compliance challenges and evolving digital services. We used the Forrester data control model as a strategic guide for the discussion. Along the way, we pointed to comforte’s data security platform and how it enables data privacy.
A number of questions came out of that webinar that we captured and discussed. We wanted to provide the answers to those in a Q&A format. Here are those questions, in no particular order of importance.
Q: You mentioned that compliance is not security and qualified that with the statement that ‘compliance is the floor.’ Can you explain that thought further? And why can’t compliance directives specifically point to data-centric measures?
A: Compliance requirements cover some types of data but not all of the different types of sensitive data within your organization that you would want to protect, such as your trade secrets or intellectual property. The actions that companies are required to take in order to meet compliance requirements are also the minimum requirements and expectations. It’s a floor, because you can do more. Take riding a bicycle as an example. In some places, it is mandatory and required by law to wear a helmet. This is the compliance requirement. A helmet offers protection, but it is not the only measure that a cyclist would implement for safety and protection. They may also want to add lights to their bicycle, wear closed-toe shoes, and take additional precautions.
A challenge is that these regulatory requirements may not be prescriptive (e.g., “you must implement encryption at rest”) and are instead worded as requiring you to implement “reasonable security” measures as a way of offering flexibility. It also extends the life of the requirement; as technologies and measures for protecting data evolve, we do not want to mandate the use of a specific technology and have to keep updating legislation. This is why security strategy is important. It enables you to determine a data-centric approach to security and identify the controls necessary for the data in your environment.
Q: You talked about the fact that data collection triggers the most fines. Where is the balance between data collection and over-collection of data? Are there any dangers in automating the fulfillment of the individual’s privacy rights?
A: Data collection, and by extension data governance, is cause for concern here. Organizations must get smarter about privacy, privacy rights, and the purpose of data collection and use. It’s not so much about finding the balance between collection and over-collection. It’s more about the practice of data minimization, collecting only what you need for a clearly defined purpose. There’s also the other end of the data lifecycle, where we must consider what data to delete when it’s no longer required for business, compliance, or contractual purposes to maintain.
Automation is great when you are automating the correct process. Otherwise you are just making mistakes faster. Before automating fulfillment of individuals’ privacy rights, you need to have a thorough understanding of the process by which you fulfill those rights, and measures for ensuring that it is in fact the individual who is requesting their own personal information and not someone else doing so.
Q: You used the term ‘adapt’ a few times. Is this the most important quality for success in your opinion, the ability to assess and adapt?
A: The most important quality is to build a strong foundation of controls and processes for your security program and your privacy practices. This enables you to adapt, whether that means adapting to meet changes in regulatory and compliance requirements, business partner requirements, or evolving threats. For example, the foundational privacy capabilities and practices that organizations had to embrace for EU GDPR, such as privacy by design, data flow mapping, third-party risk management, controls for data protection, and processes to fulfill data subject rights, are not one-time endeavors. They will also apply to actions that companies must take for CCPA and other country-specific privacy compliance requirements.
Q: How can you leverage a larger body of best practices outside of your own organization’s? How can you tap into the best practices that other organizations have gained through their experiences?
A: There are different ways you can approach this at varying price points and investments of time. They range from networking in informal and formal peer CISO groups, membership and access to resources as a part of an industry organization (e.g., ISC2, ISACA), resources like SANS, and research organizations like Forrester, to security consultancies. Building your strategy on recognized security standards and frameworks also helps here; these are often developed based on an understanding of what measures have and have not worked within organizations. For example, Forrester created its data security and control framework as a way of helping our clients frame and discuss a high-level strategy with a non-technical business audience, to help build the business case and approach for investment in data security.
Q: What is the best way to encourage and facilitate that alliance between data science and IT that you mentioned at the end of your portion?
A: In your interactions and discussions, assume positive intent (each team is just trying to do their job here) to avoid an adversarial relationship. Rally behind big-picture shared business goals, such as improving customer experience, embracing innovation through data, or protecting the firm’s reputation and brand. Understand each other’s objectives. For IT, this means understanding the business context of data assets: what data science teams are trying to accomplish, what data they need, how they use data, where this data comes from, what data science teams need to do their job successfully and efficiently, and where existing IT or security processes or procedures cause them grief. For data science, this means understanding IT and security’s objectives: what their concerns are, what requirements they’re trying to meet (e.g., privacy rights, compliance, contractual business requirements, etc.), what limitations may exist with today’s technologies, and what risks they’re trying to manage in order to enable the business.
We certainly feel that the topic and these questions have relevance for every business and organization, especially in the current climate of growing regulatory scrutiny of corporate data security. For example, Brazil will be yet another country to roll out a comprehensive set of data privacy rules, known as LGPD, later this summer. We want to keep an eye on how this all evolves and will make sure to provide other learning opportunities in the near future.
So stay tuned!