I always enjoy hosting and participating in the CISO Executive Network meetings. The meetings offer Chief Information Security Officers (CISOs) the opportunity to discuss together ways they can improve security in their organizations, get ideas from each other on strategies and products, and vent with colleagues about particular issues and complaints. It gives me great insight into what they are experiencing so I, in turn, can help others and stay on the cutting edge of products and services available to assist with data security.
This week, the meetings centered on data privacy, which is, of course, my thing. It was interesting to hear how organizations handle data governance and management, data loss prevention, compliance and minimizing risk.
Here are my thoughts on the topic.
First, I think it is important that the data privacy and security functions work together closely and not in a vacuum. Privacy and security cannot work in silos apart from each other, as the goals and functions are intertwined. It is hard to work as a team and to have a coordinated approach to data protection when there is no communication or collaboration about what data is being collected by the organization, why it is being collected, and how it is being used and protected.
Second, organizations may wish to consider having a council or committee that is tasked with the overall privacy and security of data that the organization maintains. The council would be the centralized location of responsibility for determining what data is collected, how it is used, how it is classified and protected and who has authorized access, and would advise on compliance and risk. What often happens is that a business unit starts collecting data, then tells the security folks to protect the data. There is no central business decision-making around the collection of data in the first place, and protecting the data falls on the CISO without any input from the beginning.
Third, it is important for organizations to start thinking about data ethics. What I mean by data ethics is the organization having a centralized approach to, and process for, deciding which data are actually collected, and collecting only the data necessary for the product or service that is being offered to the consumer. Instead of grabbing all the data and then determining how to use or monetize it, organizations would be able to differentiate themselves in the market by determining ahead of time which data they will collect and how they will use and disclose the data, and by being transparent with the consumer about its collection and use. They also could offer consumers incentives so consumers can monetize the data themselves, deciding whom it is disclosed to and for what purpose, and how long it is retained. Thinking about the relationship between the consumer’s rights to their own data and the organization’s ability to use it, while also being transparent with the consumer, will naturally assist with compliance standards and with risk and liability. Consumers are getting fed up with finding out that their data has been breached or misused by companies that they didn’t even know had their data in the first place.
Fourth, compliance shouldn’t drive privacy and security decisions. Data ethics and sound business decisions around the collection and use of data should drive the privacy and security program of an organization.
Fifth, secure data retention and destruction are key to minimizing risk and are important parts of a data privacy and security program. Many companies have outdated and irrelevant data retention and destruction programs that are not being used in a comprehensive and systematic way. Updating and following a data retention and destruction program will dramatically assist an organization with compliance and reduction of risk.
Sixth, companies can buy and use data loss prevention (DLP) tools until they are blue in the face. There are vendors that will sell you all sorts of shiny new DLP objects. Many of them are good – but they are not a panacea. You can have all the DLP tools in place and an employee might still click on a link that will cause a security incident. Employee education remains super important, especially in these times of working at home. Continue to push alerts out to employees about security tips and data loss so they can stay abreast of new tactics, even if they are working in their day jammies. No matter how good your data security or DLP tools are, you can’t completely prevent an incident, many of which are caused by employee error or insider threat.
Finally, just as organizations have used the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assist with data security, consider using the NIST Privacy Framework to think about data collection in a different way and to employ Privacy Impact Assessments when developing a new product or service.
Consumers are starting to demand that companies consider their privacy rights before collecting and using their data. Changing the thinking about data collection, and about the ethics of collecting, using and disclosing individuals’ data, is the new norm. If you do the right thing, regulators don’t have to make you do it, and compliance comes naturally.