Arguments over the importance of security versus privacy will continue, but the debate’s losing steam by the second. In today’s data-driven world, cybersecurity and data privacy are interdependent, high-stakes functions, and businesses and government entities must prioritize both. This mandate is transforming the CISO role, with business leaders restructuring their org charts to create new C-level partnerships, reporting structures, and seats at the big table.
It’s a brave new world, and questions abound. That’s why Sage Data Security made “The Future of Privacy and Security” the theme of its 2018 CyberCrime Symposium. In a series of thought-provoking presentations, speakers provided attendees with a roadmap to help them navigate what’s ahead. For instance, how will intensifying emphasis on data privacy impact security officers? What operational changes will ensure cross-departmental communications on security and privacy issues? How will corporate culture shift to smash barriers between CISOs and their boards?
And what are the legal ramifications for failing to protect and properly use personal data? With the European Union's General Data Protection Regulation (GDPR) putting real teeth into privacy regulations, the consequences are potentially devastating. Consider the financial hit alone. In his keynote, “Privacy is Alive and Kickin’,” Todd Fitzgerald cited the 2015 Anthem breach that exposed 80 million records containing personally identifiable information (PII) and protected health information (PHI). “They settled customer lawsuits for $115 million, and then paid a fine of $16 million to Department of Health and Human Services,” said Fitzgerald, CISO at CISO Spotlight. What if the Anthem attack fell under GDPR, which can levy fines of up to 4% of a breached organization’s annual revenues? Anthem could have paid as much as $3.6 billion.
By taking the lead in establishing powerful laws for privacy protection, the EU’s GDPR “is opening eyes to this idea of privacy and how personal data is being used,” said presenter Phil Bickford, senior technical product manager at MediaPRO.
Read on for other key takeaways from the proceedings.
The CISO function needs a reboot.
It’s too much to expect a CISO to develop the knowledge needed to comply with GDPR and existing and forthcoming security and privacy laws, while overseeing the daily challenges of protecting sensitive data. Forward-thinking CISOs, said Fitzgerald, will learn the language of privacy now, as they become partners with CPOs, CIOs, and others in protecting organizational and customer assets. Security technical expertise will still be important, but CISOs will focus more on strategic thinking, business knowledge, and risk management.
The industry’s been moving toward what Fitzgerald calls the “privacy- and data-aware CISO” since around 2016. “I’ve seen this focus on privacy grow,” he said, with security officers putting a lot of effort into knowing where their data’s located, who has access, how long they’re keeping it, and how they can protect it.
At the Federal Reserve Bank of Boston, “Big Data is both our problem and opportunity,” said SVP and CIO Don Anderson, who provided examples of the institution’s privacy initiatives in his “Respecting Privacy While Delivering World-Class Cybersecurity” talk.
“We collect data on our organization, our employees, and the banks we do business with, and we’ve got to make sure their data stays private,” Anderson said. “Privacy is just as important as cybersecurity — that’s why we’ve connected the two at the hip.”
So, while the Fed “has always had a pretty good privacy program in place, we totally revamped it within the last year,” said Anderson. Each of the Federal Reserve’s district banks now has its own privacy officer, along with a playbook that dictates the processes they’re required to follow for privacy-related initiatives. They’re now in the process of reviewing and classifying all their PII.
Who owns an image?
Along with all the other personal data organizations must include in their security and privacy strategies, there’s all the video they capture — for physical security, property protection, law enforcement, behavior tracking, and individual identification. Like other private data, it’s supposed to be used only for defined purposes. The GDPR, said presenter Christopher Pierson, CEO of Blackcloak, covers biometric data in its breach notification provisions, as do other privacy laws.
In his presentation “In Your Face! The Privacy and Security Implications of Facial Recognition,” Pierson praised the security- and privacy-enhancing capabilities of facial recognition, but cautioned that it has negative security and privacy implications, too.
“An organization can harness that data for other purposes, like marketing and sales,” he said, but only if it masks or anonymizes it effectively. Further, a growing spate of state privacy laws would require individual sign-off.
Employees continue to behave badly.
Organizations will need to invest in employee privacy awareness and training, just as they do with security. In his presentation, “Human Risk: Today and Tomorrow,” Bickford used findings from MediaPRO’s 2018 State of Privacy and Security Awareness report to highlight the ongoing employee-as-security-risk problem.
Of US employees surveyed for the report, 75% struggled to identify best practices for actions related to cybersecurity and data privacy scenarios. As for their ability to recognize personal data, said Bickford, employees easily identified credit card, Social Security, and driver’s license numbers as privacy-related. However, when asked how they’d destroy different types of personal data, 20% chose the riskier option — trash receptacles over secure shredders — to dispose of some sensitive information.
“The employee is the biggest risk, so we spend a lot of time educating our employees about what they need to do at work,” said Anderson. The bank is now educating employees on home office security as well. That effort will continue to ramp up, said Anderson, “as employees still go home and do all kinds of crazy stuff, and we don’t want data going from work to home and back again.”
Cyber-risk touches everything.
Ultimately, the CISO’s primary function is managing risks. And risk factors just continue to grow.
In her talk on cybersecurity metrics, Summer Craze Fowler, Technical Director of Cybersecurity Risk and Resilience at CERT at Carnegie Mellon University, summarized the challenge: “Even though not all risks are related to cybersecurity, cybersecurity officers, as part of the organization, own all of them. They need to be managing toward all those risks.”
This is the first in our series of posts presenting key takeaways from our 2018 CyberCrime Symposium, held November 1-2, 2018. The program — “The Future of Privacy and Security” — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, this is a not-to-be-missed series!