Why should information security officers care about privacy? That’s the loaded question Todd Fitzgerald posed to a packed audience in his opening keynote at the 2018 CyberCrime Symposium. The short answer: They have to.
If that reality had been giving any attendees insomnia, Fitzgerald’s high-energy presentation, “Privacy is Alive and Kickin’,” was a pick-me-up and privacy primer in one fast-paced package. And aptly named: The spotlight on data privacy is at its harshest point yet, with the EU's General Data Protection Regulation (GDPR) piling onto ongoing security concerns over social media, BYOD, and cloud usage.
With so much at stake, Fitzgerald, managing director and CISO of CISO Spotlight, used expertise and enthusiasm to grab audience members' attention so he could take them on a whirlwind tour of today’s privacy landscape. From global privacy laws, privacy fluency, and shifting data protection roles to privacy-by-design principles, here’s a sampling of the ground he covered.
Snowden ran smack into snowballing innovation. It was only five years ago, give or take, that privacy really started kicking. In the months following Edward Snowden’s 2013 broadcasts, Fitzgerald, a frequent speaker and panelist at industry events, watched as privacy-related sessions at information security conferences started drawing charged-up capacity crowds.
“That was the start of the shift in how security professionals looked at privacy,” he said. “They started figuring out how important it was for them to understand it.”
Consider activity within the NSA itself. In 2014, the agency, still reeling from the Snowden exposure, hired its first director of civil liberties and privacy. Moreover, the new director, Rebecca Richards, was given direct-line reporting to NSA's director.
Security officers are reaching a new level of awareness. When CISOs first emerged in the mid-1990s, security was primarily administrative, with workers handling log-on requests and password resets, said Fitzgerald, who tracks the five stages of their evolution in his latest book, “CISO Compass,” available in early 2019.
By stage three, which hit somewhere in the 2004-2008 timeframe, the first risk-oriented CISOs appeared, followed by an entirely new incarnation — the threat-aware, cybersecurity-driven CISO who understood social media, cloud, and mobility impacts. This CISO model served well until 2016 or so, when the function began morphing to become what Fitzgerald calls the “privacy- and data-aware” CISO.
As CISOs delegate day-to-day security functions to their teams, their technical security skills will take a backseat to leadership, privacy and data management expertise, and business knowledge. This new breed of CISO not only speaks security and privacy, but can translate that into business language. They’ll then be able to focus their leadership’s attention where it’s needed, Fitzgerald said.
“It’s gone beyond the maturity matrix and security controls,” he said. “If a CISO doesn’t understand their company’s data — where it’s located, how it’s protected, who’s using it, privacy laws governing it — how are they going to have those conversations with their board?”
CISOs will align and collaborate with new departmental leaders. In the International Association of Privacy Professionals' (IAPP’s) 2016 Privacy Governance Report, 87% of the CPOs surveyed cited information security as their most important departmental collaborator. Not far behind were legal (80%) and IT (74%). The share of privacy pros singling out security is up from 83% in 2015, and 76% a year earlier.
These findings, said Fitzgerald, highlight how important it is for CISOs to become fluent in privacy. Further driving this need: The GDPR requires organizations with a significant EU presence to have CPOs on staff, and more US organizations are hiring them as a best practice. Fitzgerald pointed to the Organisation for Economic Co-operation and Development's (OECD’s) “Eight Principles of Privacy,” with its widely adopted privacy terminology, as a valuable resource.
As CISOs, CPOs, and CIOs move to design new privacy programs or revamp existing ones, it’s critical that they follow “privacy-by-design” principles, according to Fitzgerald. These principles are integral to both data protection and privacy, and are among the requirements for GDPR-compliant programs and products going forward.
Following these ensures stakeholders integrate privacy and security into their privacy program, as well as their info-security strategies. The seven design principles for building privacy into IT systems, business practices, and network infrastructure:
- Enable proactive and preventive measures;
- Make privacy a default setting;
- Embed privacy into design;
- Aim for positive-sum outcomes, not zero-sum tradeoffs;
- Build end-to-end security across the privacy information lifecycle — collection, use, retention, and disclosure;
- Ensure visibility / transparency into data practices; and
- Prioritize respect for users.
Finally, Fitzgerald advised info-security attendees to review privacy certifications and pursue those that make sense for their situation. “I think the privacy certification process provides the deep-dive we need to stay up-to-date with local laws and build programs based on privacy-by-design,” said Fitzgerald, who has a number of privacy certifications in his own toolbelt.
This is the second in our series of posts presenting key takeaways from our 2018 CyberCrime Symposium, held November 1-2, 2018. The program — “The Future of Privacy and Security” — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, this is a not-to-be-missed series!