Privacy is a business imperative, and that represents opportunity as well as challenge.
Data Privacy Day: Privacy as a business imperative.
We heard from a number of business leaders on the centrality of data privacy and protection to the way businesses operate today. Here are some of their perspectives and recommendations.
Corporate responsibility for data privacy.
Brian Rue, CEO and Co-founder of Rollbar, sees privacy as something to be embraced, not evaded or grudgingly acknowledged:
“Companies should embrace data privacy. Rather than viewing privacy requirements as a constraint or something holding you back, instead embrace how consumers have spoken that they need privacy - this comes through government - by fulfilling privacy needs you are fulfilling customer needs. If privacy feels like it's a distraction it might be a sign that your direction is out of line with what consumers are saying they need and what they will need and the direction that everything is going.”
Steve Cochran, CTO of ConnectWise, sees a coming acceleration in the need to protect personal data:
“The concept of data privacy may never have been more important than it is today, on this Data Privacy Day. And never before has the concept of data privacy been more under threat. It behooves all of us technical professionals to use this day to reflect on the growing threat and our response to that threat over the last year and prepare ourselves for the coming year. Data privacy and the effort that is required to protect it will continue to change at an accelerated rate this coming year and the years to come. Our company and our partners are doing their part and leading the charge in keeping our community safe and secure against these growing threats.”
Matt Sanders, Director of Security at LogRhythm, called for some self-examination:
“Data Privacy Day serves as a reminder for companies to take a step back and evaluate their day-to-day cybersecurity practices. Organizations must do their part in ensuring the valuable information they are entrusted with – including customer, employee, partner and corporate data – remains properly protected. Modern-day companies run on data, making it critical that security leaders are knowledgeable of, and aligned with, the overall business goals. This enables the company to access and leverage data as needed, while still ensuring its security.
“According to our 2021 report based on research conducted by the Ponemon Institute, 93% of security leaders do not directly report to the CEO, and only 37% of respondents believe their organization values and effectively leverages cybersecurity leaders’ expertise. This significant misalignment is leaving ample room for shortcomings in cybersecurity initiatives that can lead to data breaches. For example, our recent report found that only 49% of respondents’ incident response plans account for problems like ransomware, and only 25% include guidance on how to handle hackers – two common ways sensitive data can be exposed or compromised. Security leaders must report directly and regularly to their CEO and board of directors to align business and security priorities and ensure the right security programs are in place. Well-equipped security programs enable the future of the business – keeping data secure while supporting the company’s overall growth and success.”
“Data Privacy Week is a great reminder of the importance of protecting the privacy and security of data as well as meeting compliance and governance requirements such as GDPR, CCPA, and HIPAA,” said Brian Spanswick, CISO, Cohesity. “This starts with selecting a next-gen data management platform that can offer data protection, governance, and compliance on a single platform as part of an overall risk management strategy. These solutions need to be dramatically simplified so they can easily manage large complex data estates from a single UI and take advantage of AI/ML classification technology to help identify and manage sensitive data.”
Jason Needham, CEO of Cloudentity, observes that customers’ experience of how their privacy preferences are respected has become a business imperative:
“Data Privacy Day serves as a reminder of the importance for all types of organizations to have an open dialogue about data privacy, starting at the leadership level. Embracing customer privacy is increasingly an indication of a healthy brand, providing consumers with the confidence necessary to share their personal data. While government regulators enforcing privacy laws such as GDPR, CCPA and CPRA are a step in the right direction, more needs to be done to protect consumers' privacy and this needs to start at registration and continue through API-based data sharing.
“A user’s experience around their privacy preferences is now critical to a company’s bottom line. And customer expectations are increasing as well, as users move from blanket consent to share their information towards a more granular way to specify what information can be shared to whom. Data privacy must be enforced while still providing a simple, easy-to-use customer experience. Gaining consent to share user data in a secure and seamless manner is possible with adaptive authentication and authorization to confirm the user and the third party are who they say they are. Having the right data security guardrails in place builds consumer trust and brand loyalty, allowing companies to become more competitive through an increased level of service and greater customer lifetime value.”
Jeff Sizemore, Chief Governance Officer at Egnyte, is among those who make a strong case for privacy as a business essential:
“Data Privacy Day reminds us of the mission-critical requirement to safeguard data amid rising cyberattacks and companies’ adaptation to longer-term hybrid-work models. Due to increased cyber-risk and a strong consumer desire for privacy protection, there continues to be a steep rise in state-by-state data privacy requirements, with movement toward a potential federal privacy law anticipated later this year. By 2023, it’s predicted that 65% of the world’s population will be covered by privacy laws.
“Increasingly, with personal privacy viewed as a human right, how vendors manage consumer and employee data will determine how much the public trusts and wants to do business with them. To comply with governmental requirements during the global pandemic, organizations may need to store employees’ Protected Health Information (PHI) like vaccination statuses for their employees, which creates its own privacy impact.
“Additionally, protecting unstructured data will likely be one of the biggest challenges in 2022. If you can’t see it, you can’t govern it. If you can’t govern it, you definitely can’t manage privacy. Organizations need to have visibility into structured and unstructured data to build out effective data governance programs. Thankfully, there are data security and governance solutions available to protect that information holistically. Expect to see ongoing privacy assessments become more common in the days ahead. Those who put privacy at the forefront and ensure they are solving the problem comprehensively will be the ones who come out on top.”
Anastasios Gkouletsos, IT Security Lead at Omnipresent, a leading global HR platform, has some direct advice:
“Focus on Endpoint Security. Endpoint security should be a priority for every company, but particularly for those that are going global with a remote workforce. For remote teams, endpoint security should go far beyond installing off-the-shelf anti-virus software. An effective endpoint security solution should also include a firewall, malware removal, ransomware protection, device management, password manager, and a business VPN.”
Peter Tsai, Head of Technology Insights at Spiceworks Ziff Davis, talked about the importance of business connectivity in understanding the challenges of privacy protection:
“In our hyper-connected age, common business sayings include ‘data is the new oil’ or ‘data is the new gold.’ While user data is indeed valuable to advertisers, companies must always remember that protecting the right to privacy is not only mandated, but also fundamental to building trusted relationships with customers. Recent SWZD research revealed 50% of B2B companies worry privacy regulations or restrictions on the use of data will make it harder to do business. But instead of fearing change, business professionals should embrace it. Not only are the penalties too high for non-compliance, now more than ever, trust and transparency are huge differentiators that help businesses attract customers and build brand loyalty.”
Paul Keely, Chief Cloud Officer at Open Systems, argues for prevention:
“Naturally, the best way to protect critical data is to prevent bad actors from accessing it in the first place. One of the keys to this is monitoring 24/7 to identify and contain breaches as early as possible in the cyber kill chain. Done effectively, this can keep a breach from expanding beyond a single affected endpoint. Endpoints are a significant concern, as companies’ attack surfaces have likely grown 10 times or more due to the pandemic forcing employees to work from home. With all of these thousands of endpoints making thousands of remote connections, the number of alerts has exploded. While the vast majority are false positives, their sheer volume makes it harder to identify the actual threats hidden among them. Understanding their attack surfaces will help companies recognize real threats.”
Doug Dooley, COO of Data Theorem, hopes that added attention will induce organizations to perform some due diligence about the way their privacy needs, challenges, and responsibilities have shifted:
“There is hope that Data Privacy Day brings added attention to what organizations can or should do to protect sensitive information from data breaches. During the lockdown periods of the pandemic, we have witnessed the growing number of several high-profile attacks including software supply chain, ransomware, cloud hacks, and the most common Enterprise data breach vector of web-app and API attacks. In 2022, organizations are likely to see that API-centric attacks will represent the most significant loss of privacy and large-scale (1M+ records) data breaches. Modern applications are mobilizing and monetizing data most often through the use of APIs and attackers are exploiting the lack of observability and protection controls most APIs have today. Every new cloud service, mobile application and modern web application is enabled through APIs. However, most Enterprises have no ability to generate an inventory of all their APIs, much less the privacy and security controls necessary to protect their data. This is a time of opportunity for hackers to exploit large amounts of data and violate privacy. Let today be a reminder that we have plenty more to do to protect our data privacy.”