Daniel Ayala
Interim CISO
Michigan State University
MODERATOR
Dr. Faith Heikkila
Information Security Governance Specialist
Perrigo
PANELIST
Michael Muha
CISO & CPO
WorkForce Software
PANELIST
August 2020
In the growing digital environment, customers are providing organizations access to more data than ever, and ultimately the CISO is responsible for how their company handles that data. The evolving privacy landscape has started to change how cybersecurity enables data protection, and CISOs have more responsibility than ever.
With customers giving more of their personal data, they are also expecting more in return. CISOs in Detroit agreed that the expanding regulations have brought more people to the table, and success happens when organizations center on doing the right thing for the consumer.
On August 20, the Detroit CISO Community came together to share insights on the increasingly important topic of data privacy. Before diving into that conversation, Detroit’s CISOs responded to a poll question asking if they were fighting for data protection in their organization, or if it was a company-wide strategic initiative.
On a scale of 1-5, with 5 being the highest, they found:
0% ranked the importance at a 1
12% ranked the importance at a 2
19% ranked the importance at a 3
35% ranked the importance at a 4
35% ranked the importance at a 5
Daniel Ayala, interim CISO, Michigan State University; Dr. Faith Heikkila, information security governance specialist, Perrigo; and Michael Muha, CISO and CPO, WorkForce Software, led the peer conversation. During the town hall, they shared experiences and strategies they employ to protect their customers' and businesses' data.
Tracking the Privacy Landscape
One challenge the security community is tackling is how to accurately track the privacy landscape without over-engineering the solutions. There is no one-size-fits-all solution, although everyone agrees that consensus across the organization is vital. Perfect is the enemy of good and over-engineering for a system that will not make a business impact only wastes time and resources. In order to ensure each solution fits and enables the business, CISOs suggest finding champions to collaborate with in each department and increasing regular meetings with legal and risk groups.
COVID-19 plays into increasing personal data concerns as well. As manufacturing centers and job sites begin to open back up, contact tracing solutions are being rolled out and tracked for the health and safety of employees. Some companies have a committed task force for collecting, maintaining and protecting daily contact tracing alerts and solutions. It is important that the task force is centered around protecting not only the data, but the lives of everyone across the business, and that it ensures proper steps and workflows are in place and easily triggered upon a positive test.
We must make sure that if new regulations come out, we know what our customers will be subject to and relay changes back to the business, so everyone is informed.
Balancing Privacy and Security
While some would argue that the priorities of privacy and security are occasionally in conflict, the majority of CISOs agreed that the two go hand-in-hand. Whether you are one piece of a multi-department privacy puzzle or responsible for creating the entire strategy, discussions must be framed in business terms as security pushes to position itself as a driver of business enablement. Privacy by Design makes data protection a part of everyone’s role, and working in lockstep across the business moves the needle towards compliance.
The main conflict CISOs saw between privacy and security came down to budget. While a CISO may have a laundry list of projects they want to execute, they are also seeing more demands from customers around data. Since you are judged based on the happiness of users, not just how well you are protecting their data, privacy may take priority in response to frequent customer demands.
Data Privacy Across 3rd Parties
Managing third-party privacy concerns requires more work, resources and focus than ever before. Whether you’re outsourcing responsibility to a SaaS provider or handling it internally, asking third parties the right questions is critical to receiving good information on which to make a risk-based decision.
CISOs suggested taking advantage of risk assessments, collecting audit reports, and developing processes and checklists that address the privacy and security of third parties. There is value in showing regulators that you have done your due diligence, so that in the case of a breach you can show evidence that you did your best to mitigate the third-party risk. If you didn’t document it, it didn’t happen.
Thoughts from the Community
The panelists were asked if they were partnering with startups to take advantage of new technology and wondering what the best approach would be to gain confidence in their security posture. CISOs responded by suggesting tailoring the standard questionnaire and pointed again to the importance of asking the right questions. Making your questionnaire flexible for large vs. small companies or having two different question sets for vendors were floated as scalable options.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.