Data Protection Day, as it’s marked across Europe, or Data Privacy Day internationally, is an annual marker in a very challenging cybersecurity calendar. Consumer data is regularly stolen, and enterprises and public sector organisations are often in the headlines because of incessant attacks from cybercriminals as well as from accidental privacy misadventures.
All organisations find maintaining privacy and data protection best practices a challenge in this environment. With increasingly strong regulations levied from across many national and regional jurisdictions, staying on top of data privacy and protection is only ever becoming a bigger priority with high risks and penalties at stake.
Five experts from across the enterprise technology space offer their opinions and advice for organisations of all sizes. From cybersecurity and password management to customer data, data analytics, and software development, these thought leaders have shared their experiences so you can benefit.
Security starts with your teams – Rob Zuber, CTO, CircleCI
“In today’s world, we use tools built by others, offering greater agility, allowing us to work faster and more efficiently. The caveat? It’s easier to lose sight of what is happening. Security is core to the software business and software is core to every business. Data security must be core to every business from the infrastructure and software layer upwards – and it starts with developers and their mind-set.
“Leaders need to think about the security of their offerings at every point in the systems development lifecycle: From including security engineers from the design phase through to regular third-party audits of code libraries and service provider standards. With this greater traceability, developers are empowered to write, test, and measure those improvements using a Continuous Integration/Continuous Delivery platform, resulting in shorter lead times for developing features and bug fixes, as well as greater agility concerning changes in development priorities and market trends.
“The bottom line is that your team is your most valuable set of security researchers. They know your applications best and must be the first line of security and data privacy defence, creating a secure foundation for the entire business.”
Rob Zuber is the CTO of CircleCI, providing a platform for businesses to build software applications at speed and at scale. Rob has founded four startups and has been CTO at three.
Privacy is a security issue, at heart – Drew Bagley, Vice President & Counsel, Privacy & Cyber Policy at CrowdStrike
“Increasingly, privacy is not only a core social value but intertwined with technologies used in daily life. Although threats to privacy can take many forms, one of the greatest threats today comes in the form of data breaches. Consequently, modern privacy laws require holistic data protection in both privacy and cybersecurity.
“The GDPR, California’s CCPA, Brazil’s LGPD, Japan’s APPI, and sector-focussed laws take common approaches to not only laying out rules of what organisations can do with data, but also make clear there are risk and impact based obligations to protect data against breaches and make appropriate notifications in the event of one.
“In the past year, the UK has signalled it may chart its own data protection course separate and apart from the EU. The Information Commissioner’s Office (ICO) has solicited feedback from the community to inform the potential adoption of a more flexible cross-border data flow regime. This can be a very positive development for incentivising UK regulated organisations to protect personal data with the best cybersecurity technologies and practices. Leading security solutions are cloud-based and global, using massive compute power to hunt for threats in customer environments and track the spread of malicious activity around the world. This is only possible through global data flows. Adversaries don’t care about borders or regulations, and the ‘white-hats’ need global collaboration and data sharing to combat the ever-present criminal threat. Recently, these have been coming from ‘Big Game Hunting’: targeted ransomware that hits enterprises in campaigns seeking valuable datasets. Recent activity has included an adversary leveraging ransomware in an initial attack coupled with a second round of extortion to try to prevent the stolen data being leaked.”
Drew spearheads CrowdStrike’s data protection efforts and global cyber policy initiatives. He helps lead the Secure Domain Foundation and the ICANN Competition, Consumer Choice, & Consumer Trust Review Team, and he’s a member of the Europol Advisory Group on Internet Security.
Data is a hot commodity – Craig Lurey, CTO and Co-Founder at Keeper
“People’s personal data has become a hot commodity. As a result, we have seen a record number of cyberattacks and data breaches in recent years as cybercriminals will stop at nothing to get their hands on people’s data. Personal data is used for advanced social engineering attacks, password stuffing attacks and ransomware attacks against companies and individuals.
“Despite this, people and companies do not pay enough attention to the tools and software that have access to their personal and corporate data. Rigorous vetting of software that is installed by end-users on mobile and desktop devices is not taking place in many cases, which may inadvertently be placing user and corporate data at risk.
“As we mark Data Protection Day, it is therefore critical to highlight the importance of using powerful and sophisticated tools that properly secure people’s data. Users should pay particular attention that the software has strict privacy policies and utilizes a zero-knowledge architecture, which ensures that the company developing the software has no ability to access or decrypt the user’s data stored within. This is key if consumers and business users want to make sure their personal and sensitive data is – and continues to be – well protected.”
Craig Lurey is the CTO and Co-Founder of Keeper Security, Inc. Craig leads Keeper Security’s software development and technology infrastructure.
There’s no one data security team: It’s everyone’s job – Kieren Niĉolas Lovell, Head of Information Security, Pipedrive
“Data privacy and protection are a central part of modern sales and marketing teams’ responsibilities. There can be no trust if customer personal information isn’t safe and secure. Data breaches from cybersecurity incidents or simple internal mistakes have the potential to risk customer finances and identities, with remediation requiring considerable time to fix and monitor.
“Data privacy and protection must be understood at a department and organisation level, as well as the credentials of any service providers used – with all their dependencies and IT supply chain. Clearly this is a challenge for SMBs who must look for best practices from suppliers, such as each company’s data in any cloud applications being stored in a separate database, avoiding risks of unwanted leaks into another company’s database, and basics such as using only secure HTTPS connections, where all information is encrypted. Asking about how service providers manage the many recent national regulations from major markets is vital, to ensure your own data use stays safe.”
Kieren is a professional, experienced instructor and communications & cybersecurity specialist, who reached the rank of Lieutenant Commander in the Navy. He has major IT & leadership experience, including maintaining and managing a multitude of systems and leading large teams within high threat environments. Currently, he is the Head of Information Security at Pipedrive, a lecturer at Pembroke College (University of Cambridge), Cranfield University, and Tallinn University of Technology, Estonia, teaching ethical hacking, OSINT, incident response and management routines, C3 techniques, and developing the TTU cyber training strategy.
People and culture make privacy happen – Cindi Howson, Chief Data Strategy Officer, ThoughtSpot
“The analytics profession has a huge part to play in respecting and protecting the privacy of personal data enterprises have amassed in a digital world.
“Data is what empowers organisations to understand their customers, personalise services, and operate efficiently. Without data, digital societies can no longer function. Those working with data must be aware of the implications of how personal data is collected and used as part of daily business operations, but also the bigger of when that data is shared, how it’s manipulated, replicated, and the degree of trust customers place in organisations collecting their data.
“Ensuring data privacy is not only a technology issue, it’s also about culture, customer centricity, and people change management. There was a time – before GDPR and CCP – when exporting customer data from a BI system to a spreadsheet might have been acceptable. Now, it poses a huge GDPR compliance issue. Further, with the increased ability to mine a myriad of data sources, both internal and external, the degree that an analyst can form a complete picture of an individual has increased, despite data being anonymised. This is where every person who works with analytics needs to ask themselves, “just because I can do this, should I?” Front line workers, analysts, chief data officers, and chief privacy officers need to work in concert to ensure privacy is respected across all interactions. To retain customers and their trust, privacy must be factored in from the start, not as an afterthought.”
Cindi Howson is the Chief Data Strategy Officer at ThoughtSpot and host of The Data Chief podcast. Cindi is an analytics and BI thought leader and expert with a flair for bridging business needs with technology. At ThoughtSpot she advises top clients on data strategy and best practices for becoming data-driven, and influences ThoughtSpot’s product strategy.