E4: The Case for Data Security & IAPP Certification

In episode 4 of the “Are You DataSmart?” podcast, the Ward brothers discuss the balance between technology, policy, and execution of data security. The first two should assist with the third, execution, but that doesn’t always work out…

GDPR, the ePrivacy Regulation, and the general topics of data protection require that you and your company take a proactive approach to data security, and working with certified IAPP members may be a great way to get started.

TRANSCRIPT

Jay: “Are You DataSmart?” Weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and how to maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. And today, we’re gonna discuss data security and the case for it. We’re gonna do this in a couple of different ways, but one of our big important things here is to understand that when it comes to data security, what you don’t know can and probably will hurt you, as many companies have found out over the years. And when we talk about data security and the big question of how companies set it up, how do they manage it, how do they control the risks for it, typically, when you meet with a lot of people in this space from a business perspective, they always look at data security broken down into a couple of different areas. One is technology and the other is policy. And as Jay and I will kind of dive in on, there are a lot of pros and cons to both, and I don’t know, Jay, do you have the new iPhone X?

Jay: I don’t, I’m a Luddite, I only have the 8.

Christian: Okay, so the new iPhone X, if people have seen it, has this new Face ID and it’s fascinating. There have been a few people who’ve hacked it with a close-looking relative or child, but it is amazing how much the technology is advancing around passwords, password managers, or even across an enterprise. Companies like Okta, that’s O-K-T-A, allow a corporate IT department to control all of the passwords to all of the applications that an enterprise runs globally. These platforms are getting really, really strong, and when you merge that with things like iPhone X’s Face ID or biometrics, we’ve had fingerprint scans on the iPhones and the Google phones for several years, and the Samsung phones, you know. That ties in then with policy. Now, policy and its approach have…seem to sort of change quite a bit, usually to take advantage of some of these new technological opportunities. But policy tends to go around user access, the limitations of how long passwords are valid, those automatic and somewhat annoying policy requests to change your password every few months, and each of those sort of drives whether or not you are a data maximization shop or a data minimization shop. Jay, is that a good framework you also see, sort of that policy and technology side of things?

Jay: Yeah, I think in the end, for me, those two pieces combine and you need to have the execution as the primary third component. It’s great to have the technology. It’s great to have good policies, but if you don’t have the follow-through, that’s where you run into trouble, and that’s where, you know, Uber, for instance, last year, they had their 20-year consent order with the FTC because they had a great-sounding privacy policy about the security of their customer information. They just didn’t follow it. I guess it’s easy to have a good policy. It’s a little more difficult to follow it.

And so, if you don’t execute, if you don’t follow through, that’s where you run into all of the problems. That’s when your data security protocols get lazy and that’s when regulators start looking at you.

Christian: Absolutely. Well, I think, you know, if you can get some way to have policy and technology support each other, it’s meant to make execution easier, but it’s a great point that execution is really where those two things meet and it either works or it doesn’t. And something that we’ve seen also is, with all the breaches and everything out there, there are a lot of great platforms and tools that can help you and your customers do better at their password management. One of my favorites is this “Have I Been Pwned?” that was built by Troy Hunt, which is a platform that analyzes, based on your email address, all of the potential breaches you might have been a part of that you didn’t even know about. I mean, there are so many classic data breaches that have occurred over the years of, you know, hundreds of millions of accounts that a lot of people just have no idea that they actually were compromised, and that same password that they’re setting up on a new platform has already been compromised somewhere else. He’s actually released a new API where you can build into your own password setup a way to notify people that are gonna sign up, let’s say, for your newsletter, “Oh, by the way, just so you know, you’ve actually been pwned, your password is now owned by someone in a breach. You might wanna not use that here.”

Jay: For those of you who may not be from the internet, pwn is just a way that people use the word “own,” and pwnage in internet speak means that you’ve been hacked or something terrible’s happened to you or you’ve been beaten by an 11-year-old in an online video game. I’m just talking about a friend, it’s not personal experience.

Christian: So now, knowing that, and knowing that there are a lot of tools to help us avoid such situations or monikers, a couple of questions that sort of start to come out are, you know, when we talk about the business case for data security, I wanted to talk a little bit through, what do you see, Jay, as some of the big reasons…I know it sounds obvious, but it’s always helpful to lay out, what are the big reasons that people need to enforce a great data security approach?

Jay: I think you can say you’re gonna lose your revenues because you’re gonna scare off customers. You’re gonna lose your assets because they’re gonna be stolen. You’re gonna lose your reputation. You could say all of those things, but I think the best way to frame this and think about it is imagine every heist movie you’ve ever seen, okay? There’s people dropping in from ceilings and there’s people who are, you know, putting on disguises, going through all of these intricate steps and the goal is to steal, you know, some bars of gold, or, you know, bags full of cash. If you put in place some of the data security protocols that companies that have been hacked had and tried to translate it to a movie, there wouldn’t be a movie. Some of them walk in, pick up the bar of gold, and walk out with it. So you have to contextualize it this way, the data that you have is your brand, it’s your value. It’s what makes you the company you are and it’s what makes you as valuable as you are.

So the business case is self-explanatory and it’s self-executing. If you don’t protect what you have, it’s gonna be taken. I mean, that is the way of the world, the way it has always worked. So thinking about why do I need to spend the money on data security, a lot of times, companies are like, “Well, you know, it’s an IT issue, I’m not really interested in it.” It’s not an IT issue. You don’t worry or fret about putting locks on your doors, and that’s exactly what we’re talking about. It’s the safe in the vault. It’s the lock on the door. And if you don’t want the money flying out the door, heist or not, you need to think about data security as a component of your business plan, not just an IT plan.

Christian: Yeah, I couldn’t agree more. I think it’s certainly come a long way though, you know. In prior years, it was more of an afterthought. It was sort of the problem of the CIO or the CTO, and maybe the COO watching them. But with the…I mean, you know, sort of the new arrival of things like the CDO or the DPO, you know, this is becoming much more important. You also talked about something about, you know, loss of revenue, reputation, but something that we’ve seen in the business world is, you know, the competitiveness. When you receive an RFP from a major, you know, healthcare organization or a major financial institution, these RFPs, the data security audit and the security protocol audits that they provide in their requests for proposals are unbelievable. They’re getting longer every year, you know, it’s sort of this whole back section of an RFP that if you can’t answer those questions really well, you’re pretty much not gonna be competitive with everybody else in this space.

Jay: Yeah, I mean you have to imagine it in the same sense of if you’re gonna do an acquisition and the lawyers send you…because we love to do this, the giant questionnaire, fill in the blanks, and tell us everything you’ve ever done, and your answer about your accounting system is, you know, you’ve got a guy who’s written some things down somewhere. You’re not gonna win the contract, and I think companies have rightly, as you say Christian, kind of adapted to the reality of the need for robust data security. And I think that kind of leads into the other component of why do we need data security, and that’s the regulatory case.

Forget about getting sued, everybody always thinks about getting sued by someone who is, you know, they…you breached your contract or there was a hack. That’s a no-brainer. But the regulatory case is one that you might not be thinking about. If you’re not taking steps now to be at least not the low-hanging fruit when it comes to data security, like, you have good passwords for instance, you’re just inviting a 20-year consent order with the FTC like Uber did. You are inviting a suit by a data protection authority in Europe and, you know, looking at the millions of euros in fines. So it’s spend some now or spend a whole lot later. And one thing I always remind people, you know, I remind clients about this, if there’s a regulatory action, a lawsuit, that’s a prefabricated lawsuit by customers or competitors. All they’ll do is they’ll get the information that the regulator got during that review and they’re just gonna copy and paste it, and boom, there’s a complaint against you. So you need to think not just about, you know, the business case, but think about what your regulators are gonna look at. And they are all looking at data security now.

Christian: Now, when something like that occurs and someone just posts it, they’re also just making an attack right there on your reputation as a business. So, to sort of bring that point back to the first risk, you’re really risking that reputation and it’s very hard to make up, which I think will also come up, boom, as we start to get into covering data partnership strategies in later podcasts, when we’ll talk a lot about how, when you’re sharing data back and forth between partnerships, you not only have to worry about your own security, but the security of those partners that you work with.

Jay, another question is just, you know, what are the steps people need to take because I think everyone gets it very clearly, “I’ve got to have some of the technology solutions, I’ve got to have great policies, I’ve got to execute them and ensure that I’m complying with them at all times.” But what would you say, you know, they really need to do in terms of preparing and getting things going?

Jay: I think it’s three things: you need to pay attention, you need to have the right personnel, and you need good advice. You know, you need to be thinking about these issues and incorporating them into the way that you operate your business. You need to find people who know what they’re doing and you need to find people who know what they’re talking about, you know, that’s the advice piece. You know, the internet, when it comes to advice, is like a reversed iceberg. You can…you know, there’s 90% of the information out there that’s gonna be useless to you, but there are good pieces of advice that you can find. And in this year, that’s, for us, for you and me, that’s led us to the IAPP, the International Association of Privacy Professionals…

Christian: Yeah, absolutely.

Jay: You know, it’s the only ISO-certified privacy organization in the world, and you get these certifications that say, “Look, this is someone who really does understand European data law or American data security law.” And for us, I think it’s been a very valuable process and it’s a great organization, and I always encourage my clients to reach out to the pros, and that’s how they do it. But attention, personnel, and advice, that’s what you need to keep in mind when you’re trying to carry through and, as I said before, execute on using your technology to follow through on your policy.

Christian: Absolutely. Well, that’s the case for data security in this episode of “Are You DataSmart?” Thank you, everyone, for listening.

Jay: Thanks very much.
