Recently, Chief Information Security Officer (CISO) and President of Forensics at HaystackID® John Wilson was interviewed by Security Magazine on balancing privacy, compliance and systems. Here are excerpts of the interview, the full interview is available here.
5 Minutes with John Wilson: Balancing Privacy, Compliance and Systems
Chief Information Security Officer (CISO) and President of Forensics at HaystackID John Wilson discusses how organizations can best leverage a data-centric approach to ensure data privacy and compliance.
Security: We have seen an increased focus on the concept of privacy. Can you share your thoughts on what is driving this increased focus? Is it only a state focus? Federal focus? International focus?
John Wilson: I believe the privacy movement started as an international concern with the various iterations of privacy protections in the European Union, including the International Safe Harbor Principles, Privacy Shield, and finally, GDPR (General Data Protection Regulation). It wasn’t until 2018, when GDPR went into effect, that concerns over the substantial fines caused privacy to obtain significant attention. At the same time, California introduced the CCPA (California Consumer Privacy Act), also with threats of significant fines that kicked off the growth of privacy focus across businesses of all sizes. Since then, a growing number of states have adopted varying privacy protections, and there continue to be federal privacy protection initiatives, though nothing has been adopted yet on the federal level. So, as you can see, international privacy has been the driver, but state-level privacy concerns are rapidly gaining momentum, and likely there will eventually be federal privacy protection regulations of some nature.
Security: As a CISO, how do you personally balance privacy, compliance, security and systems?
John Wilson: There is a lot to unpack here. Balance might be a bit of a misnomer. I do strive to ensure that there is balance in all these initiatives, but more often, we discover that if we secure the privacy data, the compliance initiatives will have the necessary frameworks to be successful. Not all compliance requirements are centered around privacy, but implementing privacy data controls using a data-centric approach provides a sound framework for the classification of data that can be easily leveraged to drive the rest of the compliance requirements. Similarly, once you implement security controls and policies around your privacy data, it is easy to extend them to all classifications of data. Using the data-centric approach allows you to scale your security from highly sensitive data to the least sensitive data, which also allows you to focus on the most critical data sources first and step through the tiers of diminishing returns to maximize the impact of your security dollars. Lastly, this approach allows you to focus your efforts and resources on the systems that deliver protection to your most valuable data first and step down to the least essential assets. Overall, it’s not a question of if but when an event will occur. You must plan for that eventuality. Taking a data-centric approach helps ensure that when an event does occur, the organization’s most valuable data will be protected, and you will have the systems in place to detect and respond to any event faster.
Balancing privacy, compliance and systems is more complicated than ever, and it takes specialized expertise to manage it all! As I mentioned, you can check out the full interview with John here.
Disclosure: HaystackID is an Educational Partner and sponsor of eDiscovery Today
So, what do you think? How does your organization handle balancing privacy, compliance and systems? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.