InfoSec Unfiltered Blog

RSA Conference — Seven Key Takeaways from Day Three

Another fantastic and busy day at RSA Conference. Clearly privacy matters to the good folks here because the stream of visitors at our booth wanting to know more about centrally managing and protecting data across ALL silos has been constant – and we’ve run out of #MyDataMatters T-shirts!

Yesterday, much was made of the business case for security in terms of privacy and trust as a competitive advantage. Here’s a summary of the messages from the sessions that I feel are most important to data-driven IT leaders and others who couldn’t attend the conference in person (you can read about Day One and Two here):

  1. Frank Kim, CISO of the SANS Institute, said that CISOs should be agents for change who think like Peter Drucker, keeping in mind that "culture eats strategy for breakfast." According to Kim, this matters because CISOs need to build a corporate culture that is prepared for dangers such as phishing while still managing security exception requests. Kim suggested that CISOs, like their CIOs, suffer from the curse of knowledge and need to learn to speak the language of their stakeholders, building the case for security on the business rather than on technology. Kim also advised that CISOs adopt a security framework such as the NIST Cybersecurity Framework so they can demonstrate continual improvement.
  2. Bill Brown, CIO and CISO at Veracode also suggested that CISOs be more like CIOs, advocating the need to evolve from a technology based disposition to one that is business focused in order to successfully communicate with boards about the importance of security.
  3. Mark McLaughlin, CEO of Palo Alto Networks, said that trust is essential in an era of digital disruption in which citizens are increasingly vulnerable. Overcoming these challenges, he said, means doing away with the IT silo problem that hinders and complicates organizations' ability to protect personal and sensitive information.
  4. Hugh Thompson, CTO of Symantec, said that in the age of digital disruption, as we create ever more data, power moves to analytics. Dr. Thompson argued that organizations need to understand that what information security professionals do matters, and advocated a Neighborhood Watch approach to security.
  5. Eric Schmidt, Executive Chairman of Alphabet Inc., admitted that he "was proven completely wrong" about artificial intelligence: his graduate thesis held that AI would not scale or generalize, and he now acknowledges that Google is in fact an AI company. He worries about losing the openness of the internet to regulation. Schmidt wants to empower researchers while simultaneously protecting privacy by, for example, enabling medical research on large, HIPAA-compliant data sets.
  6. In a panel moderated by Cisco's CPO Michelle Dennedy, Michele Guel, Distinguished Engineer and Security Architect at Cisco, said that what really matters when talking about big data and the cloud is where the data is swimming: data is everywhere, so knowing who is using it, where and when, is critical to engineering privacy throughout its lifecycle. Harvey Jang, Cisco Director of Global Data Protection and Privacy, drove home the importance of this approach for compliance with the EU's General Data Protection Regulation (GDPR), which demands that organizations know what data they hold and understand the risk it poses. Dennedy said that thinking about privacy from the start will determine whether businesses create cloud opportunities or cloud scapegoats.
  7. Johannes Ullrich, Dean of Research at the SANS Technology Institute, advised that as digital threats evolve, tokenization is the best answer for protecting data when engaging with third-party or cloud-based services.

Tokenization is a method of pseudonymization: a sensitive value (a card number, an email address) is replaced with a surrogate token, and the only link between the token and the original is held in a separate, tightly controlled store, so the systems and partners that process the tokens never see the real value. The GDPR promotes pseudonymization as a means of protecting privacy during processing, defining it as processing such that the data can no longer be attributed to a specific person without additional information that is kept separately. One caveat practitioners should keep in mind: pseudonymized data is still personal data under the GDPR because it can be re-identified with that additional information; only truly anonymized data, which cannot be traced back to an individual, falls outside its scope. Given the increased focus on the need for businesses to ensure their customers' privacy without compromising the value and usability of data, expect to hear more about this approach to securing data and privacy.
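To make the mechanics concrete, here is a small vault-based tokenizer written for this post as an added illustration; it is not Protegrity's product code or anything the speakers presented. Every record, field name and value in it is constructed sample data. It shows the three properties that make tokenization useful for sharing data with a third party or cloud service: tokens are random and carry no information about the original, the same input always maps to the same token so analytics and joins still work on the tokenized copy, and reversing a token is only possible with access to the vault, which is what makes the result pseudonymous rather than anonymous.

```python
"""Vault-based tokenization, minimal illustration (added example, constructed data).

A TokenVault holds the only mapping between tokens and real values. The
tokenized records can be handed to an outside service; the vault stays inside.
"""
import secrets

# Fields in a record that must never leave the organization in the clear.
SENSITIVE_FIELDS = ("email", "card")


class TokenVault:
    """Token <-> value mapping. In production this is a hardened, access-controlled
    service with audit logging; a dict is enough to show the mechanics."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        # Deterministic: the same value always gets the same token, so counts,
        # joins and deduplication still work on the tokenized copy.
        existing = self._by_value.get(value)
        if existing is not None:
            return existing
        while True:
            if value.isdigit() and len(value) >= 13:
                # Card-number-like input: keep length and last four digits (a common
                # convention so receipts still work); the rest is random digits.
                body = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
                token = body + value[-4:]
            else:
                # Generic input: an opaque random token with no relation to the value.
                token = "tok_" + secrets.token_hex(12)
            if token not in self._by_token and token != value:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can reverse a token; unknown tokens raise KeyError.
        return self._by_token[token]


def tokenize_records(records, vault, fields=SENSITIVE_FIELDS):
    """Return copies of the records that are safe to send to an outside service."""
    out = []
    for rec in records:
        safe = dict(rec)
        for field in fields:
            if field in safe:
                safe[field] = vault.tokenize(safe[field])
        out.append(safe)
    return out


def detokenize_records(records, vault, fields=SENSITIVE_FIELDS):
    """Reverse the mapping; possible only for a party holding the vault."""
    out = []
    for rec in records:
        real = dict(rec)
        for field in fields:
            if field in real:
                real[field] = vault.detokenize(real[field])
        out.append(real)
    return out


def leaked_values(safe_records, original_records, fields=SENSITIVE_FIELDS):
    """Original sensitive values that still appear verbatim in the shared copy."""
    originals = {r[f] for r in original_records for f in fields if f in r}
    shared = {r[f] for r in safe_records for f in fields if f in r}
    return shared & originals


def spend_per_customer(safe_records):
    """Analytics an outside service can run on tokens alone: total amount per customer."""
    totals = {}
    for rec in safe_records:
        totals[rec["email"]] = totals.get(rec["email"], 0.0) + rec["amount"]
    return totals


# Constructed sample data (not real customers or card numbers).
SAMPLE = [
    {"id": 1, "email": "alice@example.com", "card": "4111111111111111", "amount": 42.0},
    {"id": 2, "email": "bob@example.com", "card": "5500000000000004", "amount": 9.5},
    {"id": 3, "email": "alice@example.com", "card": "4111111111111111", "amount": 13.0},
]

if __name__ == "__main__":
    vault = TokenVault()
    shared = tokenize_records(SAMPLE, vault)
    for rec in shared:
        print(rec)
    print("leaked originals:", leaked_values(shared, SAMPLE))
    print("spend per (tokenized) customer:", spend_per_customer(shared))
    print("round trip ok:", detokenize_records(shared, vault) == SAMPLE)
```

Run it and the outside party's view (the printed records) contains no email or card number, yet it can still total spend per customer because the repeated customer maps to the same token. The design choice worth noting is that the tokens are random rather than derived from the value: a keyed hash would also be deterministic and need no vault, but it cannot be reversed for legitimate internal use, and a leaked key plus a guessable input space (card numbers, email addresses) lets an attacker confirm guesses. With a vault, the security of the whole scheme rests on access control to that one store, which is exactly the silo you want to protect centrally.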

Which of these most resonates with you and your brand? Is your organization familiar with the differences between anonymization and pseudonymization? If you're at the conference, come and talk to us about any of these points at booth 4433 North. If you couldn't be here this year, follow me @MylesSuer, @Protegrity and #CIOChat to discuss these matters and more. And don't forget to check here tomorrow for more news from the event.
