As RSA Conference draws to a close and I reflect on the past few days, I can honestly say that it has been a huge inspiration to be surrounded by so many people passionate about data protection and privacy. Knowing that #MyDataMatters to individuals is a huge driver for brands, vendors and regulators to step up to their roles as data custodians, but they face many challenges in their bid to do so.
The key messages from day four at the event echoed those of the event as a whole – data and privacy protection is about people as well as technology:
Todd Fitzgerald, CISO of Northwestern Life, said that the notion of a right to privacy started in the 1890s with photos of questionable behaviors appearing in the newspaper — the Twitter of the age! Fitzgerald suggested that CISOs need to move towards being more governance and privacy focused, knowing where data is and how it is used. This is a new era for the CISO, one which Fitzgerald says requires a ‘privacy and data aware’ CISO.
The Vendor Security Alliance includes CISOs for several SaaS service providers working to fix how third-party cybersecurity risk is evaluated. The Alliance aims to standardize a faster security audit process, making it possible for CIOs to include vendor security much earlier in the procurement and vetting process.
CEO at Forcepoint, Matt Moynahan, said organizations need to understand the cyber continuum of intent and understanding in the exchange of value between consumers and their privacy. He said that people themselves are the issue at the heart of data protection and that this is why the focus needs to be protecting their data itself.
Leidos’ Chief Cybersecurity Strategist, Gib Sorebo, said 73% of health apps have been hacked, costing the industry $6B a year as well as many patients their privacy. According to Sorebo, the key vulnerability for Electronic Health Records is the systems architecture within which they are input and accessed. Sorebo also suggested that Meaningful Use really needs to be better connected with Payers to improve quality of care.
CIOs and other IT leaders in the #CIOChat discussed these points and others from the previous three days at RSA Conference, agreeing in general that while data security is now a strategic business advantage, there are many IT and people issues to consider.
Peter Salvitti, CTO of Boston College, said that security is as much a management discipline as it is consistent policies, controls, etc. Communication between biz and tech via the CISO is key. Privacy needs to be considered in advance, often leading to “I’m not moving to the cloud unless there are better controls.”
Stony Brook University CIO, Melissa Woo, said that similar skill sets are required for both good CISOs and CIOs — business traits such as communication and strategizing, etc.
Jeffrey Pomerantz, Information scientist and Senior Research Analyst at Educause ECAR, said their research shows CISOs spend a lot of time supporting institutional strategy projects across campuses. He believes that as the C-suite is needed to project leadership and influence, communication is among the most important skills they require.
Orange CIO, Pascal Viginier, said that it is best to have a security-oriented CISO with strong business acumen. He considers that Privacy by Design offers value to customers.
Cisco CPO Michelle Dennedy said that there is more than value in considering privacy in advance of implementing a cloud strategy. She believes privacy is the difference between realizing value and returns, or flaming out in glory.
So that’s it from me from RSA, although I’ll be discussing many of the facets of privacy and data security raised here in my upcoming blogs, so sign up for alerts of my next posts and follow me @MylesSuer and @Protegrity.
What do you think about the news that has come from the show? I’d love to hear your perspectives, and if there are other data protection and privacy topics you’d like to discuss, join the #CIOChat and let us know.