Issue Sixteen

July 2022

The digitization of our world continues to expand capabilities that touch every part of our lives. Virtually everything is connected to the internet - our phones, smart devices, networking equipment, autonomous vehicles, factories, our critical infrastructure, and our expansive supply chains. Being so connected empowers us to live and work in ways never possible before.

With every connection, data is being amassed and stored to supply the intelligence necessary to improve our experience and to provide insight into how technologies should evolve. With data, we can reach intended audiences with pinpoint accuracy and provide value in ways that weren’t possible years ago. The significance of these profound transformations is nearly immeasurable, and the work that has gone into making it all possible is, likewise, incomprehensible.

The questions we must begin to ask ourselves: Are we transforming the ways in which we protect the data that fuels our expansive ecosystems? Are we transforming the ways in which we interact with these new technologies and capabilities? Are we transforming the culture within our organizations and our society as a whole?

Far too often digital protection is viewed through a transactional lens, focused on costs and the traditional sense of return on investment. The time has come for organizations to evolve their perspectives, to peer through the lens of transformation, in preparation for the future. It is our collective responsibility to ensure the digital world we are building is sustainable, just as intensely as we fight to ensure our physical world is here for generations to come.

Our digital mindset must not only focus on the fruits of transformation, but on the protection of the bodies those fruits nourish. There will be no return on any of our investments if we don't view transformation, to include security, as a return.


ZEROING IN


Why a bipartisan data privacy proposal faces an uphill battle

The Hill

I am a staunch advocate for comprehensive federal data privacy legislation and am pleased to see the bipartisan American Data Privacy and Protection Act (ADPPA) proposal getting some well-deserved attention.
“Despite opposition from both business groups and privacy advocates, there appears to be agreement across the board that simply getting a federal proposal with concessions on both sides is a big first step.”

The ADPPA is a good start and worthy of vigorous debate, which should lead to meaningful reform. Alas, history may bode otherwise. The ADPPA deviates from privacy models such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) with which businesses have become familiar and for which they have developed policies and procedures. Regrettably, it appears the ADPPA “fails a central requirement of any good federal privacy law: to create a national privacy standard.” In its current form, the ADPPA will not address the patchwork of state laws, which should be a primary goal of the legislation. Notwithstanding the uphill battle ahead, there are three significant takeaways that every business should include in their cybersecurity and privacy programs regardless of the outcome of ADPPA.

  1. Minimize data collection. Businesses should adopt policies and procedures to limit the collection, processing, and transfer of information to only what is “reasonably necessary, proportionate and limited to” the information necessary or required to provide or maintain specific products or services. Collecting superfluous information is not just a data storage problem, it increases the risk profile of an organization. It should go without saying for sensitive or personal information; however, it applies to all data – if it is not necessary to do the job, do not collect it or store it.

  2. Adopt tighter restrictions and prohibit data practices regarding sensitive information. If it is not required by the work, prohibit the collection, processing, or transferring of social security numbers, biometric information, nonconsensual intimate images, and genetic information. Further, prohibit the collection, where feasible and most certainly the transfer, of an individual’s precise geolocation information, passwords, aggregated internet search or browsing history, or “physical activity information” from any device. 

  3. Build in Privacy by design. Implement reasonable data collection, processing, and transfer policies, practices, and procedures that mitigate privacy risks (most certainly for minors, if applicable) related to the “design, development, and implementation” of your business products and services. Policies, practices, and procedures should consider the size and complexity of the business and its activities as well as the volume and sensitivity of the data collected or managed.

Again, regardless of the outcome of ADPPA, these steps will help address privacy and cybersecurity issues as regulatory, legislative, and client requirements continue to become more stringent.

SQ Insight: Tony Ogden - President, GRC


Got hit by a cyberattack? Hackers will probably come after you again - within a year 

ZDNet

The research is abundantly clear - elevating digital security to the executive and board level is the most essential element in tangibly reducing organizational cyber risk.

“…the more often information security and leadership teams meet to discuss cyber threats and risks, the less likely the company will fall victim to a cyberattack – and those who met most often, at least 15 times a year, didn't suffer security breaches at all.”

Yet, many - most - cannot achieve the necessary elevation of this discussion. The key lies in distinction: IT and cybersecurity must be separated - first logically, then budgetarily. While the two certainly intersect, applying the distinction provides a pathway to assigning dollars, defining accountability, prioritizing efforts, and ultimately articulating the value of a cybersecurity program as a transformational element within a modern organization.

Elevating digital security to the executive and board level forges a new cultural mindset - from the top, down - that establishes protection as a core value and positions organizations to not only defend and preserve their purpose, but to thrive in fulfilling their social responsibility within a fully digitally transformed world.

"When we finally go from awareness to executive involvement, we see a huge difference – there really is a need to be proactive. And it makes a difference in the number of times you get hit..."

SQ Insight: Kenneth Holley - Chairman


5 Reasons You Should Learn About Cyber Security

Hackread

Many businesses, as larger “end-users” of information technology innovation, believe they have solid cybersecurity programs, but I challenge that premise. In reality, many company leaders — like many individual users of information technology — do not truly understand the vast dangers and multiple aspects of cybersecurity threats, and they rely on others to implement appropriate technology solutions as a defense without fully grasping the impact that establishing and maintaining these solutions can have on a business. Additionally, many business leaders currently miss the mark on the significant role their people, their individual end-users, play in effective cybersecurity.

Business leaders should start with educating themselves by enlisting the help of cybersecurity leaders and not simply service providers looking to sell technologies. Such education will help these leaders understand what is required to establish and maintain effective cybersecurity and how these requirements affect business outcomes. A significant pillar of this education is understanding what roles their businesses’ people, teams, and departments play in shifting and strengthening the cybersecurity culture and what responsibilities they have to maintain it. Being a business executive today means understanding the entire business landscape — and there's hardly a discussion about that landscape that doesn't include threats and risks, especially in the cybersecurity arena.

SQ Insight: Marc Packler - President, CISO Advisory

Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
