SESSION ID: AST3-W02
The Data Behind How We Work with Data
Sam Pfeifle, Publications Director, International Association of Privacy Professionals (@DailyDashboard)
#RSAC
Who Are They?
• 24% listed no credential at all
• 23% listed a different credential, including CCEP, PMP, and CHP
What Do They Do?
• We are increasingly seeing non-lawyers entering the profession.
• We are seeing more operational privacy pros being embedded in more diverse areas of the organization.
• As we’ll see later, IT, Infosec, and Privacy are intimately linked within the organization.
Operational Conclusions and Applications
• Privacy handles a wide variety of tasks and is organized in many different ways
• Companies need to begin defining clearly what is, and what is not, privacy
• Privacy is getting deep within organizations; those with privacy as just a compliance role may be behind the times
https://iapp.org/media/pdf/resource_center/IAPP-EY_Privacy_Governance_Report_2015.pdf
The Biggest Risks
• Brand vs. Breach
• Who’s Watching the Bottom Line?
• Will Regulator Risk Increase?
Biggest Risk Factors
• PII Is King
• Risk in the Post Safe Harbor Age
• Enforcement History Becoming More Robust
Mitigating Risk
• What if Leadership Won’t Buy In?
• Working with IT
• Curious Case of Cyberinsurance
But Companies Are Struggling
• Mind the Gaps
• Where’s the Money?
• SMEs Really Need Help
U.S. vs. the World
• U.S. Sample Is Bigger
• More IAPP Firms are U.S.-Based
• Still, There’s Something There
Size Matters
• The Maturity Curve
• Working with IT
• Working with the Regulator
Who’s Doing the Assessing?
• Bringing in Outside Counsel
• CISO v. CPO
• Team Effort
Risk Conclusions and Applications
• Privacy is a young profession and operation; without executive buy-in it will not be an asset to the company
• How will risk evolve with budget and staff? Most agree throwing money at the problem won’t work. Has to be tactical.
• Prepare for the EU General Data Protection Regulation and understand global privacy.
https://iapp.org/resources/article/study-assessing-and-mitigating-privacy-risk-starts-at-the-top
How IT and Infosec Value Privacy
• Half of all companies have increased the number of privacy pros on the infosecurity team
• Investment in privacy tech is running ahead of external spend on audit and counsel
• The Privacy Venn diagram
• More about people than budget
And That Collaboration Is Only Increasing
• Half of all infosec teams now have privacy team members
• Could government affairs use more infosec professionals now that security is becoming more of a policy issue?
• And vice versa
It’s the Most Important Thing They Do…
• Communication trumps all else – how to do?
• Privacy working group is a start
• Privacy pros want tech, but feel they’re not getting it from IT?
• Or does IT know best that tech can’t solve everything?
How Do Opinions Change When Bad Things…
• Priorities change almost not at all
• The only change in action was an increase in security tech spending
• When the regulator comes calling, we see a new emphasis on privacy operations
• Breaches are about more than the data lost
• Sound policy before and after a breach can keep a notice from becoming a full investigation
Applying IT and Infosec Findings
• Make the privacy ops easier: Get out of the Word file era
• Get your people talking: Populate your working group; build your teams
• Train your organization: Budgets and teams are small; make everyone part of the team
https://iapp.org/resources/article/how-it-and-infosec-value-privacy/
Sam Pfeifle, IAPP (@DailyDashboard)
[email protected]