Editor’s note: Personal information is valuable in optimizing and personalizing a customer experience. But Personally Identifiable Information (PII) can be abused. We asked three security experts for their advice on how companies can best protect customers’ PII.
Q. What do you believe is the biggest pitfall in purchasing or implementing software solutions that protect customers’ Personally Identifiable Information?
John Ladley, president and chief delivery officer, First San Francisco Partners – Creating formal solutions to protect, and simultaneously extract, value from customer data creates many challenges. This is especially visible when organizations start to understand they have to purchase and implement new tools. The most obvious technologies in this area, encryption, security, etc., can create challenges because of the wide variety of architectural approaches involved. Few organizations have an effective application of enterprise architecture. As a result, many tools meet requirements in one area but are deficient in others. An example is incompatibility with older applications and varied COTS architectures. To avoid this scenario, it is important to establish a customer information strategy and architecture or reference architecture before tackling the tool acquisition challenge.
Just like the available tools, there are many methods and techniques for protecting and managing customer information. It is crucial that technologists within the organization really educate themselves on the enormous variety of solutions and approaches before settling on a tool and/or an approach.
Ironically, the next issue that arises is purchasing solutions too soon. While there is no doubt technology will be applied to meet the requirements of customer data protection, too often organizations grab for best-of-breed solutions only to discover that a more integrated, or higher-level view of the problem requires an entirely new tool solution. The key to avoiding this pitfall is to blend and view data management requirements across the entire customer data life cycle.
Often, a formal structure for defining the rules of data engagement will set the tone for data governance by establishing standards and guidelines for customer information. However, there is little or no automated support for data governance; consequently, another pitfall is overlooking data management and governance tools.
EU Privacy expert Daragh O Brien offers, “The biggest pitfall in purchasing software is thinking that software alone can solve these challenges. Tools can support processes, but … they can’t stop your staff from designing bad processes.”
John Mutch, CEO, iSheriff – The biggest pitfall organizations face in implementing solutions to the data security problem is in knowing where the data is and what data they would like to protect. In many organizations it can be shocking how much sensitive customer information is stored across multiple end-user devices. It is difficult to purchase a solution when you haven’t first understood the scope of the data and its location. You can’t protect what you can’t define.
The next difficulty comes in planning. What is to be achieved by implementing solutions to protect customer data? What specific data needs to be protected? How are you protecting it? Is it protected from being sent via email, copied to a disk, sent via Skype, exported to an encrypted file, uploaded online? How will data in the online CRM be protected? What is the difference between a user in a hotel room with a big client meeting tomorrow and a user in a cubicle at the office? Should there be different policies for different users? How will the rules be enforced? Will the user be blocked and notified, or warned and asked if they’d like to continue? Who in information security should be alerted, and when?
There are many more questions like this that need to be answered before a solution can be chosen. There are plenty of data protection solutions available, but an organization is not ready to select one until they know what they need it to do. That only comes through planning ahead of time and asking the tough questions.
Tim Prendergast, Founder and CEO, Evident.io – Often, software is purchased without a real understanding of the scope and classification of data to be protected. This leads to dangerous gaps in coverage, especially as companies migrate into hybridized or cloud-only environments. Technologies built for the data center paradigm, for example, fail to provide equivalent functionality in many cloud-native deployments. This leads to partial coverages, a false sense of security, and misrepresentation of privacy guards to customers that don’t have any additional insights beyond the policies historically published by the caretaker of their data and assets.
Companies have to maintain a data committee or working document that is frequently reviewed and updated. This provides a singular nexus for data model changes, data coverage increases/decreases, and inventory of data sources and destinations in a particular product line or organization. The only way to ensure coverage across all the critical data locations is to know where they are and to use the proper technology stacks to protect those data instances.
This may seem like a lot of process and procedure, but it is part of the working DNA of organizations that take privacy and security of customer assets and data seriously. Custodians must treat data privacy and security as core features of their product rather than burdensome regulations that only hurt if you get caught asleep at the wheel. Customers have an expectation and right to these protections, and data custodians owe them the commitment to uphold those protections on their behalf.
Q. What internal processes must companies have in place regarding how customer information is managed and shared according to regulatory requirements and customer expectations?
There should be a separate, but related, policy to define the security commitments of the provider on a broader level. This document defines the measures, frameworks and responsibilities of the provider to protect customer assets and information.
These documents are a matching pair to ensure responsibility and care are taken when handling the critical personal information of individuals and corporations alike.
John Ladley, president and chief delivery officer, First San Francisco Partners – Balancing customers’ privacy expectations with regulatory mandates and data monetization can seem like a tightrope walk. EU privacy expert Daragh O Brien put it succinctly: “Compliance with regulatory requirements is a floor not a ceiling. Customer expectations can often exceed the letter of the law.”
To satisfy all requirements, organizations must start by classifying data consistently and in compliance as to its usage. No doubt, data classification can be daunting and controversial, but it’s absolutely crucial. From there it is important to establish a formal interaction between data governance, compliance and security, as data management activity often differs across organizations. Processes for managing information lineage and flows are essential as well. Know what your data is, what it means and where it’s used, or compliance will result by accident and not design. Next, take the time to establish a coherent and integrated “top-down” governance framework to ensure clearly defined decision rights, responsibilities and accountabilities for processes that affect personal data. Last, but not least, train all stakeholders in the new behaviors to understand and walk the data tightrope. Behavior changes will be required.
John Mutch, CEO, iSheriff – The internal processes need to be ingrained as part of the organization’s culture. Customer trust should be important to every organization, from the CEO and the board of directors, all the way down. The processes should center around how the data is handled, giving the employees a sense that the customer data is a valuable resource. It shouldn’t be left lying around, and when it is sent out, it should only be sent out in a protected method using encryption. Don’t print customer data or copy any data to other storage devices unless absolutely necessary. While it is on that device, or printed out, treat it as sensitive information. Do not leave it where anyone else has access to it and destroy the copy immediately when you are done with it. Information security tools should implement this approach.
Q. Who should play key roles in the decision-making process regarding these internal guidelines and controls?
John Mutch, CEO, iSheriff – The decision-making process regarding these internal guidelines and controls should be handled between HR and the information security function. If the organization has a compliance officer, or someone in a similar role, that person should head the effort. Information security and the compliance officer should be aware of all of the regulations that apply. These should be documented and refreshed regularly. HR should be responsible for creating a corporate culture that values customer data. This should start with annual training for all employees on the corporate policy and then be reinforced throughout the year.
John Ladley, president and chief delivery officer, First San Francisco Partners – Many organizations rely on compliance teams, or legal counsel for oversight while data privacy and security groups often get to implement new controls. By instituting a formal data governance practice, organizations can eliminate data discrepancies, as this group will ultimately be accountable for the definition and oversight of internal controls. As data continues to grow along with its use, many organizations now appoint chief data officers to provide cross-organizational oversight of all data-related guidelines and controls.
Lastly, new regulation such as the EU Data Protection Regulation requires many organizations to have a data protection officer to ensure governance and control.
Tim Prendergast, Founder and CEO, Evident.io – There should be, at a minimum, three stakeholders in this process: the technology owner (often the CTO or VP of the line of business), the data owner (product or operations team) and the compliance/governance owner (CISO or privacy officer). This gives a balance of the corporate strategic view from the CTO and the specific domain expertise and understanding from the product owner.
John Ladley is president and chief delivery officer of First San Francisco Partners. He is a business technology thought leader and recognized authority in Enterprise Information Management (EIM). He brings 30 years’ experience in planning, project management, improving IT organizations and successful implementation of information systems. His books, “Making EIM Work for Business – A Guide to Understanding Information as an Asset” and “Data Governance – How to Design, Deploy and Sustain an Effective Data Governance Program,” are recognized as authoritative sources in the EIM field.
John Mutch is CEO of iSheriff. He is responsible for the future direction of the organization and leading the company’s overall operations, with direct oversight of sales, marketing, professional services, research and development and corporate strategy. He brings a 30-year track record of creating significant shareholder value as both an investor and operating executive. Previously, he served as the chairman and CEO of BeyondTrust Software, ran Peregrine Systems and was president and CEO of HNC Software.
Tim Prendergast is founder and CEO of Evident.io. With well over two decades of pushing the limits of technology, Tim created Evident.io as the first security company focused solely on programmatic infrastructures (cloud). His prior experience includes leading technology teams at Adobe, Ingenuity, Ticketmaster and McAfee. He holds over 15 years’ security experience, including eight years in AWS security and three years in the Adobe AWS infrastructure from inception to production.
Kathleen Goolsby is managing editor of SandHill.com.