Top 5 Things The CISO Needs To Know About Data Privacyinfo.truste.com/rs/846...5_Things_the_CISO_Needs_to...Top 5 Things The CISO Needs To Know About Data Privacy October 15, ... Top

1 v Privacy Insight Series v

Top 5 Things The CISO Needs To

Know About Data Privacy

October 15, 2015

2 v Privacy Insight Series

Today’s Speakers

Heidi Shey

Senior Analyst,

Forrester Research

Chris Babel

CEO

TRUSTe

Top 5 Things The CISO Needs To

Know About Data Privacy

Heidi Shey, Senior Analyst

October, 2015

© 2015 Forrester Research, Inc. Reproduction Prohibited 4

1 Privacy org structure creates

challenges and opportunities


What type of privacy org do you have?








Poll Question #1


› 1 Compliance Cub

› 2 Security Satellite

› 3 Marketing Maven

› 4 Business Booster

› 5 Don’t Know



• Challenge: Do policies accurately reflect enforcement

controls?

• Opportunity: Know your data (inventory, classify),

assess risk.



• Challenge: Internal perception as an inhibitor, too much

focus on compliance

• Opportunity: Build on existing strengths and philosophy;

ensure that privacy enforcement efforts are addressed

from a holistic perspective (tech, process, policy, people)



• Challenge: Policy and control misalignment, exposure to

third party risk

• Opportunity: Partner for more comprehensive risk

assessment; Identify and extend your org’s security

requirements to third party partners/vendors



• Challenge: The concept of privacy as a competitive

differentiator can mean different things to privacy

stakeholders

• Opportunity: Treating privacy as a competitive

differentiator (eg., data controls, security and privacy

culture) and marketing privacy as a competitive

differentiator are mutually exclusive. CISOs can support

both.


2 Don’t rely on regulators to tell

you what to do


On the radar…

›Safe Harbor (now invalid!)

›EU Data Protection (updates on the way!)


What is required

“adequate level of protection”

“best efforts”

?


What are the options available?

Following the CJEU ruling on the validity of Safe

Harbor then depending on an assessment of your

data transfers companies have four main options

1 Introduce Model Clauses

2 Start the process of Binding Corporate Rules

3 Rely on Consent

4 Wait for Safe Harbor 2.0


Poll Question #2

What solution is your company considering for data transfers following CJEU ruling?

› 1 Model Clauses

› 2 Binding Corporate Rules

› 3 Consent

› 4 Wait for Safe Harbor 2.0


What you can do in response

›Evaluate how your existing security technologies

and data controls (not just encryption) can help.





›Use privacy requirements to help with business

justification or prioritization for new security

investment





›Use privacy requirements to help with business

justification or prioritization for new security

investment

›Sometimes the technology also doesn't exist yet,

so it will have to be a combination of existing

technology, processes, policies, and vendor

SLAs. Document everything.


3 Compliance is not a privacy

strategy


When compliance drives privacy programs….

Cost

center!



Cost

center!

Silos!



Cost

center!

Silos!

Scapegoats!



Cost

center!

Silos!

Scapegoats!

Head in

the sand!


Treat privacy as a competitive differentiator

› Identify privacy program oversight, roles,

capabilities (requires a village)

›Consider what internal privacy standards should

be, based on company culture and values

›Consider customer experience, and public-facing

communications about privacy


CISOs are a critical business partner

Identifying the necessary data controls and solutions to meet regulatory requirements




Aligning data controls to enforce privacy and data use policies




Aligning data controls to enforce privacy and data use policies

Folding privacy pros into incident response

It’s more than just what you do, it’s how.


4 Privacy requirements and

implications to prepare for


Selected highlights and implications

Data residency



Data residency

Data deletion



Data residency

Data deletion

Breach notification



Data residency

Data deletion

Breach notification

Corporate restructuring


5 Privacy can help to build your

business case for security


Data

security

Data

privacy


Poll Question #3

What is the relative size of the Privacy and Security Budgets?

› Privacy < Security Budget

› Privacy = Security Budget

› Privacy > Security Budget

› Don’t Know


Security safeguards are a privacy principle


Source: IAPP-EY Annual Privacy Governance Report 2015

Today’s privacy budgets are modest


There’s not much for tech and tools

Source: IAPP-EY Annual Privacy Governance Report 2015


Align your security and privacy initiatives



Understand data and how it moves

• Discovery, classification, user behavior analysis, network analysis and visibility, etc





Control data and access to it

• Encryption, tokenization, key management, network segmentation, rights management, access controls, data masking, privileged identity management, etc.







Enforce policy

• DLP







Enforce policy

• DLP

Other complementary initiatives

• Awareness training, incident response, third party risk management, security staff career development, etc.

Thank you

forrester.com

Heidi Shey

+1 617.613.6076

[email protected]


Questions?


Heidi Shey Chris Babel

+1 617.613.6076 [email protected]

[email protected]

Contacts

mailto:[email protected]


Don’t miss the next webinar in the Series – “Practical Vendor

Management to Minimize Compliance Risks” on November 12th

See http://www.truste.com/insightseries for details of future

webinars and recordings.

Thank You!

http://www.truste.com/insightseries

Documents

Top 5 Things The CISO Needs To Know About Data Privacyinfo.truste.com/rs/846...5_Things_the_CISO_Needs_to...Top 5 Things The CISO Needs To Know About Data Privacy October 15, ... Top