Top 5 Things The CISO Needs To Know About Data Privacy

Post on 06-Mar-2018

Privacy Insight Series

Top 5 Things The CISO Needs To Know About Data Privacy

October 15, 2015

Today’s Speakers

› Heidi Shey, Senior Analyst, Forrester Research
› Chris Babel, CEO, TRUSTe

Top 5 Things The CISO Needs To Know About Data Privacy

Heidi Shey, Senior Analyst

October, 2015

© 2015 Forrester Research, Inc. Reproduction Prohibited 4

1. Privacy org structure creates challenges and opportunities


Poll Question #1: What type of privacy org do you have?

› 1 Compliance Cub
› 2 Security Satellite
› 3 Marketing Maven
› 4 Business Booster
› 5 Don’t Know

What type of privacy org do you have?

• Challenge: Do policies accurately reflect enforcement controls?
• Opportunity: Know your data (inventory, classify), assess risk.

What type of privacy org do you have?

• Challenge: Internal perception as an inhibitor, too much focus on compliance.
• Opportunity: Build on existing strengths and philosophy; ensure that privacy enforcement efforts are addressed from a holistic perspective (tech, process, policy, people).

What type of privacy org do you have?

• Challenge: Policy and control misalignment, exposure to third party risk.
• Opportunity: Partner for more comprehensive risk assessment; identify and extend your org’s security requirements to third party partners/vendors.

What type of privacy org do you have?

• Challenge: The concept of privacy as a competitive differentiator can mean different things to privacy stakeholders.
• Opportunity: Treating privacy as a competitive differentiator (e.g., data controls, security and privacy culture) and marketing privacy as a competitive differentiator are mutually exclusive. CISOs can support both.

2. Don’t rely on regulators to tell you what to do

On the radar…

› Safe Harbor (now invalid!)
› EU Data Protection (updates on the way!)

What is required?

“adequate level of protection”

“best efforts”

What are the options available?

Following the CJEU ruling on the validity of Safe Harbor, and depending on an assessment of your data transfers, companies have four main options:

1 Introduce Model Clauses
2 Start the process of Binding Corporate Rules
3 Rely on Consent
4 Wait for Safe Harbor 2.0

Poll Question #2: What solution is your company considering for data transfers following the CJEU ruling?

› 1 Model Clauses
› 2 Binding Corporate Rules
› 3 Consent
› 4 Wait for Safe Harbor 2.0


What you can do in response

› Evaluate how your existing security technologies and data controls (not just encryption) can help.
› Use privacy requirements to help with business justification or prioritization for new security investment.
› Sometimes the technology also doesn't exist yet, so it will have to be a combination of existing technology, processes, policies, and vendor SLAs. Document everything.

3. Compliance is not a privacy strategy


When compliance drives privacy programs…

› Cost center!
› Silos!
› Scapegoats!
› Head in the sand!

Treat privacy as a competitive differentiator

› Identify privacy program oversight, roles, capabilities (requires a village)
› Consider what internal privacy standards should be, based on company culture and values
› Consider customer experience, and public-facing communications about privacy


CISOs are a critical business partner

› Identifying the necessary data controls and solutions to meet regulatory requirements
› Aligning data controls to enforce privacy and data use policies
› Folding privacy pros into incident response

It’s more than just what you do, it’s how.

4. Privacy requirements and implications to prepare for


Selected highlights and implications

› Data residency
› Data deletion
› Breach notification
› Corporate restructuring

5. Privacy can help to build your business case for security

Data security

Data privacy

Poll Question #3: What is the relative size of the Privacy and Security Budgets?

› Privacy < Security Budget
› Privacy = Security Budget
› Privacy > Security Budget
› Don’t Know

Security safeguards are a privacy principle

Source: IAPP-EY Annual Privacy Governance Report 2015

Today’s privacy budgets are modest

There’s not much for tech and tools

Source: IAPP-EY Annual Privacy Governance Report 2015


Align your security and privacy initiatives

Understand data and how it moves
• Discovery, classification, user behavior analysis, network analysis and visibility, etc.

Control data and access to it
• Encryption, tokenization, key management, network segmentation, rights management, access controls, data masking, privileged identity management, etc.

Enforce policy
• DLP

Other complementary initiatives
• Awareness training, incident response, third party risk management, security staff career development, etc.

Thank you

forrester.com

Questions?

Contacts

Heidi Shey
+1 617.613.6076
hshey@forrester.com

Chris Babel
cbabel@truste.com

Don’t miss the next webinar in the Series – “Practical Vendor Management to Minimize Compliance Risks” on November 12th. See http://www.truste.com/insightseries for details of future webinars and recordings.

Thank You!