This article was originally published on Dark Reading.
Data and its necessity in business is not a new phenomenon. The collection and use of data to advance objectives has been an integral part of strategy for years – and it only continues to grow, right along with the data that fuels it. By 2025, IDC says worldwide data will grow 61% to 175 zettabytes.
But along with growing data collection and use, there are increased concerns about how companies are handling the data. As such, the role of the Chief Data Officer is finding its place in more organizations. A study by NewVantage Partners cited in Harvard Business Review reveals the share of companies with a CDO rose from 12% in 2012 to 68% in 2018. The same research finds 55% of executives say data ethics is a top business priority.
“In these times of pandemic, personal data is being requested more frequently than ever before for track and trace purposes whether this be by your local restaurant, your medical practitioner or even your employer who may be taking personal medical information details around your health and well-being before allowing you back into the workplace,” says Steve Durbin, managing director of the Information Security Forum. “No wonder then that the ethical use of data is becoming more of a talking point.”
But how do these concerns intersect with the security team’s and CISO’s role as data protectors? How should security find its place into the conversation about data ethics?
“Security has always been intimately involved in taking responsibility for the confidentiality, integrity and accessibility of data and I do not see that changing,” says Durbin. “But as we move more into the realms of privacy by design, there will increasingly be a need for the CISO to be working closely with the Chief Data Officer.”
A ‘Natural’ Extension of Security’s Role
The concern around how data is handled – and potentially misused – is top of mind for consumers as well as regulators. The obvious main concern is privacy. Research from KPMG that looked at attitudes among 1000 Americans finds consumers are distrustful of how companies safeguard their personal data against misuse and theft. Among the findings, 54% feel that companies cannot be trusted to use their personal data in an ethical way and 68% believe that companies will not sell personal data in a responsible way.
“Cybersecurity and data ethics are intertwined and are dependent on each other for the success of sustained digital trust with clients,” says Jason Albuquerque, CIO and CISO with NWN Carousel. “Cybersecurity teams are enablers of data ethics strategies. There are several core ideals of data ethics and how security plays a critical role in their success. The first is obvious: is your organization protecting sensitive data to the best of its ability?”
The benefits of a cooperative relationship between security and a data team are numerous. In an age where consumers care more, and regulators are watching, it can mean reduced legal liability, and better protections in the event of a data breach if a business can prove it has handled data in a responsible and ethical way. Without this synergy, notes Albuquerque, the consequences can be dire, ranging from reputational damage to monetary loss.
“Organizations that lack the proper data ethics frameworks can cause immeasurable damage,” he says.
Thankfully, the relationship between the Chief Data Officer and the security team is a natural one, according to Bjorn Townsend, security consultant for CI Security. In addition to safeguarding systems and information, a good CISO should ensure that the business is also trusted as a good steward of data.
“Security needs to be built into the conversation from the beginning,” he says. “Without assurance that adequate security measures are in place to defend our personal data, we cannot meaningfully be said to have control of it.”
A Collision of Objectives?
But sometimes, security and privacy objectives collide, says Laura Noren, New York University visiting professor for data science and VP of privacy and trust at Obsidian Security. The tension between merely handling data securely and treating it ethically (to ensure privacy) can in some organizations present challenges.
“For instance, a traditional approach to data loss prevention requires that the contents of email messages, files, and chat transcripts be captured and scanned to make sure Social Security numbers, sensitive health and education data, financial account data, [are] not entering or exiting organizational safe storage locations via unsafe transfer mechanisms,” says Noren. “That approach is generally accepted as valid and helpful in the security community. Privacy defenders disagree. Capturing, storing, and scanning all email, chat, and file content means millions and billions of fully compliant, non-risky files and emails are scanned and sometimes stored” as well.
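The tension Noren describes can be seen in how a content scanner is built. The following is an added example, not code from the article or from Obsidian Security: a minimal DLP-style scanner that inspects message bodies in memory for Social Security numbers and Luhn-valid card numbers, and retains only findings metadata (kind, offsets, a redacted sample, aggregate counts), never the text it scanned. The sample messages are constructed, and the pattern names and thresholds are assumptions for illustration.

```python
"""
Minimal content scanner in the style of traditional DLP: every message is
inspected, but the report keeps no message content, only findings metadata.
Added example; sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# SSN: 3-2-4 digits, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13 to 16 digits, optional single spaces/hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


@dataclass(frozen=True)
class Finding:
    kind: str       # "ssn" or "card"
    start: int      # offset in the scanned text
    end: int
    redacted: str   # all digits masked except the last four


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so a finding can be triaged without the value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> List[Finding]:
    """Scan one message body; returns findings, never the body itself."""
    findings: List[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.start(), m.end(), redact(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", m.start(), m.end(), redact(m.group())))
    return findings


def scan_batch(messages: List[str]) -> Dict[str, object]:
    """Aggregate report: how many messages were inspected vs. actually flagged.

    Illustrates the privacy cost Noren points at: every message is read, even
    though the report only ever contains counts and redacted findings.
    """
    report: Dict[str, object] = {"scanned": 0, "flagged": 0, "by_kind": {}}
    by_kind: Dict[str, int] = report["by_kind"]  # type: ignore[assignment]
    for msg in messages:
        report["scanned"] = int(report["scanned"]) + 1
        found = scan(msg)
        if found:
            report["flagged"] = int(report["flagged"]) + 1
        for f in found:
            by_kind[f.kind] = by_kind.get(f.kind, 0) + 1
    return report


# Constructed sample messages (not real data). Only two carry a sensitive value.
SAMPLE_MESSAGES = [
    "Lunch at noon? Bring the Q3 deck.",
    "Patient file: SSN 123-45-6789 attached for intake.",
    "Reimburse to card 4111 1111 1111 1111, thanks.",
    "Call me at 555-123-4567 when the build is green.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in scan(msg):
            print(f"{f.kind}@{f.start}-{f.end}: {f.redacted}")
    print(scan_batch(SAMPLE_MESSAGES))
```

The design choice worth noting is that `scan` returns offsets and a masked sample rather than the matched string, so a finding can be routed to a reviewer without the scanner's own logs becoming a second copy of the sensitive data; the phone-number line shows why the Luhn check and the SSN area/group exclusions matter, since a naive digit pattern would flag benign messages and widen the privacy cost further.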
The retention of data is another issue under the ethics umbrella that will only get more attention in the foreseeable future, especially as more legislation addresses the storing and use of certain types of consumer data. The European Union’s General Data Protection Regulation set powerful new standards, followed by the California Consumer Privacy Act (CCPA). Now privacy advocates in California have placed a proposition on the ballot this fall that is seen as an extension of the CCPA and would expand the protections for the contents of Californians’ emails, texts, and chats; it would go into effect in 2023 if passed.
“I don’t believe the ethics picture can be complete without considering privacy and the responsibility to properly secure, manage and respond to cyber security risks,” says James Chappell, co-founder and chief innovation officer at Digital Shadows.
In a heated regulatory landscape, making sure data collection is done securely and ethically will require a much larger cooperative effort between data and security teams, who should be thinking now about how to work together.
“I personally would actively encourage Chief Data Officers to engage with existing teams or build out companywide security and privacy governance capabilities as part of their role,” says Chappell. “Just like any other part of a business, a data officer or ethics officer should be seeking to enable the business whilst helping to manage the risks.”