Professional Documents
Culture Documents
0815 - The Intersection of Data Privacy and Cybersecurity
0815 - The Intersection of Data Privacy and Cybersecurity
of Data Privacy
and Cybersecurity
How 125 Data, Privacy, and Cybersecurity Leaders
are Overcoming Organizational Challenges to
Empower Cyber-Secure Digital Transformation
The Intersection of Data Privacy and Cybersecurity
Contents
Click below to navigate
3 Executive
Summary
4 Methodology
10 Centralizing Data
Access and Control 13 Keeping Up with Data
Privacy Regulations
2
The Intersection of Data Privacy and Cybersecurity
Executive Summary
D
ata privacy and cybersecurity leaders in data governance, security, and
have risen to the top of corporate privacy teams.
agendas since the onset of the
In addition, with increasing volumes
global pandemic, fueled by the rapid shift
of data being stored and shared in the
to remote work and accelerating digital
cloud, many security leaders are seeing
transformation roadmaps. the benefits of centralized data access
In addition, public interest in data privacy and control.
is stronger than ever with tech giants like Compliance with fast-evolving data
Apple and Facebook engaged in a PR privacy regulations is also a top priority
war over their use of customer data. for data governance, security, and privacy
This report, conducted with our partners leaders, in order to avoid both financial
at Okera, summarizes our research into and reputational penalties.
how businesses are responding to these Alongside the survey results, we present
challenges. highlights from several top executives
Our findings show that digital who shared their views on the intersection
transformation initiatives are continuing of data privacy and cybersecurity, as well
as what they believe lies ahead. ■
apace and that providing secure access
to sensitive data is a key concern for
Key Findings
72%
have moved at least half of
The #1
benefit of centralizing data
their organization’s data to the authorization and control is
cloud ensuring data security at a fine-
grained level
70%
are either ‘very confident’ or
94%
see compliance with data privacy
‘extremely confident’ that they as a top priority
know where all their data is
located
45%
are not concerned about
Better
regulatory
penalties and fines due to non- compliance
compliance is the leading driver of data privacy
investments
3
The Intersection of Data Privacy and Cybersecurity
Methodology
T
his representative survey of 125 employees, and 61% having more
data privacy, cybersecurity and data than 10,000 employees. Participating
leaders was conducted in April and companies included: Home Depot,
May 2021. Travelers Insurance, Procter & Gamble,
Pfizer, and JPMorgan Chase & Co.
Respondents included Chief Data and
Analytics Officers, Chief Data Officers, We asked the respondents 15 questions
Chief Information Officers, Chief Privacy about how they are overcoming
Officers, Chief Information Security challenges to enable cyber-secure digital
Officers, and Business Information transformation, keeping up with data
Security Officers, as well as other privacy regulations, and ensuring secure
individuals of similar standing. data access and control.
The research focused on large The survey findings were then combined
companies in North America with 93% with commentary from ten industry experts
of respondents having more than 1000 to put these unique findings into context. ■
Contributors
Lydia Payne-Johnson
Director, Information
Sharon Bauer Security, Identity and Risk
Founder & Privacy Management,
Consultant, The George Washington
Bamboo Data Consulting University
4
The Intersection of Data Privacy and Cybersecurity
Foreword
E
nsuring data security and privacy scale data security. For example, all
is hard, and there seems to be no respondents have made investments
end to the string of major hacks and to comply with data protection laws. A
breaches making headlines. As I write mere 6% report that they focused only
this foreword, ransomware attacks on on a single privacy regulation such as
companies like JBS and Colonial Pipeline GDPR. The remainder are addressing
are front page news in the United States. multiple regulations, with an impressive
Only a few weeks prior, a ransomware 49% reporting a higher level strategic
group followed through on its threat to approach, in which they automate
release personnel files of the Metropolitan and standardize enforcement with
Police Department of the District of multiple laws.
Columbia. The examples are endless
Similarly, 70% report that they’re very
and unrelenting. Simply put, digital data
or extremely confident that they know
is stolen because it’s valuable, and the
where all their data is. This is highly
global supply of data is increasing
encouraging, because once companies
every day. know where their data is, they can
We all know and appreciate that manage it. Like everyone concerned with
governments at all levels have issued data security, we at Okera encourage a
guidance, orders, and regulations to zero-trust approach to data access and
reduce the frequency and mitigate the authorization. It may be counterintuitive
severity of cyber attacks. at first, but by locking down data by
default, it becomes easier for companies
When the European Union issued the
to feel confident using an automated
General Data Protection Regulation
data authorization platform like Okera to
(GDPR) in 2018, it demonstrated the
provision access to those who need it for
seriousness of data protection by
legitimate business purposes.
imposing fines up to 4% of revenue for
companies that failed to comply. Four We at Okera thank Corinium Intelligence for
percent is a huge number when you conducting this survey and for the fascinating
consider the investments companies follow-up interviews with front-line industry
make to reduce their tax burden. But experts. I hope you learn and enjoy the ah-
we have all heard about companies ha! moments as much as we did.
that are not worried about fines, so we No matter what software or processes
asked about it in this survey. The answers you employ, I wish that you, your
surprised us. The data indicates that many employees, customers and partners can
companies (45%) are indeed not worried always use data responsibly to achieve
about fines, but that doesn’t mean they’re your goals and accelerate innovation. ■
not worried about compliance. On the
contrary, respondents overwhelmingly
report (94%) that compliance is an
organizational priority, but their
motivations appear to be focused on
building trust with their customers and
partners. In other words, they’re looking at
compliance strategically.
Nong Li
Additional survey results indicate a Founder & CTO,
maturing and readiness for enterprise- Okera
5
The Intersection of Data Privacy and Cybersecurity
What percentage of your organization’s data has been migrated to the cloud?
Select one
40%
30%
26%
21%
20%
13%
10% 9%
10% 7%
4% 4% 3%
2%
0%
1-10% 11-20% 21-30% 31-40% 41-50% 51-60% 61-70% 71-80% 81-90% 91-100%
A
disgruntled employee uploads on behalf of data access and
customer data to a third- governance technology company “New innovations
party platform, triggering
the public naming and shaming of
Okera, shows that companies are
putting more of their data into the
have completely
your company. A cache of regulated cloud as they walk the path to digital changed our
data is left unencrypted on an open transformation.
server, creating a prime target for a In fact, 72% already have moved at
organizational
cyberattack.
While nightmare scenarios like
least half of their organization’s data
to the cloud. This has many benefits,
structure and what
these are enough to keep data such as the ability to conduct analytics we thought IT
privacy and cybersecurity executives
up at night, unfortunately, such
at speed, rapidly scaling artificial
intelligence and machine learning
security would be.
events are increasingly common.
Considering high levels of public
initiatives, and reducing capital
expenditure on hardware.
It’s a new world –
interest in data privacy and the rapid However, it also creates new everything’s moving
acceleration of digital transformation
roadmaps for enterprises, strong data
challenges, like how to ensure data
security at a fine-grained level and
to the cloud”
governance frameworks and effective how best to manage the thorny Rick Doten
cybersecurity are essential. question of data access and control – VP, Information Security at Centene
Our survey of 125 data privacy, especially by third parties. Corporation and CISO at Carolina
security, and governance executives Complete Health
6
The Intersection of Data Privacy and Cybersecurity
7
The Intersection of Data Privacy and Cybersecurity
Enabling Cyber-Secure
Digital Transformation
KEY FINDING
F
rom a data privacy perspective, the results of our transformation roadmap and ensure that data privacy and
survey of 125 security, privacy, and data executives security concerns are being considered.
are encouraging. They show that keeping up with “I created an IT security committee, which had
data privacy regulations was a key priority for executives stakeholders from Legal, HR, and Privacy,” says Reed.
as they facilitate cyber-secure digital transformation. “They felt that they had a stake in the game and that their
However, keeping up with data privacy regulations is not voices were being heard.”
their only concern. Our research shows that respondents Collaborating in this way was an essential part of building
are balancing other challenges too, like the potential for a digital transformation roadmap that prioritizes data
role bloat and policy complexity as they scale (50%), data privacy and security by design.
breaches, internal or third-party misuse of data (50%) and
“Don’t design it, bring it to them and then hope for
rogue datasets (43%).
the best,” concludes Reed. “Instead, make them part of
To face these challenges, privacy and security leaders the design phase so that they are actually helping you
need to develop a strong working relationship and come develop the program to meet the needs of both privacy
together early to develop a strategic roadmap to enable and security.”
cyber-secure digital transformation.
“It goes back to the age-old saying that you can’t
do privacy without security, and you can’t do security
without privacy,” says SecurRisks Consulting President
and Cybersecurity Consultant Marian Reed. “Most
organizations and most security programs are really
focused on deploying tools to make sure that the whole
network is protected without really understanding the
business or the data that’s involved.”
“It goes back to the age-old
She continues: “You have to look at the overall business saying that you can’t do privacy
risk and figure out what are the security components that
really make sense, and what do we need to deploy in without security, and you can’t
this organization to protect it? And you can’t do that if you
don’t have your privacy team at the table.”
do security without privacy”
One method of doing this effectively is to bring Marian Reed
key stakeholders together regularly to discuss the President & Cybersecurity Consultant, SecurRisks Consulting
8
The Intersection of Data Privacy and Cybersecurity
When Spinning up New Dealing with Internal Misuse regulated data being exposed online.
Services is a Problem of Data In April 2021, Experian, one of the
The potential for role bloat and Our research also revealed that the largest credit bureaus in the US,
policy complexity as they scale is a potential for misuse of data, either by unintentionally exposed the credit
leading concern for 50% of senior employees or by third parties, is a top scores of tens of millions of Americans
executives, according to our research. concern for half of data, privacy, and to anyone online who could supply a
name and mailing address.
“Things like role bloat and rogue security leaders.
datasets we have versions of in our In this case, poor API security meant
“When it comes to rogue datasets
on-premises environment, too. So, that the database could be queried
our biggest challenge from a security
most of those concerns are not brand directly, without requiring any kind of
perspective is not some hacker, it’s
new,” says Dan Power, Managing authentication. With more data sharing
the disgruntled employee who sits
Director of Data Governance Global between businesses and third parties
down the hall,” says Power.
Markets at financial services firm State taking place, it’s increasingly important
Street. “But they are bigger, and the He continues: “It’s a constant moving for businesses to share properly
velocity and the scale have changed.” target. Some new file sharing platform encrypted data through secure APIs.
comes up that an employee knows “Digital transformation has led to
The potential for bloat in the
about and suddenly they’re uploading a lot of APIs. So, API security is a
technology stack has been fueled
data to it and you don’t even know concern,” says Voya Financial SVP
by the explosion of software as a
until it’s too late.” and CISO Raj Badhwar. “We put a lot
service (SaaS). For enterprises with
multiple business functions operating Of course, internal, or third-party of focus on API security to make sure
across the US and internationally, this misuse of data need not necessarily that any API that is exposed externally
surge in the use of SaaS could cause be tied to malicious intentions. or internally or otherwise in the cloud
security and integration issues as well Negligence can also lead to private or environment is fully authenticated.” ■
as inefficient spending.
“What happens is that one person
doesn’t realize there’s another person What are your biggest concerns about enabling
on the other side of the company cyber-secure digital transformation?
doing much the same thing, but with a [select all that apply]
different vendor. And they don’t have a
way to communicate,” says Power. “The
initial expense of buying the license or
the subscription isn’t the problem. It’s 58%
seven or eight years later when you Ability to keep up with evolving
find out that you’ve essentially paid for data privacy regulations
the same solution repeatedly.”
9
The Intersection of Data Privacy and Cybersecurity
they have the tools they need to do it. Not at all confident Somewhat confident Very confident Extremely confident
10
The Intersection of Data Privacy and Cybersecurity
data security at a fine-grained level. This would allow Does your company take a zero-trust, least-privilege
all sensitive data to be managed by a tightly controlled, approach to secure data access?
centralized process, mitigating the dangers associated with [select one]
rogue datasets.
“Having a single pane of glass view into the overall
health, compliance, and auditing of your entire company
All or most of the time --
as well as its the applications and data – that that would be this is a guiding principle that
fantastic,” adds Equifax BISO Michael Owens. every data team is expected 64%
Other benefits that companies attribute to centralized to follow
data authorization and auditing include adoption of a
zero-trust policy for data access, improved customer
experiences, the ability to drive innovation, and create new
revenue opportunities.
Getting data into the hands of the right people is critical
to data-driven businesses. Our research suggests that
the benefits of centralized data access and control on Sometimes --
business drivers like improving customer experiences it varies project to project 29%
and enabling innovation are even more desirable
than conventional concerns like improving operational
efficiency and cost savings.
“I think that it certainly will help with business value,
automation and also more optimization of processes which
leads to greater efficiency and speedier delivery,” says
Voya Financial SVP and CISO Raj Badhwar.
Rarely or don’t know --
Adding value in this way helps security, privacy and
we haven’t formalized our
governance leaders to position investments into data approach to data access
governance and security as value-generating in themselves. governance 5%
“The security function generally is not a moneymaker. It
is commonly a cost center,” continues Badhwar. “So, any
added benefit that you can give to the business through
any kind of centralization optimization certainly is welcome.”
11
The Intersection of Data Privacy and Cybersecurity
Adopting a Zero-Trust If you could centralize data authorization and auditing across your
Approach to Data Access entire data ecosystem, how would your company benefit most?
[rank in order of biggest benefit]
Zero trust has become an
increasingly important priority for
security teams since the pandemic Ensuring data
began. This is largely due to the rapid security at a fine-
grained level
4.9
transition to working from home, as
the resulting pivot away from a ‘walled
garden’ approach to data security. Zero-Trust
policy for data 4.32
Our research shows that another
key benefit of centralizing data Improve customer
authorization is the ability to adopt a experiences and
4.2
zero-trust approach. However, while retention
64% of respondents reported that zero Drive business
trust was already adopted as a guiding innovation
principle all or most of the time, 29% and revenue 4.13
opportunities
have not yet implemented it uniformly.
Part of the problem is that overlaying Cost savings
a concept like zero trust on an existing
and operational
efficiency
3.81
security stack is no simple task.
Instead, many security leaders are Avoiding
regulatory fines
focusing on aspects of zero trust to for being out of 3.54
complement their existing framework. compliances
“You can’t just go buy zero trust. It Visibility into who
would be great if you could as it’s is accessing data
and when
3.1
such a broad, sweeping endeavor
with many nuances. The important
thing, however, is just to get started,”
says David Levine, VP of Corporate
and Information Security and CSO at
information management and digital
“There are lots of different aspects of [zero
services company Ricoh USA, Inc. trust], like multi-factor authentication and
“There are a lot of different aspects
to that, like multi-factor authentication micro-segmentation, which is even more
and micro-segmentation, which is
even more important now with the
important now with the proliferation of
proliferation of ransomware.” ransomware”
While a zero-trust approach is very
David Levine
different from traditional methods VP Corporate & Information Security, CSO, Ricoh
of looking at perimeter defense,
it all comes down to making sure
that only the people who need
access to particular applications
or environments have it. This is
particularly important for companies in
heavily regulated industries that hold
large amounts of sensitive data.
“We have databases that grow by
half a billion records a day so it can be
hard to keep your arms around all that
data and to give access thoughtfully,”
says Power. So, we’re prioritizing
investments based on simplifying
our infrastructure and making it more
resilient.” ■
12
The Intersection of Data Privacy and Cybersecurity
I “You take a
n January of 2018, California This is surprising as penalties, at least
became the first state to pass theoretically, can be extraordinarily
comprehensive consumer data
protection legislation in the US. Since
large. However, these concerns may
be mitigated by the belief that smaller,
reputational risk
then, several states have followed less prominent companies may not when you fall
suit, with several more bills currently
moving through their respective state
become the target of regulators. Or, if
they are targeted, that the fines will not out of regulatory
legislatures.
However, the lack of centralized,
be as significant. compliance. If you
The survey results strongly
federal regulations on data privacy suggest that companies take privacy lose customer trust,
in the US has created a regulatory
landscape that is not only fast-moving
regulations seriously. However,
interpreting this survey result
you can’t simply pay
but also fragmented.
These factors, as well as the
is somewhat difficult, as 31% of a fine to fix it”
respondents report not being worried
introduction of sweeping data privacy about fines specifically because they Raj Badhwar
regulations internationally, like GDPR are already in compliance. SVP and Global CISO, Voya Financial.
in Europe and POPIA in South Africa,
are likely driving data privacy up the Our findings hint that there may
list of priorities for businesses in the be reasons to seek compliance for
US. Our research shows that 94% reasons other than fear of being fined,
of data, security, and governance which is discussed next.
executives now consider meeting “It’s a business decision. If the fines
compliance requirements ‘very much are manageable, some companies
a priority’, or ‘an extremely important just budget that in,” says Rick Doten,
priority’. VP, Information Security at Centene
Interestingly, 45% of respondents Corporation and CISO at Carolina
reported they are not worried about Complete Health. “If it is more expensive
penalties or fines due to data privacy to do all this stuff to be compliant, then
regulations. they’ll just pay the fine.”
13
The
The Intersection
Intersection of
of Data
Data Privacy
Privacy and
and Cybersecurity
Cybersecurity
A New Focus on Reputational How much of a priority is compliance with data privacy for your
Risk organization?
Customer trust, once lost, can [select one]
be difficult to regain. Reputational
damage due to being non-compliant is 1% 5%
another reason for businesses to take Not at all a priority Somewhat of a priority
compliance seriously.
“You take a reputational risk when you
fall out of regulatory compliance,” says
Raj Badhwar, SVP and CISO at Voya
Financial. If you lose customer trust, you
can’t simply pay a fine to fix it. So senior
leaders are very worried about the
reputational risk.”
50% 44%
Very much a priority An extremely important
“There is naming and shaming priority
happening all the time by regulators
and the media,” adds Sharon Bauer, Are you worried about penalties or fines due to data privacy regulations?
Founder and Privacy Consultant at [select one]
Bamboo Data Consulting. “And more
recently by nonprofit organizations who 50%
are putting companies in the spotlight if
they abuse people’s privacy.” 40% 45%
In contrast, some privacy and security 30%
leaders are proactively using customer-
20%
31%
facing data privacy policies for positive
public relations. This approach is 10%
21%
particularly timely as the very public 3%
0%
conflict between two of the largest
Yes - because Yes - because we No - because we’re No - because we’re
technology companies in the world,
we’re not yet in don’t know if we’re not worried about in compliance
Apple and Facebook, plays out in the
compliance in compliance penalties or fines
media over their use of customer data.
due to data privacy
“We asked ourselves, how can we
regulations
create a strategic advantage out of
this regulation?” says Miguel Sanchez
Urresty, Chief Data and Analytics How is your company responding to the rapid expansion and evolution of
Officer LATAM at financial firm Principal. data privacy laws?
“If we are compliant and we can make [select one]
that public, we can increase customer
confidence in our company. For me, Strategically -- Minimally --
that’s going to be an advantage point we are automating and standardizing we focus only on GDPR (or another
for businesses in the future.” how we enforce compliance with all similar regulation)
data privacy laws
49% 45%
6%
Tactically --
we reproduce the work we invested
in one regulation to respond to new
regulations
14
The Intersection of Data Privacy and Cybersecurity
15
The Intersection of Data Privacy and Cybersecurity
I
n the past, some organizations treated privacy and risk and privacy risk programs to create an integrated
cybersecurity as siloed risk areas. Other organizations approach that supports business risk management,
experienced a ‘turf war’ between CISOs and CPOs over establishes realistic controls that support business
who should own the responsibility for data privacy. processes, and enables better investment decisions,”
However, the rapid escalation and increasing says Lydia Payne-Johnson, Director, Information Security,
sophistication of cyberthreats, the evolving regulatory Identity and Risk Management at The George Washington
landscape, and the acceleration of digital transformation University.
are highlighting the need for CISOs and CPOs to focus on “Thinking of privacy as a component of your overall
common objectives. security stack is what sometimes gets missed,” Payne-
“CISOs and CPOs need to align their information Johnson concludes.
“CISOs and CPOs need to align their information risk and privacy
risk programs to create an integrated approach that supports
business risk management, establishes realistic controls that
support business processes, and enables be#er investment decisions”
Lydia Payne-Johnson
Director, Information Security, Identity and Risk Management, The George Washington University
16
The Intersection of Data Privacy and Cybersecurity
Who in your organization authorizes the budget to Which of the following drivers have the biggest impact on
assure that confidential, personally identifiable, and investment decisions relating to the access and security for
regulated data is properly accessed and secured? confidential, personally identifiable, and regulated data?
[select one] [select up to three]
Better regulatory
CEO 5% compliance 54%
Improved business
CIO
21% efficiency 50%
17
The
The Intersection
Intersection of
of Data
Data Privacy
Privacy and
and Cybersecurity
Cybersecurity
data privacy and security technology is how the success
of those investments is measured.
Our research highlights the leading metrics that Utilization
organizations are using, including utilization, like the (number of users, 62%
number of permitted users and consumption patterns consumption patterns)
18
The Intersection
Financial
of Data
Services
Privacy
InfoSec
and Cybersecurity
Trends 2021
SUBSCRIBE NOW
! Follow us on LinkedIn
n’ Follow us on YouTube
!
19
The Intersection of Data Privacy and Cybersecurity
About Okera
Okera, the universal data authorization company, helps modern, data-driven enterprises
accelerate innovation, minimize data security risks, and demonstrate regulatory
compliance. The Okera Dynamic Access Platform automatically enforces universal
fine-grained access control policies. This allows employees, customers, and partners to
use data responsibly, while protecting them from inappropriately accessing data that is
confidential, personally identifiable, or regulated. Okera’s robust audit capabilities and
data usage intelligence deliver the real-time and historical information that data security,
compliance, and data delivery teams need to respond quickly to incidents, optimize
processes, and analyze the performance of enterprise data initiatives.
Okera began development in 2016 and now dynamically authorizes access to hundreds
of petabytes of sensitive data for the world’s most demanding F100 companies and
regulatory agencies. The company is headquartered in San Francisco and is backed by
Bessemer Venture Partners, ClearSky Security, and Felicis Ventures
20
The Intersection
Financial
of Data
Services
Privacy
InfoSec
and Cybersecurity
Trends 2021
We’re excited by the incredible pace of innovation and Read our white papers
disruption in today’s digital landscape. That’s why we
Follow us on LinkedIn
produce quality content, webinars and events to connect
our audience with what’s next and help them lead their Follow us on Twitter
organisations into this new paradigm.
Like us on Facebook
Find out more: www.coriniumintelligence.com
21