Recently, Government Technology Insider spoke with Malcolm Harkins, Chief Security and Trust Officer at Cylance, to examine the evolving focus on data privacy and protection in light of GDPR, the role of CIOs and CISOs in safeguarding personal information, and whether the U.S. needs a Federal Chief Data Privacy Officer.
Government Technology Insider (GTI): Today we welcome Malcolm Harkins, Chief Security and Trust Officer at Cylance, to look at one of the most critical issues of our time: data protection and privacy, and whether it’s high time the U.S. government named a chief data protection officer. Thanks for joining us, Malcolm.
Malcolm Harkins, Cylance (MH): Thanks for having me.
GTI: Malcolm, as we know, the European Union has now imposed the General Data Protection Regulation – GDPR – which applies to all businesses with customers in the EU if they capture personal data. GDPR also mandates that public sector agencies need to designate a data protection officer. Let’s start with some definitions. Malcolm, what is a chief data privacy or data protection officer?
MH: Well, a lot of organizations even in the United States already have a chief privacy officer and it’s basically somebody who’s responsible for ensuring the proper controls and policies are in place to manage the privacy of employees, users whether it is somebody visiting your website or a regular customer where you might have personal information. And that could include everything from an email address to other personal information like financial or health records.
GTI: Well, aren’t the CIO and CSO already doing this? Aren’t they in charge of data protection?
MH: You know it’s a great question. And in reality, most – borderline, probably, many – CIOs… their primary measurement is cost, functionality and improvements in the business processes of an organization using automation to do that. So, by and large, they’re not that measured on data privacy or, for that matter, in many cases security or broader data protection elements.
The CISO in most organizations reports to the CIO and has a primary focus around traditional information security from an IT perspective and that organizational boundary that is under the CIO. That doesn’t mean necessarily that they have the competencies or reach or scope to fully comprehend data privacy because there are nuances and there are a lot of differences. And again a lot of CISOs primarily focus on the protection of intellectual property-related items and that side of things and have hopefully a strong connection to the chief privacy officer, but sometimes they don’t because they’re organizationally separated in many organizations.
GTI: It seems like data privacy and data protection, when it comes to citizen information, comes under the heading of business risk issues. So how do privacy concerns reflect what’s good for the citizens as well as the stakeholders of the organization?
MH: That’s also a good question and this is where my perspective on risk probably differs from a lot of folks. There is definitely a business risk element: what’s the compliance risk, what’s the liability, what’s the cost, what’s the impact of not only putting the controls in place but also not putting the proper controls in place and that impact on, again the business or the organization.
But I tend to look at risk through three lenses and I think every chief privacy officer, every chief information security officer, and in fact even the enterprise risk managers who might look more broadly at other risk dynamics for an organization should look at risk through three lenses. What’s the risk to the business of the organization? What’s the risk to the customer? And then what’s the potential societal risk you might be creating through the development of technology, the implementation of technology, or not properly managing and mitigating the risks of the technology you’re using.
GTI: I’m wondering about how businesses prioritize that risk as we’ve seen in the news some businesses are thinking more about, “What can I do with this personal data,” as opposed to, “Should I be concerned with protecting it?”
MH: Well, there are a lot of organizations that have sprung up over the past 10-15 years, with the growth of the internet, social computing, and the whole economics of “free.” And when you’re getting something for free, you’re in essence the product because the organizations that are collecting and processing information on you, whether it be what you’re posting, what you’re sharing in terms of pictures, what you like and dislike… they’re selling advertising. They’re selling, in essence, you to organizations that want to market towards you. And so in many ways, the consumer has become the product and therefore the revenue stream of organizations.
So, naturally, in that business model, there’s a desire to collect more about Malcolm: Malcolm’s behaviors, his likes, his dislikes, what he writes in his emails, what he searches on the web, because that provides a richness for how to target market to Malcolm to sell him things.
GTI: One thing I find interesting is that in the face of GDPR, businesses are updating their worldwide privacy stances almost as a preemptive move. At the same time businesses have always resisted the idea of more government regulation. But is it time for federal regulation of privacy for businesses in the U.S.?
MH: I think it’s time for the U.S. to step back and think about the privacy laws that we have on the books today, which there are many, because each state in essence has their own, and decide as a nation should we have a level of harmonization to those data privacy laws so that way, it also makes it fiscally, as a company, easier to comply with privacy laws rather than trying to analyze 50 of them and figure out the appropriate way to navigate those. So I do think there is a step back in the thinking through the privacy laws that we have in the U.S. today, and if there’s opportunities for improvement that would improve not only business efficiency but also the effectiveness of the privacy regimes that organizations may have implemented.
GTI: So I’m wondering with businesses being online and having multi-state presences does this fall under the heading of interstate commerce?
MH: In many ways it does because whether you’re selling something online or you’re just using a Web site as a marketing connection that then has advertising and other things on the other side of it — but this is where the complexity comes in and understanding what is interstate commerce, what is as we were talking before security and data protection, and how do those things differ from a privacy perspective?
Again, one of the biggest fallacies people have around this is they think if they’ve got decent security they therefore have privacy, and that’s not true. The nuances of privacy are way more significant than just having your data encrypted or having access control. Or there’s another fallacy people believe: that if they have their data hosted in Europe, they’re compliant with GDPR, which isn’t true.
And so there’s a bunch of layers to this that organizations need to think about and recognize that you need good security to achieve privacy but they’re not the same thing. I’ve always thought of security and privacy like two magnets. When turned one way they’re perfectly binding and that’s the ideal state, because again you need good security to have privacy. But security can go too far. It can collect too much information, it can think that machine data is not personal data, which in some contexts, it is. And if it does that without thinking about the right data use limitations, the right controls around the collection and processing of that information, you’re actually increasing privacy risks, not necessarily reducing it.
Then there’s the case where privacy stays too academic, too ethereal, because privacy has its roots in the legal statutes, and that’s also what sometimes drives the organizational separation between security and privacy. And if privacy stays, again, not as connected to the practicalities of things, you end up starting to have people have this mental model: “I’m going to balance these things, I’m going to trade off between security and privacy.” And I think that’s the wrong mental model because you’re going to tilt toward security and you’re going to trade off people’s privacy, and what we’ve got to do is think again of these like two magnets, and, if either one of those magnets goes too far, it doesn’t necessarily cross the chasm to the other side. It’s like taking these two magnets and turning them, and when you do that, you’ve got the polarization that occurs.
That’s why I think a thoughtful understanding and a joining of security and privacy so that you’re focused on optimizing both of them, not trading them off — it’s a design and architectural challenge and a policy challenge but one that we have to strive for, not only in how we operate as companies but how we should think about the legal and regulatory aspects of this.
GTI: Malcolm, several agencies already have their own senior agency officials for privacy. In fact, that role has been around since the George W. Bush administration. But it hasn’t been mandated for every agency. Should it?
MH: Well, you know, to be honest, whether or not it’s officially mandated, I think the mandate is already there. Having some additional law or executive order declaring it, yeah, that might move the needle with some organizations, but this is where I go back to my earlier comments. You have the accountability and responsibility already. Don’t wait for somebody to put an additional statement out there. Go assess the risk to the organization, your customers, and society and live up to the expectations that are already there. You don’t need somebody to give you a written mandate to do what you should be doing already.
GTI: Well, there’s obviously a responsibility for government, whether it’s local, state, or federal, to protect its citizens. So how does all this work when you’ve got so many levels of people in charge of privacy and protection and so many conflicting needs?
MH: It’s a governance issue at the end of the day, whether it is in the federal and state area or in the private sector. You’ve got to think through, again, what you’re accountable and responsible for, not ignoring the business objective, right, the mission of the organization, but also recognizing, again, the privacy angle of this, the security angle of it, and the risk. I don’t think it’s impossible to go figure this out. It just takes a cross-organizational focus with the CIO, with the chief information security officer, with whoever is the chief privacy officer (and if you don’t have a chief privacy officer, go get the right legal counsel involved to help you interpret the privacy laws), and whoever’s in charge of broader enterprise risk, and systematically going and understanding those risk issues, and then putting the proper controls in place to manage and mitigate those risks. But also keep those controls, in essence, alive. It’s not a one-and-done issue. Things are constantly changing, they’re constantly evolving. And so you have to constantly have a level of not only transformational change in your controls in order to stay on top of the risk issues that continue to emerge, but also a focus on continuous improvement, and where you have excursions, go figure out not necessarily who the threat actor and threat agent was that breached an organization — that’s necessary for law enforcement, stuff like that. But, what control failed? And what can we do about that in order to drive a level of systemic risk reduction?
GTI: Malcolm any final thoughts on data privacy protection on a national level?
MH: You know the ethics of this I think are substantial, not only from the security perspective but the privacy perspective. We’ve already crossed a tipping point where anything and everything with power is becoming IP addressable. It’s computing, it’s communicating, it’s sensing, it’s monitoring. And unless we actually, again, evaluate the risk in terms of that societal responsibility we have, we’re going to under control and systemically grow risk like we have the past 10-15 years already.
The other thing that I think is interesting, when you put it in a different context, is to look at things from a historical perspective. Think back to the late 1800s, when Kodak first came out with, quote-unquote, the instant camera. Previously, before that instant camera, to take a picture of somebody, you really had to work at it. You had to be in a studio, you had to sit there, you had to pose. You not only had to give your consent, you had to cooperate a lot in order to get a good picture.
And, at that time, it was reported even in Britain, that they formed the Vigilance Association for the purpose of chasing down young men that were going with these “instant” cameras at that time, out to the seaside places to take snapshots of ladies emerging from the water. So, even then there was a worry about privacy. And, in fact, Samuel Warren and Louis Brandeis who later sat on the Supreme Court, pondered those developments with some level of alarm in a law article that they wrote, again, in the 1890s and they argued the right to privacy that technology was creating a new harm, because instantaneous photographs and newspaper enterprises had invaded the sacred precincts of private and domestic life.
And so, you know, it’s interesting to contextualize that from that time period to where we’re at today, with cameras and drones with cameras and CCTV everywhere and your Amazon Echo or other devices like that listening to you. So again, how do we grapple with that, how do we get in front of the technology evolution and think through the construct of privacy and security and the ethical dilemmas around that?
That’s where we should be putting some stronger effort. We’ve got to deal with today’s issues, but we’ve got to future-cast to where technology is going and think about the choices that we’re making, and figure out how to achieve not only the opportunities technology can create, but also live up to the obligation to do it right.