As businesses continue to transform digitally, privacy, security, and data teams are balancing priorities on multiple fronts
The results of our survey of 125 security, privacy, and data executives, conducted earlier this year, show that keeping up with data privacy regulations was a key priority for executives as they facilitate cyber-secure digital transformation.
However, keeping up with data privacy regulations is not their only concern. Our research shows that respondents are balancing other challenges too, like the potential for role bloat and policy complexity as they scale (50%), data breaches, internal or third-party misuse of data (50%) and rogue datasets (43%).
To face these challenges, privacy and security leaders need to develop a strong working relationship and come together early to develop a strategic roadmap to enable cyber-secure digital transformation.
“It goes back to the age-old saying that you can’t do privacy without security, and you can’t do security without privacy,” says SecurRisks Consulting President Marian Reed. “Most organizations and most security programs are really focused on deploying tools to make sure that the whole network is protected without really understanding the business or the data that’s involved.”
She continues: “You have to look at the overall business risk and figure out what are the security components that really make sense, and what do we need to deploy in this organization to protect it? And you can’t do that if you don’t have your privacy team at the table.”
One method of doing this effectively is to bring key stakeholders together regularly to discuss the transformation roadmap and ensure that data privacy and security concerns are being considered.
“I created an IT security committee, which had stakeholders from Legal, HR, and Privacy,” says Reed. “They felt that they had a stake in the game and that their voices were being heard.”
Collaborating in this way was an essential part of building a digital transformation roadmap that prioritizes data privacy and security by design.
“Don’t design it, bring it to them and then hope for the best,” concludes Reed. “Instead, make them part of the design phase so that they are actually helping you develop the program to meet the needs of both privacy and security.”
When Spinning up New Services is a Problem
The potential for role bloat and policy complexity as they scale is a leading concern for 50% of senior executives, according to our research.
“Things like role bloat and rogue datasets we have versions of in our on-premises environment, too. So, most of those concerns are not brand new,” says Dan Power, Managing Director of Data Governance Global Markets at financial services firm State Street. “But they are bigger, and the velocity and the scale have changed.”
The potential for bloat in the technology stack has been fueled by the explosion of software as a service (SaaS). For enterprises with multiple business functions operating across the US and internationally, this surge in the use of SaaS could cause security and integration issues as well as inefficient spending.
“What happens is that one person doesn’t realize there’s another person on the other side of the company doing much the same thing, but with a different vendor. And they don’t have a way to communicate,” says Power. “The initial expense of buying the license or the subscription isn’t the problem. It’s seven or eight years later when you find out that you’ve essentially paid for the same solution repeatedly.”
Dealing with Internal Misuse of Data
Our research also revealed that the potential for misuse of data, either by employees or by third parties, is a top concern for half of data, privacy, and security leaders.
“When it comes to rogue datasets our biggest challenge from a security perspective is not some hacker, it’s the disgruntled employee who sits down the hall,” says Power. “It’s a constant moving target. Some new file sharing platform comes up that an employee knows about and suddenly they’re uploading data to it, and you don’t even know until it’s too late.”
Of course, internal or third-party misuse of data need not be tied to malicious intent. Negligence can also lead to private or regulated data being exposed online.
In April 2021, Experian, one of the largest credit bureaus in the US, unintentionally exposed the credit scores of tens of millions of Americans to anyone online who could supply a name and mailing address. In this case, poor API security meant that the database could be queried directly, without requiring any kind of authentication.
With more data sharing between businesses and third parties taking place, it’s increasingly important for businesses to share properly encrypted data through secure APIs. “Digital transformation has led to a lot of APIs. So, API security is a concern,” says Voya Financial SVP and CISO Raj Badhwar. “We put a lot of focus on API security to make sure that any API that is exposed externally or internally or otherwise in the cloud environment is fully authenticated.”
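The weak pattern in the Experian case (a record lookup that answers anyone who supplies a name and address) and the remedy Badhwar describes (every exposed API fully authenticated) can be shown side by side. The following Python is an added illustration, not code from the article or from any of the companies quoted: the `Request` class, the record store, the signing key and the client id `partner-1` are all constructed stand-ins, and the HMAC bearer token is one simple authentication scheme chosen for the example, not the one any of these firms uses.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data keyed by (name, mailing address), mirroring the
# lookup pattern described in the article. Names and scores are invented.
RECORDS = {
    ("alice example", "1 main st"): {"name": "Alice Example", "score": 712},
    ("bob sample", "2 oak ave"): {"name": "Bob Sample", "score": 655},
}

# Placeholder server-side signing key; a real deployment would load this
# from a secrets store, never embed it in source.
SERVER_KEY = b"example-only-signing-key"


@dataclass
class Request:
    """Hypothetical minimal stand-in for an HTTP request (not a real framework)."""
    query: dict
    headers: dict = field(default_factory=dict)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint an HMAC-SHA256 signed bearer token for a registered API client."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": client_id, "exp": int(now + ttl)}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the client id if the token is well-formed, untampered and unexpired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        if claims.get("exp", 0) <= now:
            return None
        return claims.get("sub")
    except (ValueError, TypeError):
        return None


def _lookup(query: dict) -> Optional[dict]:
    key = (query.get("name", "").strip().lower(),
           query.get("address", "").strip().lower())
    return RECORDS.get(key)


def handle_insecure(req: Request) -> tuple:
    """Weak pattern from the article: the record is returned to anyone who can
    supply a name and mailing address. No credential is checked at all."""
    record = _lookup(req.query)
    return (200, record) if record else (404, {"error": "not found"})


def handle_secure(req: Request, audit: list, now: Optional[float] = None) -> tuple:
    """Hardened handler: a valid bearer token is required before any lookup.
    Rejections are written to the audit list so unauthenticated probing is visible."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    client = verify_token(token, now) if token else None
    if client is None:
        audit.append({"event": "auth_failed", "query": dict(req.query)})
        return 401, {"error": "authentication required"}
    audit.append({"event": "lookup", "client": client, "query": dict(req.query)})
    record = _lookup(req.query)
    return (200, record) if record else (404, {"error": "not found"})
```

The point of the pairing is that the two handlers share the same lookup; the only difference is that `handle_secure` refuses to touch the data until the caller has proven who they are, and it records every refusal so that a burst of `auth_failed` entries against one endpoint stands out in monitoring rather than going unnoticed "until it's too late."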