[Log In] []

Exploring the science and magic of Identity and Access Management
Thursday, April 26, 2018

GDPR: A Cost vs. Benefit Analysis

Privacy
Author: Mark Dixon
Tuesday, April 24, 2018
8:34 pm

GDPRvalue

With the May 25th enforcement date for GDPR looming before us, it is easy to focus on the huge investment companies are making in efforts to comply.  

However, an Information Week article authored by Dimitri Sirota, CEO and Co-founder, BigID, offers a brighter picture:

The International Association of Privacy Professionals estimates that Fortune’s Global 500 companies will spend roughly $7.8 billion in order to ensure they are compliant with GDPR – no small sum. Yet, viewing GDPR through the lens of compliance cost alone doesn’t reflect the broader change afforded by the sweeping regulation. Yes, there will be substantial cost association with operationalizing specific obligations inside the organization, but the benefits can be argued to far outweigh the investment.

Sirota proposes tangible business benefits arising from work towards GDPR compliance (selected excerpts are shown):

Understanding the customer

First and foremost, compliance efforts help companies better understand their customer by better understanding their data. If customers are the lifeblood of a modern digital business, then knowing customers’ data takes on commercial “life or death” urgency.

Cyber insurance and civil action savings

Companies mandated to comply [with GDPR], and those showing proof of compliance with these stringent regulations will likely see a significant reduction in annual cyber insurance costs. …

A hard rule on public disclosure is understandably daunting, but the role GDPR will play in helping companies better understand what data they have, its risk and how to protect it, will prove greatly beneficial to avoiding a breach all together.

Minimizing response costs

Through increased data visibility required for compliance, funds spent on determining who exactly was affected by a breach will be all but eliminated.

In conclusion, Sirota takes the optimistic view:

GDPR aims to provide better consumer accountability through better data accounting. Ultimately, this helps build trust between a company and its customers. However, in a very real financial way it also has economic benefit. The investments required to comply with GDPR equip companies to better protect themselves and better extract value from its customers. GDPR at first blush looks like a cost for businesses to incur. But dig deeper and you find it opens up new protections and value.

I am a fan of looking for business benefits of security and compliance beyond reducing risk.  I think the most important benefit that Sirota proposes is understanding the customer because of better understanding of their data.  I really like how he puts it:

Data is the new oil, and knowing exactly what kind of oil, how much and where it is running through the engine not only provides a vehicle to safeguarding data, but also a way to unlock value within that data and improve performance, in a private and secure way.

Thanks for the insight, Dimitri!

 

5 stages of data privacy grief

Privacy
Author: Mark Dixon
Monday, April 23, 2018
7:37 am

Do you want some tasty ice cream?  I think Tom Fishburne nailed the essence of why people put up with social media intrusion into their personal space.

Dataprivacy

 

Data Stewardship – Make Data Work

Information Security
Author: Mark Dixon
Friday, April 20, 2018
2:00 pm

Datasteward

Stewardship: “the management or care of something, particularly the kind that works.” (Vocabulary.com)

I think my favorite new term in the business vernacular is “Data Stewardship.”  I like how vocabulary.com emphasizes that good stewardship leads to things that work.

Extending the concept of stewardship to management of data, a recent article in AnalyticsIndia states:

One of the simplest definitions of data steward comes from the problem statement posed by authors Tom Davenport and Jill Dyché in their 2013 research study, ‘Big Data in Big Companies’:

“Several companies mentioned the need for combining data scientist skills with traditional data management virtues. Solid knowledge of data architectures, metadata, data quality and correction processes, data stewardship and administration, master data management hubs, matching algorithms, and a host of other data-specific topics are important for firms pursuing big data as a long-term strategic differentiator.”

The article defines four major areas of responsibility for a data steward:

  1. Operational Oversight
  2. Data Quality
  3. Privacy, Security and Risk Managment
  4. Policies and Procedures

The third area in this list strikes particularly close to home.  I like the fact that security and privacy are considered to be vital components of data stewardship.  I firmly believe they make data work (as vocabulary.com suggests).

 

Everyone is a spidergram now

Freedom, Privacy
Author: Mark Dixon
Thursday, April 19, 2018
12:46 pm

Has mis-use of surveillance and analytics technology become ingrained in our culture?  Not long ago, it was the NSA surveillance scandal the rocked our sensibilities.  Now Facebook and and Cambridge Analytics are in the forefront of public consciousness.  And what technology did Cambridge Analytica use to process the data taken from Facebook? Palantir – a data analytics company that claims “We believe in augmenting human intelligence, not replacing it.”

A somewhat chilling Bloomberg article, “Palantir Knows Everything About You,” the authors claim,

Peter Thiel’s data-mining company is using War on Terror tools to track American citizens. The scary thing? Palantir is desperate for new customers.

The article further explains:

Founded in 2004 by Peter Thiel and some fellow PayPal alumni, Palantir cut its teeth working for the Pentagon and the CIA in Afghanistan and Iraq. The company’s engineers and products don’t do any spying themselves; they’re more like a spy’s brain, collecting and analyzing information that’s fed in from the hands, eyes, nose, and ears. The software combs through disparate data sources—financial documents, airline reservations, cellphone records, social media postings—and searches for connections that human analysts might miss. It then presents the linkages in colorful, easy-to-interpret graphics that look like spider webs.

This leads to my favorite sentence from the article, “Everyone is a spidergram now.”

Imagine that you are at the center off a spidergram like the one for Peter Thiel, but that your relationships and connections are shown, not his. How would you like such information to be revealed? 

Thiel

How is it possible that a company founded to help protect citizens of the United States could mis-use technology to spy on the very citizens it was supported to protect?

I think the article got it right, “The scary thing? Palantir is desperate for new customers.”

In my observation, any mis-use of technology can be traced directly to the desire for money or power, and often both. If we want to understand the motivation behind such mis-use, just remember the famous words of Rod Tidwell (Cuba Goodiing, Jr.) in the film Jerry Maguire …

 

Keep your Personal Data Safe Online

Privacy
Author: Mark Dixon
Thursday, April 19, 2018
11:51 am

DigiMe

In the wake of the US Senate grilling Mark Zuckerberg about the Cambridge Analytics scandal, and as we move ever so quickly towards the May 25th date when the EU will begin enforcing the General Data Protection Regulation (GDPR), it is easy to focus on the responsibilities online companies have for implementing what GDPR calls “Data Protection by Design and by Default.”

All that focus is good, but we should not forget the responsibilities each person has for making sure their own personal data is safe. In her blog post today, Emma Firth of digi.me proposes “10 ways to keep your personal data safe online.”

Please take a few minutes to read Emma’s commentary, but here are the ten points she recommends:

  1. Be clear who can see what
  2. Have strong passwords – and don’t reuse them or write them down
  3. Take care not to post information that is often used as security questions 
  4. Don’t fall for dodgy or so-called phishing emails
  5. Be careful where you log-on – take care to disconnect from a session if using public computers
  6. Make sure your home wifi is password-protected
  7. Be wary about who you befriend online
  8. Beware what pictures and status updates on social media tell a potential criminal about you
  9. Be sensible and always have your wits about you

Thanks, Emma, for your insightful reminders.

And remember, in the words of Sergeant Phil Esterhaus (Michael Conrad) of Hill Street Blues fame …

 

Cyber Security as a Business Enabler

Information Security
Author: Mark Dixon
Thursday, April 19, 2018
11:28 am

Enable business

This morning, I reviewed a proposal for improving a company’s security against data breach.  The main reasons giving for the investment in security technology were:

  • Improve security posture
  • Reduce risk for internal and external data breach
  • Increase compliance reporting capability
  • Increase confidence by locking down data

These are all valid reasons for making the proposed investment, but shouldn’t there be more? Doesn’t good security support good business results in a positive way?

By happy coincidence, just before I reviewed the proposal, I read a thought-providing article, “Reframing Cybersecurity As A Business Enabler,” published by Innovation Enterprise.  The introductory paragraph states the obvious:

Innovation is vital to remaining competitive in the digital economy, yet cybersecurity risk is often viewed as an inhibitor to these efforts. With the growing number of security breaches and the magnitude of their consequences, it is easy to see why organizations are apprehensive to implement new technologies into their operations and offerings. The reality is that the threat of a potential attack is a constant.

But rather than dwelling on the problem, this article challenges traditional thinking:

Though the threat is real, instead of viewing cybersecurity in terms of risk, organizations should approach cybersecurity as a business enabler. By building cybersecurity into the foundation of their business strategy, organizations will be able to support business agility, facilitate organizational operations and develop consumer loyalty.

The article explores each of these three business value areas in more detail. I have included a brief excerpt in each area:

Security supports business agility

Instituting strong security measures enables organizations to operate without being compromised or slowed down. Companies that invest in cyber resilience will be better able to sustain operations and performance – a definite competitive advantage over those caught unprepared by an attack.

Security facilitates business productivity

One survey of C-level executives revealed that 69% of those surveyed said digitization is ‘very important’ to their company’s current growth strategy. 64% also recognized that cybersecurity is a ‘significant’ driver of the success of digital products, services, and business models. 

Security develops customer loyalty

PricewaterhouseCoopers’ 21st Global CEO Survey found that 87% of global CEOs say they are investing in cybersecurity to build trust with customers. 

I recognize the need for strengthening security defense mechanisms for the sake of risk mitigation. However, if we restrict ourselves to the traditional “security as insurance policy” mindset, we are missing the greater value of good information security in supporting positive business success. 

 

Artificial Intelligence – For Cows?

Artificial Intelligence
Author: Mark Dixon
Wednesday, April 18, 2018
11:45 am

Cows

Technology has come a long way since my time time growing up on a small dairy farm in Idaho. A recent AP News article asks: “Is the world ready for cows armed with artificial intelligence?

Answering its own question, the article observes:

No time to ruminate on that because the moment has arrived, thanks to a Dutch company that has married two technologies — motion sensors and AI — with the aim of bringing the barnyard into the 21st century.

The Dutch company, Connecterra  offers a system, “The Intelligent Dairy Farmer’s Assistant (IDA),” to monitor individual cows and predict how to deal with problems that may arise.

IDA uses a motion-sensing device attached to a cow’s neck to transmit its movements to a program driven by AI. The sensor data, when aligned repeatedly with real-world behavior, eventually allows IDA to tell from data alone when a cow is chewing cud, lying down, walking, drinking or eating.

Those indicators can predict whether a particular cow is ill, has become less productive, or is ready to breed — alerting the farmer to changes in behavior that might otherwise be easily missed.

Back in the day, my Dad knew each of his cows well, and called each of them by name.  However, modern dairies may have thousands of cows, not just a few dozen we had on our farm. Technology like IDA can really extend the ability of a dairy farmer to maximize production from all of the cows.

It does my heart good to see AI and IoT technologies applied to boost agribusiness.

 

Which Came First: Harvard or Calculus?

History
Author: Mark Dixon
Tuesday, April 17, 2018
8:37 am

Harvard

History often plays interesting tricks in my mind.  For some reason, I had just assumed that calculus had been around far longer than any institution on this side of the proverbial pond.  But no – Harvard University was founded in the United States in 1636, several years before Isaac Newton and Gottfried Wilhelm Leibniz developed the foundations of calculus.

A Harvard University article, “Which Came First: Harvard or Calculus?”, published last year, confirmed this interesting bit of history.

 

Security and ROI?

Information Security
Author: Mark Dixon
Monday, April 16, 2018
9:49 am

Meeting2

Justifying investment in security technology is tough. Because it is difficult to measure ROI for Security controls, many companies justify security investments in terms of risk reduction.

Recognizing this difficulty, Slavik Markovic, CEO of Demisto, proposes “10 best practices for bolstering security and increasing ROI.” He introduces the topic in part, with this statement:

CISOs are being asked to provide proof that the money spent [on security] — or that they are asking to be spent — will lead to greater effectiveness, more efficient operations or better results.

Rather than proposing a specific ROI calculation method, Markovic recommends taking a more holistic approach to the problem.  His recommended 10 best practices are:

  1. Articulate the purpose.
  2. Dovetail with other projects
  3. Automate and orchestrate
  4. Create an integration plan
  5. IT and security synergy
  6. Leverage analytics
  7. Start small
  8. Go beyond compliance
  9. Shoot straight
  10. Measure and course-correct

I recommend that you read the commentary supporting each best practice.

Two of these recommendations entail leveraging technology to expand the expertise and capabilities of security professionals, rather than relying on just hiring more expensive staff:

3. Automate and orchestrate. Strive for security orchestration and process automation. The current threat landscape is vast, complex and constantly changing. Even a well-staffed security operations center cannot keep pace with the volume of alerts, especially with the ever-increasing number of duplicates and false positives. Use automation for threat hunting, investigations and other repetitive tasks that consume too much of analysts’ time.

6. Leverage analytics. Adopt advanced analytics. Machine learning and artificial intelligence are delivering truly innovative solutions. CISOs should research these two fields carefully to determine which analytics tools best fit their agencies, taking into account the organization’s strengths and weaknesses related to skills, personnel and risks.

I like the way Markovic looks broadly at how to justify security investment.  Security, after all, touches almost every aspect of modern business, and is strategically vital to business success.

 

Bermuda Personal Information Protection Act

Privacy
Author: Mark Dixon
Monday, April 16, 2018
9:07 am

When I give a presentation about the Global Data Protection Regulation (GDPR), someone usually asks how long it will be before the United States has a similar regulation?  I really don’t know, but the Senate Facebook hearings last week show that the topic is certainly on the minds of our elected leaders.

Bermudaflag

Another strong indicator that a US regulation is forthcoming is the emergence of “GDPR-like” regulations in other countries.  For example, the article “A paradise for data privacy advocates – Bermuda’s privacy law now in full effect,” states:

With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. 

Regulations such as this will put pressure on the US to act, in order to facilitate economic interaction with other countries:

Unless and until the United States passes an overarching privacy statute providing comparable levels of protection over the use of one’s personal information, including for non-US Persons, it is unlikely that the Privacy Commissioner will allow for the free flow of personal information between Bermuda and the United States.

A concluding statement

Ultimately, the trend towards greater privacy protections—and the limitation on cross-border data transfers, especially to the United States—is only picking up steam, as this Bermuda law highlights. And more may still be to come.

How soon do you think the United States will act?

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.