We’re almost through the first month of January, can you believe it? The New Year always seems to spur New Year’s resolutions and organization frenzies. Add in COVID-19, and Marie Kondo’s TV series and book must have gone through the roof! For those of you that haven’t heard of her, Marie Kondo is a Japanese organization whiz and recommends pulling everything out of your closet and drawers, assessing what you have, and putting back what you love or that “spark joy”.
What does this have to do with data privacy?
I’ll get there, I promise.
Data privacy isn’t just about keeping sensitive information private. It’s about understanding what data you have (whether it’s structured or unstructured), where it is, and any risk associated with it. How do you decide what to keep? Or what’s important? It’s complicated, and the process of figuring it out can be daunting (and I think we’ll need a bit more help than “does it spark joy”).
This week’s Reimagining Cyber episode, “How data privacy drives business outcomes,” with guest Greg Anderson, Vice President and Chief Privacy Officer for E.W. Scripps Company, tackles this conundrum and also sheds light on the shift of data privacy from data governance to driving business outcomes.
Driving Business Outcomes and the Data Privacy Train – All Aboard!
When creating a data privacy plan, everyone has an opinion – from execs to IT. To get everyone on the same page, Anderson recommends approaching it from the top-down and bottom-up.
“There really has to be buy-in and support from the highest levels of the organization, so the message is repeated, reinforced, that what you're doing is important and has true meaning across the organization,” he says.
“Then from the bottom-up, you really have to win the hearts and minds of the individual contributors,” Anderson continues.
He recommends managers be social (even in these virtual times).
“Get to know the folks that are out there, what their jobs are, what they're doing, how it can contribute or be impacted by what you're trying to do.”
Also, he offers this sage advice:
“Treat the program like a marketing campaign… brand your program and really make that work for you.”
He suggests gamification, buying pizza, stickers, challenge coins, whatever it may be so that when an issue does arise (and we know it will), people tie privacy back to you and your team.
Lastly, he recommends getting to know your DevOps team.
“Really understand what they're trying to accomplish, what the roadmaps look like, get involved in stand-ups, understand what dev cycles look like, and what it takes to make changes and shifts in what they're trying to do so you can work well with them and accomplish what you need to accomplish.”
Don’t Let Your Data Lakes Become Data Swamps
Purpose and context can drive data privacy practices. To add business value:
“Think of the requirement to understand the purpose in the context as an opportunity, as opposed to a burden. I think there can be some real value add to the business,” he says.
Historically, the thinking was to grab all of the data, but by truly having a discipline around data and only collecting what is important, you no longer are searching for a needle in a haystack.
There Is No “I” in Team
Data privacy is complicated. It’s technical, involves legal and security (amongst other departments). Each group views privacy through a different lens. By bringing everyone in, using common vernacular, and getting everyone on the same page, you break down internal siloes, re-enforce business alignment, and drive business outcomes.
Also, by coming together as a group, it allows security leaders to understand the business from different angles and get ahead of any issues that arise.
“I go to multiple stand-up meetings every month. Every quarter, I go to IT All Hands meetings. I go to business division leader Monday morning stand-ups with a lot of frequency, even when I don't have anything to say, even if I'm not being invited for a particular purpose so I can hear what's going on out there, right, so I can understand what people are doing across the business, so you can get in there early,” Anderson says.
We’re left with Anderson’s wise words, “It's a heck of a lot more expensive and more time consuming to fix it after the fact, then if you can apply it at the beginning.”
How have you structured your data privacy strategy? Share below!
Give it a listen, and let me know what you think. Log in or register to comment below.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.