How cloud security, data privacy, and cybersecurity convergence drives successful careers
Washington State is implementing major data privacy legislation to protect consumer health data. The My Health My Data Act grants people the right to access or delete their health data, or to withdraw consent to its collection, sharing or sale. It includes express consent requirements and other privacy requirements.
This is the latest in a string of privacy-related laws passed in various states, countries and regions. Such laws have everything to do with cybersecurity. Security professionals are increasingly tasked with ensuring that data remains secure and is gathered, stored, and deleted in accordance with applicable privacy rules.
The evolution of privacy and compliance
Compliance and privacy regulations are evolving. Rules such as PCI and HIPAA were primarily oriented toward protecting your data in your environment. They provided prescriptive recommendations, such as encrypting data at rest. Modern privacy regulations have a different orientation. They lay out the types of data with privacy implications, such as personally identifiable information (PII) and protected health information (PHI), and tell you that if you lose or abuse it, you will face steep fines. The recent wave of privacy laws tends to be less prescriptive about what you do to protect data and privacy. Instead, they leave it up to you to figure out how to put the right controls in place to comply with the regulations.
This is bringing about a shift in emphasis within the security industry. It is no longer all about detecting, excluding and remedying malicious traffic. Verification of identity is now an essential element to safeguard endpoints and infrastructure often situated outside of the data center. As part of this, IT is tasked with ensuring that user data is stored and used responsibly and that privacy needs are respected.
“Customers will want to do business with you because you are responsible, have the right controls in place and that you are making sure that only authorized entities see the data,” said Ameesh Divatia, CEO of cloud data protection company Baffle. “Privacy is not just good business; it’s also good for business.”
Privacy know-how broadens career potential
Those about to enter the workforce and those seeking to maximize their earning potential often wonder about the key learning areas they should pursue to assist with career advancement. The powerful combination of skills at the intersection of data privacy, data security, and cloud security will likely be a significant future asset in the job market.
Knowledge of privacy regulations, security technologies and the cloud will put you directly in the center of an expanding field. Instead of a privacy person on the team saying not to do this or that, or an IT person implementing security solutions without a full grasp of the privacy implications, the truly valuable people will be those who can view security, privacy and the cloud holistically.
As the implementation of controls is very different depending on whether they are on-prem or in the cloud, Divatia urged people to obtain privacy certifications as a good way to understand what they’re protecting and how to ensure data protection in an increasingly cloud-based world. That can assist in bringing security into the conversation much earlier. Security should be built into applications, not bolted on.
The current focus tends to be on privacy controls limited to detecting and preventing data exfiltration. That is too late in the process. It is better to start at the beginning of the pipeline by encrypting data as it is created and tokenizing it as it goes in to make it fail-safe.
Privacy and usability balance
Privacy is more vital than ever in today’s world. However, privacy controls should not get in the way of usability and efficiency. One way to achieve this is to understand what data is public and what is private. For example, a car’s license plate number is viewable by anyone. Adding privacy controls to such information is unnecessary, increases system costs, and can inhibit overall functionality and performance. However, the identities and addresses associated with those license numbers are private and must be kept so.
Divatia said that we must take care in system creation to ensure the requirements for privacy and usability are balanced correctly. Protect privacy completely where needed, and get rid of data that you have no business collecting or that is no longer needed.
Those that get it right can look forward to an improved image, better customer goodwill, and a growing market share.
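As an added illustration (not code from the interview or from Baffle), the sketch below shows the tokenizing half of the "protect data as it enters the pipeline" idea, applied to the license plate example: the public plate passes through untouched, while the owner's name and address are replaced with keyed tokens at ingest. The field names, the `TokenVault` class and the sample record are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed classification for this example: the plate is public, the owner's
# identity and address are private (the split the article describes).
PRIVATE_FIELDS = {"owner_name", "owner_address"}


class TokenVault:
    """In-memory token vault (hypothetical; a real vault is a separate, access-controlled service)."""

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}  # token -> original value

    def tokenize(self, field: str, value: str) -> str:
        # Keyed, deterministic token: equal inputs give equal tokens, so joins
        # and lookups still work, but the value is only recoverable via the vault.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:32]
        self._store[token] = value
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        # Only authorized callers get the original value back.
        if not authorized:
            raise PermissionError("caller is not authorized to see this value")
        return self._store[token]


def ingest(record: dict, vault: TokenVault) -> dict:
    """Tokenize private fields as the record enters the pipeline; pass public ones through."""
    return {
        k: vault.tokenize(k, v) if k in PRIVATE_FIELDS else v
        for k, v in record.items()
    }


# Constructed sample record, not real data.
SAMPLE = {"plate": "ABC1234", "owner_name": "Jane Doe", "owner_address": "1 Example St"}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    stored = ingest(SAMPLE, vault)
    print(stored)  # what downstream systems, logs and backups would hold
    print(vault.detokenize(stored["owner_name"], authorized=True))
```

Because only tokens leave the ingest step, a copy of the stored records taken further down the pipeline exposes plate numbers but not the identities tied to them.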
Privacy as a competitive differentiator
Data privacy programs are not just about complying and checking the box to ensure you did all the right things and that no one can come after you. They are about embracing the right security paradigms to do better and look better than your competitors. Customers want to do business with you because you are responsible and have the right controls in place to make sure that only authorized entities see their data. Thus, sound knowledge of cybersecurity, the cloud and data privacy can become a competitive differentiator.
Watch the full episode of Cyber Work with Ameesh Divatia of Baffle on the Infosec website.