Wait, We Can Prioritize Data Privacy Before an Incident?

Gathering more information about existing and potential customers is critical to marketing and sales. However, the chronic collection and retention of all that personal data has begun to raise privacy red flags. In general, businesses won’t make expensive changes to infrastructure or procedures just on principle (e.g., “we should protect others’ privacy”). To rectify this, CISOs must find a business reason to make these changes before an incident occurs. Where should the conversation start?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Amy Steagall-Hess, CISO, Stanford University. Joining us is Michael Tran Duff, CISO, data privacy officer, Harvard University.

(From L to R) David Spark, CISO Series, Amy Steagall-Hess, CISO, Stanford University, and Michael Tran Duff, CISO and data privacy officer, Harvard University

This episode was recorded in front of a live audience at Stanford University as part of their annual Cyberfest event. Check out all these photos from the event.

Turning a mirror on zero trust

Are we not going far enough when we apply zero trust principles? Andy Ellis recently argued in a piece for CSO Online that we need to turn zero trust on our internal IT systems, particularly administrative software used by security teams. These internal tools should operate without inherent trust in the organization's ecosystem, but is that feasible? In environments like academic institutions, achieving complete zero trust is impractical due to the need for flexibility and collaboration, contrasting this with stricter contexts like the Department of Defense. Zero trust is a critical framework, but it is a gradual, long-term endeavor that could take years to achieve fully. Zero trust is valuable but challenging to implement in varied settings, especially where collaboration is essential.

Is AI coming for our jobs?

AI's impact on cybersecurity jobs is an open question. A recent cybersecurity subreddit post wondered aloud if AI could eventually replace a significant portion of roles due to its ability to perform cognitive tasks more cost-effectively and continuously. While there’s no doubt this technology will reshape what work looks like, AI can enhance productivity by helping cybersecurity teams manage repetitive tasks, such as contract reviews and incident response. This will enable professionals to focus on more strategic and technical work. While AI brings efficiency, human oversight remains essential, especially given the complexities of cybersecurity.

Responding to skepticism about CISOs

Because CISOs serve as the bridge between the business and their cybersecurity teams, some CISOs encounter skepticism over their capabilities, facing stereotypes or imposter syndrome. A recent cybersecurity subreddit post pegged them as technical micromanagers or underqualified buzzword speakers. These experiences can lead to self-doubt, compounded by personal insecurities and external biases, which many CISOs confront in environments where they feel their authority or expertise is questioned. Building confidence comes from accepting that leadership is about wisdom and openness rather than knowing everything. CISOs can’t be "the expert in the room"; it’s not their job. This ongoing journey is supported by mentoring, training, and embracing feedback, strengthening a CISO’s leadership presence and reinforcing their confidence in high-stakes situations.

A CISO at the crossroads?

The federal government’s progress toward a comprehensive privacy law remains uncertain, with the American Privacy Rights Act stalling despite state-level privacy regulations building momentum. Apu Pavithran, CEO of Hexnode, suggested on Dark Reading that businesses prepare now by creating robust data protection plans and considering a dedicated data protection officer, aligning privacy efforts with global standards like GDPR. While it can be easy to see privacy as a compliance requirement, it's fundamentally about ethics and responsible stewardship of personal data. This puts the CISO at the intersection of privacy and security. There are two general approaches to this: combine them into a unified "PrivSec" program, or split privacy and security into separate functions to prevent conflicts of interest and foster specialized expertise.

Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to Tim C. of Stanford University, Jonathan Rodriguez of Cyversity, Louw S. of Harvard University, and Biniam Debrezion, CISA, CISSP, CISM of Stanford University for their questions during the show. Thanks to Vorlon and Wiz.

Listen to the full episode.

Huge thanks to our sponsors, Vorlon Security and Wiz


Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.


Biggest mistake I ever made in security…

"Two big mistakes in one shot. Issuing a mandate without consultation, 2013, here at Stanford. We were working on this big initiative that affected all the faculty. I failed to consult the faculty, and worse yet, we called it a mandate. So, I failed to anticipate the reaction that would have, but the good news is we were able to work closely with the faculty and make adjustments to the program." - Michael Tran Duff, CISO, data privacy officer, Harvard University

Listen to the full episode of "Wait, We Can Prioritize Data Privacy Before an Incident? (LIVE at Stanford)."


How Are New SEC Rules Impacting CISOs?

"This role is in flux. CIOs and CISOs have wanted to be elevated from a leadership perspective for many, many years, and the CISO is now being elevated in terms of importance, in terms of visibility, and in the US in terms of liability. And it’s one of those things, be careful what you wish for because you just might get it." - Allan Cockriel, group CISO, Shell

Listen to the full episode of "How Are New SEC Rules Impacting CISOs?"


Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines Newsletter - Every weekday


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Brett Conlon, CISO, American Century Investments. Thanks ThreatLocker.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker


CISO Series Podcast LIVE in Dallas, TX (11-14-24)

The CISO Series Podcast will be rustling up some fun, heading down to Texas for another fun live recording!

We’re recording a podcast episode at DataSec Conference 2024. Joining me on stage for the recording will be Rinki Sethi, VP and CISO, BILL, and Lamont Orange, field CISO, Cyera. Here’s everything you need to know:

WHERE: Kimpton Pittman Hotel, 2551 Elm St, Dallas, TX 75226 (MAP)

WHEN: November 14, 2024. The event runs from November 13 through 14.

This event is invitation-only for qualified CISOs, CIOs, CTOs, CDOs, cybersecurity VPs, Data Security Architects, and Data Privacy Leaders. Register to attend HERE.

HUGE thanks to our sponsor, Cyera


Join us NEXT Friday [11-22-24], for "Hacking E-Crime Trends"

Join us Friday, November 22, 2024, for “Hacking E-Crime Trends: An hour of critical thinking about staying on top of an ever-evolving threat landscape.”

It all begins at 1 PM ET/10 AM PT on Friday, November 22, 2024, with guests Jason B., principal security consultant, GuidePoint Security, and Howard Holton, CTO and industry analyst, GigaOm. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Register

Thanks to our Super Cyber Friday sponsor, GuidePoint Security


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.


Jonathan Rodriguez

Emerging GRC Expert

2 weeks

David Spark It was great meeting the person behind the mic. Love your podcast and thank you for taking my question. Keep up the amazing work!