The Cyber Asset Playbook for Data Privacy in the Enterprise
Data privacy is an enterprise priority that is getting renewed C-suite attention. Senior executives increasingly, and rightly, view data privacy as a major compliance and risk-management concern and a shareholder priority. There is even a global Data Privacy Day, every January 28, to underscore the issue's importance. This is all welcome attention for something increasingly governed by the GDPR and a growing list of other privacy regulations.
As top executives work to ensure data privacy at the macro level through enterprise policy and C-suite decision making, let’s take a look in this post at data privacy through the lens of the engineers and technologists – those charged with putting the mandate for data privacy into practice every day at the systems and cyber asset management levels of an organization.
Visibility is Just the Beginning
The technologists, administrators and business users who work daily in the trenches with personally identifiable information (PII) and other sensitive data need a reliable strategy for the countless cyber asset decisions that will determine how well this data remains protected as it gets manipulated, shared and stored in the enterprise. The goal is to ensure agility and reap maximum benefit from such information without running afoul of regulations or consumers’ trust in the organization to keep such data protected.
As with any cyber asset management challenge, clear visibility into all systems and assets is key. But especially in the case of data privacy, visibility is just the beginning. Companies cannot ensure compliance and data security unless they have control, as well as visibility, around cyber assets. Awareness, inventory and general visibility of assets and users represent just one part of the puzzle. For proactive management, issue resolution and decision-making around sensitive data, you must also be able to configure and control assets through multiple lenses such as industry compliance, product regulations and policy legislation.
For any system that deals with PII, the way that system is architected, supported, audited, managed and secured must adhere to a formalized framework that ensures privacy compliance. That framework, in turn, will be shaped by classification and tagging of assets based on characteristics such as the sensitivity of that data; who is authorized to see it; the nature and levels of regulation the data are subject to; and the fines or consequences tied to non-compliance. A reporting function is also needed since, in many cases, the ability to document compliance can be a regulatory requirement in and of itself (for instance, traceability compliance in supply chain).
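The classification-and-control idea above is easier to see in code. The following is an added example written for this post, not code from the original article or from any product it describes: each inventory record carries the tags the text lists (sensitivity, governing regulations, authorized groups, storage region), a small rule set expresses what each "lens" requires, and the evaluation produces the per-asset findings and per-lens totals that an auditor would ask to see. The rules, thresholds and the EU-residency requirement are illustrative internal-policy assumptions, not statements of what any regulation mandates, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One inventory record carrying the classification tags the text describes."""
    name: str
    sensitivity: str                 # "public", "internal" or "pii"
    regulations: FrozenSet[str]      # regimes the data falls under, e.g. {"GDPR"}
    authorized_groups: FrozenSet[str]
    region: str                      # storage location, e.g. "eu-west-1"
    encrypted_at_rest: bool
    audit_logging: bool
    retention_days: int              # 0 means "kept indefinitely"


# Each rule: (lens, rule id, applies-to predicate, compliance predicate).
# Thresholds and the residency rule are illustrative internal-policy
# assumptions for this example, not what any regulation literally requires.
Rule = Tuple[str, str, Callable[[Asset], bool], Callable[[Asset], bool]]

RULES: List[Rule] = [
    ("sensitivity", "pii-encrypted-at-rest",
     lambda a: a.sensitivity == "pii", lambda a: a.encrypted_at_rest),
    ("sensitivity", "pii-audit-logged",
     lambda a: a.sensitivity == "pii", lambda a: a.audit_logging),
    ("sensitivity", "pii-no-broad-access",
     lambda a: a.sensitivity == "pii", lambda a: "all-staff" not in a.authorized_groups),
    ("regulation", "gdpr-eu-residency",
     lambda a: "GDPR" in a.regulations, lambda a: a.region.startswith("eu-")),
    ("regulation", "gdpr-bounded-retention",
     lambda a: "GDPR" in a.regulations, lambda a: 0 < a.retention_days <= 730),
]


def can_access(asset: Asset, user_groups: FrozenSet[str]) -> bool:
    """Control, not just visibility: a user reaches an asset only via an authorized group."""
    return bool(asset.authorized_groups & user_groups)


def evaluate(asset: Asset, rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    """Return the failed rule ids for one asset, grouped by lens (empty dict = compliant)."""
    failures: Dict[str, List[str]] = {}
    for lens, rule_id, applies, passes in rules:
        if applies(asset) and not passes(asset):
            failures.setdefault(lens, []).append(rule_id)
    return failures


def compliance_report(assets: List[Asset], rules: List[Rule] = RULES) -> dict:
    """The documentation an auditor asks for: per-asset findings plus totals per lens."""
    findings = {a.name: evaluate(a, rules) for a in assets}
    by_lens: Dict[str, int] = {}
    for per_asset in findings.values():
        for lens, ids in per_asset.items():
            by_lens[lens] = by_lens.get(lens, 0) + len(ids)
    return {
        "assets": findings,
        "non_compliant": sorted(name for name, f in findings.items() if f),
        "failures_by_lens": by_lens,
    }


# Constructed sample inventory for this example; these are not real systems.
SAMPLE_ASSETS = [
    Asset("crm-db", "pii", frozenset({"GDPR"}), frozenset({"sales", "support"}),
          "eu-west-1", encrypted_at_rest=True, audit_logging=True, retention_days=365),
    Asset("marketing-export", "pii", frozenset({"GDPR"}), frozenset({"all-staff"}),
          "us-east-1", encrypted_at_rest=False, audit_logging=False, retention_days=0),
    Asset("public-site-assets", "public", frozenset(), frozenset({"all-staff"}),
          "us-east-1", encrypted_at_rest=False, audit_logging=False, retention_days=0),
]

if __name__ == "__main__":
    import json
    print(json.dumps(compliance_report(SAMPLE_ASSETS), indent=2))
```

Run as a script it prints the report as JSON: `crm-db` and `public-site-assets` come back clean, while `marketing-export` fails all three sensitivity rules and both GDPR rules. The point of the structure is that adding a new lens (a product regulation, a new jurisdiction) means appending rules keyed on tags, not re-auditing every system by hand; the inventory tags are what make the report reproducible.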
Designing for the Unknown: How to Future-proof the Organization for Privacy Compliance
Data privacy is an enduring requirement, even though enterprise systems are constantly changing. How do we keep data privacy protected as we introduce new systems, technologies and workflows? The answer is to adopt a cyber asset management perspective on data privacy that mirrors the "design for the unknown" ethos familiar to software developers.
Developers design for the unknown by building code and systems around stable interfaces, abstractions and open standards, so that technologies not yet chosen can be added later without rework. The same mindset applies to data privacy protection, with a robust cyber asset management strategy serving as the single reference for consistent standards and protection of data as enterprise systems evolve. This also makes it easier to "scale to the unknown": keeping PII and other sensitive data protected even as a company grows into bigger and more complex multi-cloud IT systems.
This future-proofing strategy should place heavy emphasis on embracing standards and best practices for interoperability. In the authentication realm, for instance, the FIDO Alliance publishes interoperability standards (FIDO2, built on W3C WebAuthn and CTAP) for phishing-resistant, passwordless authentication, including authenticators that verify the user with a biometric that never leaves the device. Data managers should stay up to date on these and other industry-leading standards, paying special attention to the cyber asset management best practices that undergird them.
The above are just a few of the components involved in a solid, on-the-ground IT strategy to ensure data privacy and security for organizations now and in the future. These and similar efforts to bring enhanced clarity and control to cyber asset behaviors and the privacy factors impacting them will allow the organization to make more informed, compliant and business-relevant decisions around sensitive data.