A CISO’s Perspective on Data Governance, the CCPA, and the Future of Privacy

The global health crisis is causing some companies to delay implementing an effective privacy program. But now more than ever, companies must protect data because privacy is as much about customer experience as it is about privacy itself. EVOTEK’s Chief Information Security Officer Matt Stamper weighs in on the most pressing questions regarding California’s groundbreaking privacy law.

The CCPA is the first major US privacy legislation to be enforced in the wake of the GDPR. Tell us what the CCPA means for businesses at a high level.

The largest challenge for organizations addressing the CCPA, or any other privacy regulation, is that they will need to assess data governance practices (e.g., data classification, data handling, data protection) and determine whether they are under-tooled or inadequately documented. Organizations need to know what type of information they collect, how it is used internally, and with whom they share this information, so they have the adequate procedures in place. This will ensure the consumer is appropriately engaged in the process beginning with the privacy notice, how they manage consent, and the broader privacy lifecycle.

Too frequently, there are important disconnects between stakeholders within the organization. Sales and marketing don’t typically communicate with privacy or security teams, and this lack of coordination exposes the organization to legal, privacy, and security risks.

Like security, privacy is a multi-disciplinary domain that requires the input and collaboration among stakeholders, and most importantly the consumer—their consent should be integral to the entire process. 

When organizations ignore the consumer in the process, they frequently delve into the realm of ‘unfair and deceptive’ trade practices that result in the Federal Trade Commission (FTC) invoking consent orders against the firm. These typically result in 20-year bi-annual audits of the organization’s privacy and security practices. No firm willingly wants that level of government oversight.

One of the biggest criticisms of regulations like the CCPA is that it hinders innovation. What’s your perspective here?

I’m a contrarian in this regard. Good regulation—meaning regulation that protects privacy and security—drives innovation. Just look at the security space. We’ve seen massive improvements with respect to security architecture in the last few years with tools that help with automated data discovery, classification, and protection (including tokenization, pseudonymization, format protecting encryption), privacy management tools, deception to understand adversarial behavior, and security orchestration automation and response (SOAR) tools that automate security functions.

As a case in point, Delphix’s DataOps platform highlights important privacy-protecting and security-enhancing innovation that is perfectly suited to address the requirements of regulations such as the GDPR or the CCPA. These capabilities will become requisite features for privacy and security services architectures moving forward. If an organization collects personal and sensitive data, in all their respective guises, then tokenization, data masking and pseudonymization will become the norm. Doing this at scale and with minimal impact to operations are capabilities that exist today and should be widely employed.

I believe that good regulation—emphasis on good here—drives innovation. What’s important, however, is that we don’t create a regulatory bar so high that smaller organizations cannot enter markets given the inherent cost of doing business. That would be a market failure. My concern is that too many smaller and medium-sized businesses that are integral to our economy are limited in their ability to implement appropriate privacy and security programs.
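The answer above names three data-protection controls (masking, pseudonymization, tokenization) without showing how they differ in practice. The following is an added example, not code from the interview, from Delphix or from EVOTEK. It applies one control per field to a constructed record: a keyed HMAC for pseudonymization (deterministic, so datasets can still be joined, but not recomputable without the key), a random surrogate held in a separate vault for tokenization (reversible only by the vault), and an irreversible mask for display. The record values, the key and the `TokenVault` class are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for this example (fictional values).
SAMPLE_RECORD = {"email": "Jane.Doe@example.com", "ssn": "123-45-6789", "zip": "92101"}


def mask(value, keep_last=4, fill="*"):
    """Data masking: irreversible; keeps a short suffix so support staff
    can still confirm 'the card ending in 6789' without seeing the value."""
    if len(value) <= keep_last:
        return fill * len(value)
    return fill * (len(value) - keep_last) + value[-keep_last:]


def pseudonymize(value, key):
    """Pseudonymization with a keyed HMAC (SHA-256, truncated to 128 bits).

    Deterministic: the same input under the same key yields the same
    pseudonym, so analytics can join on it. Without the key the pseudonym
    cannot be recomputed from a guessed input, which is what separates this
    from a plain unkeyed hash. Input is normalised so case differences in
    e-mail addresses do not produce two pseudonyms for one person."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


class TokenVault:
    """Tokenization: replace a value with a random surrogate and keep the
    mapping in a separate store. Systems that only need a stable reference
    carry the token; only the vault can translate it back."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Re-use the existing token so the same SSN always maps to one token.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)   # random, carries no information
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]


def generalize_zip(zip_code):
    """Keep only the 3-digit prefix of a ZIP code (a common quasi-identifier)."""
    return zip_code[:3] + "**"


def protect_record(record, key, vault):
    """Apply a different control to each field, chosen by how the field is
    used downstream: join key (pseudonym), rare lookup (token), display (mask)."""
    return {
        "email": pseudonymize(record["email"], key),
        "ssn": vault.tokenize(record["ssn"]),
        "ssn_display": mask(record["ssn"]),
        "zip": generalize_zip(record["zip"]),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in production: kept in a KMS/HSM, never beside the data
    vault = TokenVault()
    protected = protect_record(SAMPLE_RECORD, key, vault)
    print(protected)
    print("detokenized:", vault.detokenize(protected["ssn"]))
```

The split matters for the CCPA and GDPR alike: pseudonymized data is still personal data (the key holder can re-identify it), while the tokenized field can live in systems that never see the real value, shrinking the footprint that a data-subject request or a breach notification has to cover.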

Businesses that have undertaken GDPR compliance will have an advantage in addressing the CCPA, but those efforts alone won’t suffice. How does the CCPA differ or go beyond the scope of GDPR?

The CCPA and the GDPR are similar, but there are important differences that security and data governance leaders should be aware of as they oversee their security and privacy programs.

The European Union’s General Data Protection Regulation (GDPR) is pervasive in scope and has important impacts on privacy and security—indeed Article 25 requires ‘data protection by design and by default’—for organizations both within the EU as well those that market to data subjects (aka residents within the EU).

Most notably, the California Consumer Privacy Act (CCPA) is specific to a single state, California, versus an economic union—most of Europe with the ongoing odd case of England, encompassing more than 20 European countries. The economic impacts of the GDPR are certainly more widespread, and the EU has been focused on privacy well before the adoption of the GDPR. The 1995 Data Protection Directive laid the foundation for the GDPR and similarly had expansive impacts on privacy practices throughout the EU and arguably the rest of the world.

Privacy is also a right in Europe. Article 1 of the GDPR outlines the ‘fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data,’ and data subjects must provide their consent (e.g., opt in) prior to having their information collected. The U.S. constitution does not explicitly call out privacy, and generally speaking, U.S. privacy practices—until recently—have placed the burden on the consumer to ‘opt out’ when their information is collected against the consumer’s preferences. Unlike the U.S. constitution, California’s constitution does provide a right to privacy.

Both the GDPR and the CCPA establish important privacy rights for data subjects. Chapter III of the GDPR outlines a number of important privacy rights including the now famous ‘right to be forgotten,’ which is technically noted as the ‘right to erasure’ (Article 17). Other rights include the ‘right to access’ (Article 15) and the ‘right to rectification’ (Article 16). These privacy rights have important analogs in both the CCPA as well as other sector-specific regulations, such as HIPAA where consumers have a right to access their health records. Consumers here in the U.S., as another example, have the right to review credit reports annually and to request that inaccurate information be corrected by the credit reporting agencies.

The CCPA expands privacy rights to include a requirement that businesses clearly notify the consumer what specific data elements or categories of information are being collected about them, and whether this information is being sold to third parties. Importantly, consumers can preclude their information from being sold to third parties, and when they exercise this right or the others established within the CCPA, the consumer should not face any discrimination from the business for having exercised their privacy rights. Like the GDPR, the CCPA establishes an expectation for ‘reasonable’ security over the personal information collected (1798.150).

Ultimately, both the CCPA and the GDPR have driven fundamental change to how organizations think about their data governance practices and have made the topics of privacy and security appear frequently on executive and board agendas. In this spirit, the CCPA and the GDPR have been effective at raising the awareness of how organizations collect, store and share sensitive data about consumers (aka data subjects).

Looking ahead, what is your expectation for how the regulatory and compliance landscape will evolve?

Presently, all 50 U.S. states have breach notification laws. Many states are now also drafting their own privacy laws. A case in point is Washington state’s privacy law (SB 6281) that would have been similar in tone to both the GDPR and the CCPA. But it did not pass through the state’s legislature. Washington state did pass SB 6280, which is notable for addressing appropriate uses and disclosure of facial recognition applications. Vermont also enacted a privacy regulation in 2018 that requires disclosures by data brokers.

Unfortunately, and unlike our neighbors in both Canada and Mexico, the U.S. will likely continue with a complicated patchwork of state-specific privacy requirements. Federal privacy regulation doesn’t seem to be a priority given the current political climate in D.C. Even if we do have a federal privacy law, it’s more than likely going to be unduly influenced by industry and not consumers, given Citizens United and the lobbying that’s so prevalent in our capital. What will likely be the status quo for the next several years will be that larger, multi-national organizations will broadly follow the requirements established in the GDPR.

When I was a research director at Gartner, I covered privacy and specifically the GDPR, and that was certainly the approach many Gartner clients conveyed. I also foresee that California will continue to establish privacy precedent for many other states, so organizations would be well-served to have a solid working knowledge of both the GDPR and the CCPA. In that vein, organizations will be able to validate their processes for handling requests from consumers (subject access requests or data subject access requests) and how they validate consumer identities when these requests occur. Too frequently, these procedures, while well understood by counsel, are never adequately communicated to front-line employees.

What’s your best piece of advice for business leaders looking to tackle compliance—especially for those who will need to make a significant investment?

First and foremost, organizations need to read the CCPA and the proposed regulations offered by the California Attorney General. Unlike the GDPR (which is over 250 pages), the CCPA is relatively short (less than 50 pages). I think too few companies actually understand and read the regulations that apply to their organization.

Critically, organizations should take a data-centric view of compliance—one that is biased toward protecting the consumer’s rights in both the collection and processing of their information. There are fantastic applications and tools available that will help with the technical side of privacy and data protection. Complement these tools by having a strong advocate for the consumer when thinking about business practices that involve the collection of personal data.

Organizations focused on making their relationship with the consumer transparent engender trust and build goodwill.

As a consumer, these are the companies that I want to give my business to. I’d also invite data governance and security leaders to read Recital 39 of the GDPR. It’s just a page in length but sets the tone for privacy expectations not only in Europe but globally. Lastly, map data—data flows are a beautiful thing!


Originally published on www.delphix.com on June 17, 2020

Here’s to a more resilient 2020!

Recently I had the opportunity to sync up with two of my colleagues at EVOTEK, Paul Ferraro and Amir Fouladgar. Paul curates an outstanding technology podcast and we had the opportunity to discuss the state of security and some observations as we head into the new year. I wanted to outline what I think are important priorities that will shape not only our security programs, but most importantly, the overall resiliency of our organizations.

1.     We should be passionate about automation and orchestration. Our profession is filled with highly talented individuals doing critical work manually. This must change. As security leaders, we need to empower our teams and give them the tools they need to respond to adversaries that move at network speed. Our adversaries are competent, well-resourced, and frequently more automated in their techniques than we are at defending our own organizations. Let’s make 2020 the year where automation of mundane tasks and the orchestration of more responses becomes the norm, not the exception. I am bullish that SOAR will be part of the modern security architecture. For this to occur, however, we need vendors to focus on interoperability and more reliable API-integration between and among security applications.

2.     Alert fatigue is real. Security analysts are inundated with tickets and alerts that are too frequently false positives. This status quo puts our organizations at significant risk. Analysts who face never-ending alert queues and the manual investigation that follows will miss things. They will also leave our organizations for greener pastures…companies with more modern security architectures. Let’s empower our teams. I’m a huge fan of using deception to focus on real threats that have bypassed existing security controls and traditional security monitoring. Deception is a game changer. The adversary now must worry whether they are interacting with decoy assets (be they credentials, servers, or otherwise). The use of deception technologies offers high-fidelity alerts and greater insights into adversarial TTPs. Deception allows us to effectively push the adversary back on their toes.

3.     Data governance and privacy are driving greater alignment between security practices and the business and its operations. CISOs should consider their colleagues in privacy as natural advocates for good security practices. As the saying goes, ‘you can have security without privacy, but you cannot have privacy without security.’ To reduce data breaches, we need to understand data flows from a business perspective. Privacy Impact Assessments (PIAs) are useful not only to our colleagues in privacy but to our security efforts. They can help outline where trust boundaries should occur, where data validation should be enacted, and where and how data and sensitive information enters the organization and where it’s shared with third parties. With the California Consumer Privacy Act (CCPA) coming into effect, there’s never been a better time to take a data-centric or information-centric view of security. I’ll be overseeing a track on data governance and security leadership at EVOTEK’s upcoming security conference where we’ll be addressing best practices for data protection and data governance.

4.     Let’s give back to our profession and help new entrants succeed. When I was an analyst at Gartner, I had the opportunity to collaborate on some important research that my former colleague and still friend Sam Olyaei was doing on the cyber skills shortage. This problem is larger than any organization. Collectively we can help mitigate the skills gap by helping new entrants to the cybersecurity profession gain requisite skills and find mentors who can help them with their careers. As a case in point, our local San Diego ISACA chapter sponsors student memberships into the organization. Let’s find ways to be there for those just beginning their careers in cybersecurity.


5.     The value of collaboration and sharing cannot be overstated. I remain grateful to the San Diego CISO Round Table for engendering a collaborative security community. This collaborative spirit was foundational to Gary Hayslip, Bill Bonney and me working on the CISO Desk Reference Guide. Our books on the role of the CISO would not have been possible had it not been for this collaborative environment. Kudos to Macy Dennis and the other board members for maintaining this community. There are outstanding organizations including other regional CISO Round Tables, ISACA, OWASP, InfraGard, and ISSA that offer fantastic opportunities to share best practices and find creative ways to deal with the many challenges that cross our desks every day. Collectively and collaboratively, we’re stronger.

6.     Let’s not overlook some of the outstanding work that’s being done in security today. Our security architectures are getting better – sadly, so too are the adversary’s techniques. The work being done by MITRE with the ATT&CK Framework is truly second to none. When the ATT&CK Framework is coupled with threat modeling and the use of deception, our adversaries will face real obstacles and our organizations will become more resilient. Kudos as well to NIST. I love seeing the continued progress and adoption of NIST’s Cybersecurity Framework (NIST CSF).

7.     We will likely see greater consensus on ‘reasonable’ security coming into 2020. The CCPA will drive this discussion forward. I’m fortunate that I’ll have an opportunity to speak on this topic at the upcoming Wall Street Journal Cybersecurity Symposium (https://cybersecurity.wsj.com/symposium/san-diego/) with an outstanding advocate for privacy and reasonable security practices, Justine Phillips, from Sheppard Mullin. As a quick aside, kudos to Justine and the extended team at the University of San Diego for hosting the second annual, and outstanding, Cyber Law, Risk and Policy Symposium earlier this year. The Symposium has become a must-attend conference on the important intersections that now bridge the legal, privacy and security professions.

Given that the topic of ‘reasonable’ security is top of mind for security and business leaders alike, I’d like to offer the following definition to start the dialogue (this is certainly not a legal definition):

“Reasonable security is that level of security capability that meets the organization’s agreed-to risk tolerances while fulfilling regulatory requirements and contractual obligations of the organization.”
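Item 2 above makes the case that decoy assets produce high-fidelity alerts because nothing legitimate ever touches them. The following is an added example, not code from the post, from EVOTEK or from any deception vendor, that shows the detection side of that idea: a small detector run over constructed key=value log lines that raises an alert whenever a decoy account is used (success or failure) or a decoy file is read, then ranks source addresses by how many decoys they touched. The log format, the decoy names and the addresses are all assumptions made for this illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (key=value format assumed for this example; not real data).
SAMPLE_LOG = """\
2020-01-06T08:12:41Z host=web01 event=auth_success user=alice src=10.0.4.15
2020-01-06T08:13:02Z host=web01 event=auth_failure user=bob src=10.0.4.22
2020-01-06T08:15:09Z host=db02 event=auth_failure user=svc_backup_old src=10.0.9.77
2020-01-06T08:15:10Z host=db02 event=auth_success user=svc_backup_old src=10.0.9.77
2020-01-06T08:16:30Z host=fs01 event=file_read user=carol src=10.0.4.15 path=/share/finance/Q4_passwords.xlsx
2020-01-06T08:17:02Z host=fs01 event=file_read user=carol src=10.0.4.15 path=/share/finance/budget.xlsx
""".splitlines()

# Decoy assets (hypothetical names). They exist only to be touched by an intruder:
# no job, user or script legitimately references them, so any hit is actionable,
# including a *failed* login, which would be noise for a real account.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}
DECOY_PATHS = {"/share/finance/Q4_passwords.xlsx"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    src: str
    user: str
    reason: str


def parse_line(line):
    """Split one log line into its leading timestamp and key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def detect(lines):
    """Return one Alert per decoy interaction found in the lines."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        reasons = []
        if f.get("user") in DECOY_ACCOUNTS:
            reasons.append(f"decoy account {f['user']} used ({f.get('event')})")
        if f.get("path") in DECOY_PATHS:
            reasons.append(f"decoy file {f['path']} read")
        for reason in reasons:
            alerts.append(Alert(f["timestamp"], f.get("host", "?"),
                                f.get("src", "?"), f.get("user", "?"), reason))
    return alerts


def sources_by_alert_count(alerts):
    """Rank source addresses by decoy interactions: a pivoting host that has
    touched several decoys is the first thing an analyst should look at."""
    return Counter(a.src for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} src={a.src} user={a.user}: {a.reason}")
    print("by source:", dict(sources_by_alert_count(found)))
```

Two points the sample brings out: the failed login to `svc_backup_old` is alerted on exactly like the successful one, since a decoy is never a target of legitimate typos, and the read of the decoy spreadsheet is attributed to `carol`'s session from `10.0.4.15`, which turns a single alert into a lead about a possibly compromised account rather than a ticket to close.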

I’d like to wish everyone the best coming into 2020. Here’s to a more resilient future.

Happy New Year!


Is there too much choice in cybersecurity?

With Black Hat and DEF CON coming up and this year’s RSA Conference and Gartner’s Security & Risk Management Summit completed, I wanted to reflect on an odd dynamic we face in security, one made all the more poignant for CISOs who have walked the exhibit halls of these conferences. We have an abundance of choice in our profession. Security, however, is ultimately about prioritization.

  • Which assets warrant protection?
  • How should these assets be protected?
  • What is the best technology to protect these assets?

The image below highlights how crowded the security application and tool space has become. Estimates vary, but it’s safe to assume that there are over 1,000 vendors in the security marketplace today with each vying for a finite security budget. Many security categories have more than 10 vendors battling for market share with their respective products. There’s not only competition within categories but increasingly among categories as one technology purports to address a security control traditionally handled by another. Selecting the most effective technologies when confronted with seemingly limitless choice is not easy.

"Some" of the Security Vendors at a Security Conference

When I was a research director with Gartner’s security and risk management practice, I had the opportunity to speak with well over 1,000 fellow CISOs as well as CIOs and other risk-management leaders. While most of my discussions focused on my research coverage – incident response, security compliance, privacy, IT risk management, security program design & evaluation and the cybersecurity skills shortage – many discussions delved into the efficacy of specific security applications and tools. My response was consistently that our security architectures have become inordinately complicated Venn diagrams with significant overlap in feature and functionality among the applications used in our security programs.

The amount of choice we have comes at a significant price. All of us in the industry recognize that attracting and retaining technically competent staff is challenging. Finding security engineers who have hands-on experience with so many different tools and applications is both costly and difficult. Further, there is the issue of defining which application or tool should function as the system of record for a given security control and how other tools and applications should integrate into the defined system of record through APIs and other integration mechanisms.

Beyond the operational complexity of managing so many different applications, there are financial and procurement concerns with so much choice. Too many options and approaches to address security controls generate widespread confusion during the procurement process, especially with non-technical buyers who fund projects. There is also buyer’s remorse when a specific security requirement could have been addressed with an existing application or tool had that feature been enabled or the capability configured and implemented correctly. This buyer’s remorse worsens when newly implemented security applications prove ineffectual and frankly don’t address security risk adequately. There is also the dynamic of “required” security applications – those appearing on an auditor’s checklist – versus newer technologies that solve problems in innovative ways that an untrained auditor may not understand.

Here’s the question that I’d like to posit to the CISO and broader security community. If you could only incorporate 5 security technologies into your environment, what would they be and why? Effectively, which 5 security technologies would produce the best return on security investment and reduce risk by the greatest amount?

I don’t want to unduly frame your response, but I will offer some initial broad categories for consideration. Please note, this is not a question about whether vendor A is better than vendor B. I’d like to explore which technologies are viewed as the most effective and the rationale for their selection. This rationale may include considerations such as ease of implementation, security effectiveness, cost effectiveness, etc. As the image above notes, there are ample categories to consider including deception, network access control (NAC), firewalls, endpoint protection (EPP), endpoint detection and response (EDR), security incident and event management (SIEM), security orchestration automation and response (SOAR), intrusion detection/prevention systems (IDS/IPS), breach and attack simulation (BAS), threat and vulnerability management (TVM), identity and access management (IAM), secrets management, privileged account management (PAM), network traffic analysis (NTA), static application security testing (SAST), dynamic application security testing (DAST), security awareness training, secure email gateways, cloud access security brokers (CASB), secure web gateways, credentials management, web application firewalls (WAF), encryption, among others. Many of the technologies now have their “next generation” variants (e.g., next generation AV, next generation firewall). There are undoubtedly many other technologies. The categories above are simply to start the dialogue.

If you were building your security architecture from scratch, which 5 security technologies would be part of your reference architecture? Which risks are the most critical and how do these technologies reduce that risk accordingly? As I noted at the beginning of this article, security is about prioritization. Given the constraints on our budgets and staffing competencies (which we all experience), which security technologies should be prioritized first and why? Clearly, your industry and your business model will influence this analysis and should be part of how you look at this question.

I look forward to an open and collaborative dialogue.

How CISOs Can Utilize the Ransomware Scare

When NotPetya, Petya, Ryuk, SamSam, WannaCry, CryptoLocker, TeslaCrypt, among many other variants of ransomware, are so frequently addressed in popular media and covered on shows like 60 Minutes, you know we’ve got problems. Ransomware is not only in the spotlight of popular media, it also has the attention of executive stakeholders in organizations. This presents an interesting opportunity for CISOs.

Recently publicized cases such as those for the cities of Atlanta, Baltimore, and Albany – let alone a number of other incidents across municipalities in Florida – along with the frequently cited and historic examples of Hollywood Presbyterian and Maersk – suggest that ransomware is a symptom of a larger issue. Too much of our infrastructure is vulnerable to ransomware and other cyber attacks. The “standard” of “reasonable security” is clearly not being met.

Without getting into the technical details of how ransomware works, it’s important to note that these attacks exploit vulnerable IT infrastructure and many of the protocols used in common applications and operating systems. In many ways, the current challenges with ransomware are reflective – analogous – of broader concerns with infrastructure across the country. When systems are not maintained correctly, they become vulnerable and prone to failure. We see this in our nation’s critical infrastructure including notable examples such as the bridge collapse in 2007 in downtown Minneapolis that took the lives of 13 people and injured over 100. My prayers are with those families.


More than ten years after this tragic incident, much of our country’s critical infrastructure remains brittle and will continue to fail resulting in injury and the potential loss of life. The risks created by ransomware can have similar impacts. As more operational technology (OT) gets connected to traditional information technology (IT) networks, system failures will impact the physical world. This is happening now with connected devices and the growth of IoT. My fear is that the consequences of security failures will result in the loss of life. This is a game changer.

Imagine a ransomware attack that locks the controls of autonomous vehicles or blocks access to medical devices. The scenarios are many and the consequences are real. Media coverage to date has focused on financial costs including ransom payments and/or the direct and indirect costs of remediation following an incident. Think of the media coverage when there’s attribution that a poorly configured device or application resulted in physical harm or death. Our world will change and quickly. The disclaimers of warranty and limitations of liability that are associated with so many of the products we use will likely not survive resultant class action lawsuits. The consequences of IT infrastructure administration and application and product design have never been higher, but similar to our nation’s physical infrastructure, there is significant technical debt (effectively an unfunded liability) that needs immediate attention.

Clearly, ransomware is a real and present danger to organizations of all sizes and in all sectors of our economy. So too are the numerous other security risks faced by our organizations. Many of us who serve as CISOs recognize that there will never be perfect security and we have to assume that our organizations will continuously confront security incidents. Our objectives are to quickly detect and mitigate these risks and to make our organizations more resilient (the ability to withstand security and other incidents and keep risks within agreed-to parameters). In this context, the topic of ransomware offers us a great opportunity to take pause and evaluate just how prepared our organizations are to confront these exposures. Incident response planning has never been more important. 

I would like to change how we think about ransomware. This current media attention on recent cases offers us an opportunity to evaluate the resiliency of our IT infrastructure and the efficacy of our security programs. We all recognize that we need to maintain our systems, harden our configurations, and patch in a more timely manner (effectively security hygiene). This is what we’re paid to do. Too frequently, however, our requests for resources to help secure our infrastructure and make it more resilient are not adequately contextualized to organizational priorities. Bluntly, non-IT and non-security stakeholders don’t fully understand the enterprise risks of not doing the basics well and not funding the resources required to make the organization more secure and resilient. The result: technical debt accumulates. Similar to our nation’s infrastructure, much of the enterprise IT infrastructure we are expected to manage and secure is fragile…subject to exploits and breaches. Too frequently, executives don’t understand these risks and cannot adequately link cyber risk to impacts on organizational strategy and goals. As CISOs, we’ve failed these stakeholders in not conveying security risks in terms they can understand.

When security incidents affect the bottom line, expose the organization to legal and regulatory demands, negatively impact operations and damage an organization’s reputation, executive management and the board will take notice. Frequently, given media attention, CISOs are asked “Are we secure?” This questioning would be better served if it were “How resilient are we?” That’s a question a CISO would love to explore with executive management and the board. The current attention created by highly publicized ransomware incidents should serve as the impetus for stakeholder discussions on organizational resiliency. CISOs and CIOs need to ensure that these discussions are not laden with technical jargon and “the sky is falling” scenarios. We need to explain the benefits of resiliency and preparedness in terms that other members of the C-Suite can relate to and importantly contextualize and directly link to their organizational priorities.

The good news is that our ability to make our organizations more secure and resilient has never been better. We’re seeing advancements in security orchestration automation and response (SOAR) technologies as well as innovative approaches to security visualization and analytics that surface security issues and poorly configured environments in a more intuitive and near real-time manner. That’s empowering. Similarly, improvements in enterprise backup and storage systems mitigate risks to data. Our security toolbox has also improved and covers the proverbial full-stack of infrastructure ranging from code development to in-production applications. Cases in point include a number of preventative capabilities ranging from enhanced endpoint protection, network detection and response (NDR), endpoint detection and response (EDR), web application security, network segmentation, identity and credential management capabilities, network access control (NAC), deception technologies, and even security awareness training – including many popular tools that phish end users to raise awareness. CISOs have never had such a suite of capabilities before. Obviously, these capabilities require access to trained personnel and the budget to leverage these tools.

CISOs today have reason to be cautiously optimistic…we have board and executive attention on our security programs and access to tools and capabilities that are more effective than ever. We still have to deal with the skills shortage our profession faces but our knowledge of adversarial behavior has improved notably thanks to MITRE’s ATT&CK framework and insights on the tactics, techniques, and procedures (TTPs) of those trying to harm our organizations. CISOs should exploit – pun intended – media attention on ransomware to have more open and direct conversations with their colleagues in the C-suite and the board and use this opportunity to drive a business-aligned resiliency agenda. If the topic of resiliency is not on your next meeting agenda with fellow executives, it’s time to add it now. Make resiliency a standing agenda item and ensure that incident response preparedness includes not only the IT and security teams, but stakeholders throughout the organization.