Friday, January 28th was Data Privacy Day in the United States or Data Protection Day in Europe. TechRepublic’s Karen Roby talks with Terry Ray, SVP and fellow with Imperva, about what data security actually means and how companies sometimes struggle to get “eyes on” their private data, and why their thinking around the topic needs to change. He also shares his thoughts on what’s ahead for data privacy in 2022. The following is a transcript of the interview, edited for readability.
It’s simple, don’t lose the data
Karen Roby: When we talk about data privacy, there is a special day that is dedicated to talking about raising awareness. But as we were talking about off camera, it should have its own week or month, or I don’t even know. We couldn’t talk about privacy, security, all of that, enough, because this is such a huge topic. So many issues, so many breaches. I mean, there’s a lot involved here.
Terry Ray: Without question. I mean, I don’t think people often bundle a breach along with privacy in terms of the regulatory compliance element. But the reality is, customers and companies, everybody else, they come to me all the time and they talk about, “I need to meet this compliance or this regulation,” or it’s a privacy piece.
The reality is, they all come down to the exact same thing, which is exactly what you said: don’t lose the data, whatever the data happens to be. My data becomes privacy. A credit card is a bank’s data. That’s not necessarily privacy. So it all depends on what that data is, but don’t lose it. Only let certain people see it. From a privacy world, if I don’t want you to have it anymore, I want you to change it. Then you have to do what I say, because it’s my data. So there are all these individual facets that go into it. But it is interesting that we’ve been dealing with data security for, I have for 20 years. There are still an awful lot of gaps, if you will, identified by exactly the breaches you’re talking about.
What does data security really mean?
Karen Roby: Yeah. So let’s dig into that. Where are we really? Where are we with this? What keeps you up at night? Where do we go from here?
Terry Ray: There have been a lot of different things that have happened in data security over the years. One of the biggest challenges that data security has faced is that it’s such a broad topic. Almost anybody can say that they do data security. I could be a network firewall and say, “By protecting your network, I’m protecting your data. Therefore, I do data security.” The same thing would be true of encryption or, even more specific, technologies like tokenization or pseudo-anonymization or all of these things to hide your data in certain ways; all of these are data security and trying to protect data. I think that’s probably the biggest challenge organizations and professionals have run into: they just don’t know what the right thing to do is. There are so many different options, and everybody says they solve my problem. How do I know when my problem is actually solved? Do I have the right technology? Do I have the right processes?
I’ve said for years, and it’s still so true, if you go to LinkedIn and you type in, in quotes, “database security,” I’m just picking on databases here, you’re going to find 36,000 people in the world that even claim to be a database security expert. If you do the same thing for network security, you’ll find 1.5 million people that say they’re a network security expert. So people don’t even claim to be security experts when it comes to some of the most common places where we store our data, which speaks to the fact that there’s not a lot of expertise that exists out there yet. There’s a lot of confusion on how you go about solving the problem of protecting your data.
Getting “eyes on” your private data is crucial
Karen Roby: Yeah. That’s what… We talk to people every day and we’re writing articles and videos with all kinds of different people and different facets of security and privacy. That is the thing, it seems, that it’s confusing. There’s so many different avenues and who’s responsible for what, and as a leader of a company or those responsible for that data privacy, I mean, it’s just a constant battle, I think, to stay ahead of it, and like you said, to know, do you really have the right things in place? Sometimes hard to know.
Terry Ray: You hit the nail on the head. Take it to its most rudimentary when you think about data privacy or security. Some people will say that you begin all of that with, A, knowing where your data is. Now, that is the traditional path of being able to say, “Before I can ever secure anything, I have to know where it is.” I will tell you that modern data security doesn’t really care where your data is. You should be able to watch… I need to look at every single piece of data I have, and if I’m looking at all of it, it really doesn’t matter where it is because I’m looking for bad behavior. But traditionally, people would say, “I need to know where my private data is.” I’ll tell you two things. One thing is, traditionally, the ability to identify where that data is would be a very technical process, and it is a very technical process. It’s a simple process, but it’s technical.
I used to ask a question in a group of CISOs, just keeping in mind, this is security, but I’d ask a question in a group of CISOs. I would say, “Look, whose job is data security? Is it your job, the CISO?” I will tell you, only half of the hands in the room would go up and say, “It’s my job.” The other half of the room would say, “I know my phone’s going to ring when there’s a breach, but how do I know, in 100 databases, which one of these databases is important and which one has private data and who’s managing that data? I’m managing security over there. How can I know about all of these?” That’s just 100 databases. Imagine a multinational bank that has tens of thousands of databases. How can security own all of that? I’m not saying they should or shouldn’t. All I’m saying is it’s one of the challenges that they have.
If you go back to organizations today, you’ll find that most organizations today do not know where their private data is, and they don’t know that they really could be able to look at everything, but they don’t even know where the private data is. The last piece here, I would ask them, “Do you know where your private data is?” I will tell you, most of the hands in the room would go up. They’d say, “Yes, I know where it is.” I would say, “Do you know that it is possible that it could be elsewhere, and do you know for sure it hasn’t gone elsewhere?” They said, “Well, we don’t know that. What we know is that of my 100 servers, two of them have credit cards in them.” “But you don’t know anything about the other 98?” They said, “No, we don’t know about the other 98, but I know those credit cards are supposed to be here.” I said, “Then you don’t actually know where your private data is. You know where your private data is supposed to be.”
But in the real world, as that private data moves all over through your organization, that’s a real big challenge for organizations: if they begin in that world of, “I have to know where all my private data is,” that project never ends. You’re always searching for the private data because it’s always moving, rather than the organization just saying, “It doesn’t matter. I don’t need to know where my private data is. Instead, I need to really have potentially eyes on my data. I need to be watching it just like I do for people with malware, just like I do with my network. I know every packet that comes in and out of my network, and I know every file you copy to a USB with my DLP platform. Yet, I couldn’t tell you who touched that table yesterday because I’m not looking at it in a database.” That’s the gap, I think: security gets to a point where they just can’t pass this barrier, and they don’t have that visibility in a lot of organizations.
2022 predictions for data privacy
Karen Roby: With that in mind, Terry, and as we’re moving into 2022 now, what does that mean? What do you predict? What do you see?
Terry Ray: So certainly, regulatory compliance split a few years ago. GDPR, was it five, six years ago, GDPR came out. It was this first real big technical, with-teeth privacy regulation that covers an entire continent, and essentially it comes out and companies are scrambling to try and solve the problems for this. I will say that from a security perspective, most of the organizations that existed at that time had the ability to likely answer a lot of the questions that GDPR posed. For example, do you know where your private data is? Well, there were technologies out there to solve for that, but they didn’t necessarily speak privacy. There were also organizations out there that spoke the other privacy angle of GDPR, which is protect your data. Don’t lose data. Don’t be negligent towards your data. You need to have best practices on your data.
Technologies did that, but they didn’t really speak the GDPR speak. Most of these organizations didn’t realize that GDPR, when it called for a DPO, or data privacy officer or chief privacy officer, whatever, when they called for that, this is now a different person in that organization that’s running the project than the people that most security products talk to, the CSO’s department. So what we find now, over the last five years, is there’s been this split in the technology realm of data security. Data security split off an element of it that we talked about earlier, that classification angle, that ability to know where your private data happens and where your private data is, to the point that you have DPOs running projects that go and classify and find the data to say, “This is where the data exists,” because I have DSARs that are going to come in, and when I need to triage a DSAR request, if Terry says, “What data do you have on me? I want you to delete it or change it,” I have to answer that and respond back to that. So I need technology for it.
What those DPOs or CPOs might not have known is that if your organization was already a highly regulated business, you probably already had technology that could probably do that; it’s just that the technology vendors, and I’ll throw myself into that bucket, didn’t do a great job of saying, “By the way, did you know we could solve this problem for you too?” So now you have organizations over the last five years that wind up with overlapping technologies. My full prediction is, what you’re going to see in the next year to two years is you’re going to see organizations start to come to that realization, to say, “All right, so what are we classifying our data with? What are we discovering our private data with? What’s this company’s product and what’s this company’s… Do we have two of these going on?” The obvious question is, “Why am I paying for two of these technologies? Shouldn’t we just be paying for one?” What really is that most powerful piece of technology?
I’m not going to answer that here, but I think when you look at the core of regulatory compliance, if you have to meet privacy standards and privacy regulatory compliance, you probably, in many, many cases, have other non-privacy regulations you have to adhere to as well. The overlapping technology that occurs across the board is that you need to monitor access to that data. You need to know who touched it, when they touched it, how they touched it, where they touched it from; maybe you need to be able to prevent it, but at a minimum, you need to have proof that you know what’s going on in that organization. There have been a couple of examples over the last year, year-and-a-half where some hospitality chains and some transportation organizations were fined, but they weren’t fined for not being able to do the manual part of the DSAR. They were fined because they didn’t find the appropriate level of data security inherent in those organizations.
So that’s still the common theme, back to the very beginning of what you opened with: these breaches continue to happen, not from a lack of DSAR triaging, but we continue to see breach after breach. So in my opinion, I think you’re going to see this rolled into data security: data security is still data security. While it’s broad, it has these fundamental things that, regardless of what else you do, you need to answer really basic questions like who touched your data? When did they touch it? More importantly, were they supposed to really touch that data or not? If you can answer those questions, usually you’re going to be pretty good when it comes to the unfortunate incident response or just being asked a question about, where’s my private data?