For years now, lawmakers around the world have been proposing, debating, and enacting scores of data privacy and security regulations at all levels of government. And yet people’s concerns regarding personal data privacy and protection continue to be proven out by debilitating corporate security breaches. From SolarWinds to the Colonial Pipeline shutdown to Microsoft and T-Mobile (again), it’s clear that data privacy and data security must be coordinated to maintain consumer trust and keep markets stable.
That is why, in June, Okera hosted the first AIRSIDE LIVE conference, bringing together top industry experts to help us understand what’s really going on, how we can better protect ourselves, and how to build trust with our customers, partners, supply chain vendors, investors, and market analysts. Speakers included:
- Mike Rogers, national security veteran and expert commentator at CNN
- Stacey Rolland, senior vice president, emerging technologies and data, Forbes Tate Partners
- Alison Pepper, executive VP of government relations, 4As
- Merritt Baer, principal, Office of the CISO, AWS
- Sarah Gadd, head of semantic tech, AI, and machine intelligence, Credit Suisse
These and over a dozen additional speakers all delivered engaging and insightful talks, and I highly recommend listening to them in their entirety. But here are the top five takeaways from the event, which clearly lay out the challenges ahead and the actions we need to take to meet them.
We’re not fully armed against cyberattacks
In his keynote address, Mike Rogers asserted that the United States is not prepared for a cyber war because we don’t have an adequate, unified defense. The US federal government puts a lot of focus on protecting .mil and .gov sites, but private companies are mostly on their own.
Because of the way data is distributed today and the data connections that now exist between agencies and enterprises, we need a national, rational cybersecurity policy that equally protects both the public and private sector – while also protecting the private information of individuals. Universal data protection is possible with today’s technology, but it won’t just spontaneously erupt into existence. And the clock is ticking.
Enterprises have a critical role to play
In the absence of a national data defense policy, according to Stacey Rolland of Forbes Tate Partners, many US companies continue to take a wait-and-see approach to cybersecurity and self-regulate. For the good of their customers, themselves and the nation, this needs to stop.
Having even a basic risk and control framework with clear documentation will immediately improve cyber defense while setting companies up to meet any further new requirements. But to make change happen, cybersecurity vendors must engage with the federal government to educate agencies about their latest tech innovations, so they can influence how the regulatory environment evolves and lay the groundwork for a future national strategy.
Advertisers are at the tip of the compliance spear
Both advertisers and regulatory policy have struggled to keep up with the increasing consumer demand for greater privacy and control over the personal information they share, said Alison Pepper of 4As. But with federal regulation stymied, advertisers face the daunting prospect of somehow complying with 50 different versions of personal data privacy regulations at the state level. If there’s conflict between different state requirements, which rules get enforced? Who arbitrates? No one benefits from all this confusion.
With third-party cookies going away and Apple (and eventually others) limiting the ability to share information in apps, we will see increasing pressure on the advertising industry to change its practices and policies, with the industry likely going back to more contextual advertising and more focus on first-party data. This is a positive trend for consumers, and we will need to track it over the coming years.
Security as the foundation
No matter the final shape of the regulatory landscape, organizations must step up and mount an effective defense. When managed properly, the public cloud is far more secure than most people think. As Merritt Baer of AWS explored during her session, enterprises must recognize that when they put workloads into the cloud, security is a shared responsibility.
The cloud provider, such as AWS, is responsible for protecting the underlying cloud infrastructure and built-in services. Meanwhile, the enterprise must ensure the cloud services and their own applications are properly configured and operated, including security controls, firewalls, data protection, etc.
The enterprise security team is the key – they must have the experience and tools to do the job properly. And here, “tools” includes solutions and strategies for automating as many security processes as possible, including authentication and authorization. Identity and access management (IAM) policies are going to be some of the key security guardrails, and the virtual private cloud will be the perimeter.
Architecting your platform for the long term
Credit Suisse’s Sarah Gadd presented actionable advice on how to build a framework for future data success. As a global bank, Credit Suisse is highly regulated, has to understand all the regulatory requirements across the globe, and must make sure it safeguards its clients’ highly sensitive personal and financial data.
To properly govern data, Gadd presented a framework with five key pillars:
- Security: understanding how data maps to various security levels is absolutely key
- Quality and control: quality gaps need to be raised in a system so they can be tracked down, funded, and delivered
- Data governance: assign clear accountability for data governance, whether centralized or decentralized, across all levels
- Architecture: how you deliver value by making data appropriately accessible and usable
- Usage and analytics: enabling your people and your culture within the firm to understand how important data is
Using this framework, organizations can build a data-driven culture based on the principles of securing all data and using it ethically, managing data as an asset, and ensuring that data drives decision-making.
As I mentioned above, I hope you’ll take the time to watch these sessions as well as the other AIRSIDE LIVE sessions available on-demand. Each session provides so much more context and detail, and there are so many more incredible and insightful speakers to listen to as well.
Meanwhile, with data privacy and governance still a top topic in the boardroom for the foreseeable future, Okera is looking forward to continuing to host AIRSIDE LIVE. We hope to see you at the next event in 2022 (coming to you in-person in New York as well as virtually!). Stay tuned for more details in the coming weeks!