Rayban’s recent collaboration with Facebook resulted in a pair of wayfairers with a tiny camera hidden in them which allows you to record your every move without others really noticing it. As expected, the privacy community were quick to express their concerns about this new gadget, which led privacy supervisors to look into this. But unlike with Facebook’s many other privacy mishaps, this one might actually concern your average consumer and even impact Rayban’s bottom line. To know how, imagine every time you see someone with a pair wayfairers, be it when shopping, getting a coffee, or sitting on the beach, you have to wonder whether you’re being recorded and your image is being shared without your consent.
Eventually, you’re going to grow suspicious of people with wayfairers, and what once used to be the pinnacle of cool worn by cool cats such as Mohammed Ali, is now going to be associated with creepy dudes.
This is privacy. Privacy is a gut feeling. And our gut feeling is a major driver in almost all of our purchasing decisions. And as with any gut feeling, customers won’t notice when you’re doing privacy well, but they will when you’re doing it wrong.
Evidently, privacy & security professionals have been aware of the competitive advantage of privacy and security for a while now. Therefore, it’s no surprise that they’ve been worried lately. The companies they work for are moving their data to the Cloud to offer better goods and services in order to stay competitive, but with this new technology comes a new set of privacy and security risks we’re only starting to understand. To their dismay, things aren’t looking bright. In the wake of general cloud adoption, data breaches have been on the rise, both in number and in size.
But data breaches are just one of the many concerns that privacy & security professionals have to address. They’re also occupied with complying with the many privacy regulations and security standards, keeping track and adapting to privacy rulings such as Schrems II, limited budgets, remote working, cyber warfare, and an increasing privacy awareness with their customers.
As a result, privacy and security professionals feel they’re always trying to catch up. They feel like they have to slow down the business, where they want to root for and enable the business.
The resulting stress is increasingly leading to burn-outs.
Over the past couple of years I’ve talked to many data & privacy professionals working across all sectors, and the near impossibility of governing access to cloud data was a recurring theme.
Where data used to be neatly separated per domain and stored on premise, data is now increasingly stored in the cloud where it is merged, mixed and copied resulting in a data proliferation which has become impossible to protect. As a result organizations are often faced with the unfortunate dichotomy of using versus protecting their data. Some of the recurring symptoms can be that:
Fortunately, it has been many days since we abided by the mantra “Move fast and break things”. Cloud providers used to relentlessly focus on speed and scale and organisations on amassing ever larger droves of customer data. All the while customers were lenient for all the privacy & security flaws as long as they got new products and better services in return. We were in the Wild West of data.
Today, the long string of privacy & security breaches, new privacy regulations and a growing privacy awareness with the customers is turning privacy & security into a competitive advantage. This hasn’t gone unnoticed to the cloud providers who are increasingly investing in better security features such as row and column level access controls, which I will discuss in another article. Although these features will enable the organisation to configure the fine-grained access controls much needed to comply with privacy and security standards, they’re absolutely not a silver bullet. It will be impossible for the security teams to keep the access controls up to date in an environment where data proliferates, technology evolves at lightning speed, regulations and standards change, and colleagues switch teams.
Fortunately, the CISO and DPO can find an unlikely ally in the CDO who are responsible for maximizing the value of their company’s data. To achieve this, CDO’s are increasingly relying on Data Catalogs, which list all the organization’s data sets and their associated metadata so that the business can browse for and request access to those data sets similarly to how you would shop for items on Amazon. This creates an amazing opportunity for the CISO to simplify access management. Imagine your CDO catalogs all the organisation’s data sets that contain customers’ payment card information and labels them as such. Now instead of having to find these data sets and configuring the ACL’s on the data sources manually themselves, the CISO can specify their access controls once at the level of the label Payment Card Information, and have the ACL’s on the data sources configured automatically according to that access control. This approach of meta-data driven access management will save the privacy & security professionals loads of time on access management, freeing up their time to focus on ways they can enable the business. The same counts for managing retention, and enforcing consent and other privacy preferences.
The need for good meta-data has been long known among data governance practitioners, and as data is becoming more strategic we’re seeing an increasing interest from the broader market and investors. Next to the established data catalogs such as Collibra and Alation, there are more and more open source catalogs and metadata stores such as CKAN, LinkedIn’s DataHub, WeWork’s Marquez, and OpenMetaData. Automation is a key aspect in these open source projects because if the CDO were to manually tag all that data it would take them an eon and by the time they’re halfway, the catalog would already be outdated. This explains the appearance of tools that focus on automated data discovery & classification tools such as BigID, 1Touch, Scale AI, Labelbox, CloudFactory, and Watchful, and open source products such as Amundsen and Snorkel. These tools let you scan your data landscape in days rather than months.
The open source movement will make automated catalogs readily available for companies of all sizes which will have a huge impact on how we use and protect data.
I’ve been a strong proponent of meta-data driven access management, and over the past couple of years I’ve had many discussions on the topic where organisations responded to new privacy regulations or a warning from the supervisor with a tactical solution starting from a set of tools. A result of this tech-driven approach is that the solution is never taken out of project phase, and that privacy & security professionals are bound to having to play catch up again. More on that in a later article.
Organisations where the CDO manages to successfully collaborate with the CISO and DPO to leverage meta-data for access management will have: