How CISOs Can Manage the Intersection of Security, Privacy & Trust

By Alym Rayani

There’s an old adage among cyber security professionals: “You can’t protect what you can’t see.” And with data exploding literally everywhere, it has become increasingly hard to protect. In fact, the World Economic Forum estimates that by 2025, the volume of data generated each day will reach 463 exabytes globally. To put that number into perspective, one exabyte is equivalent to one billion gigabytes. Chief Information Security Officers (CISOs) are already required to guard sprawling corporate and customer data at all costs or risk hefty legal and compliance fines; however, they now face an even tougher challenge.

Deploying a robust data privacy program is a complex job for CISOs who wear many hats these days – in fact, the CISO job description keeps growing and growing. CISOs are often asked by the Chief Privacy Officer (CPO), compliance and legal teams to provide data protection solutions that span security, privacy and legal issues. On top of that, they must keep employee data safe while balancing security with user productivity. They often have accountability directly to the Board, who is constantly asking for ROI on security investments to protect the organization from a brand-damaging data breach.

We are sharing data more than ever before and while it has simplified our day-to-day tasks, it also creates security and privacy risk for both individuals and organizations. That’s why we’ve seen countries around the world passing regulations with comprehensive privacy requirements. In fact, 71% of countries already have some form of data protection and privacy legislation in place. With increasing complexities and changes in the regulatory landscape, organizations must ensure that privacy protection remains central to their business. That means educating and empowering employees to make privacy-compliant decisions, driving policy awareness and automating policies to improve productivity and reduce costs. Companies should be concerned about data privacy issues because, in addition to the protection of privacy being the right thing to do, today’s missteps in this area hold real business risk with legal, financial and reputational ramifications.

Data Privacy and Data Protection Challenges

There’s a significant overlap between data privacy and data protection. You can’t have one without the other, and improved data security and transparent commitments to customer privacy can increase trust. Consumers and businesses need to trust that their data is protected at all times. In fact, they are demanding that their data be private, and if they don’t have that trust, there is an overall loss in brand equity and brand loyalty. CISOs play an important role in driving that overall trust by selecting the right mix of automated, next-generation data protection solutions that can protect data and respect customer preferences for how data is used.

In the last few years, customers have been asking for data privacy solutions embedded into the cloud services they use to drive their businesses. They were facing three key challenges:

1. They struggled to identify and manage personal data in their existing cloud environments. They also didn’t have the right tools in place to discover it and define what personal data actually is.
2. They had lots of archaic, manual processes in place to manage risk. They were using spreadsheets to keep data private, and they struggled to keep up.
3. They were facing subject rights requests which were introduced by GDPR, CCPA and many other regulations. Customers needed a way to execute on these subject rights requests.

Introducing Microsoft Priva

Microsoft has taken a particular interest in data privacy and we recently launched a new solution, Microsoft Priva, to help our customers manage privacy in a scalable and automated way. Priva includes two core modules:

1. Priva Privacy Risk Management: This tool helps our customers proactively identify and remediate privacy risks in their own environment. For example, Priva can discover overexposure or oversharing of data, risks arising from data transfers and data hoarding. It empowers information workers to make smarter data-handling decisions.
2. Priva Subject Rights Requests: This is an automated data discovery and privacy issues detection solution with built-in review and redaction capabilities as well as secure collaboration workflows. It allows you to search for data in one place, correlates it with other signals to identify privacy conflicts such as a collected requestor’s file containing confidential information. It leverages automated data discovery capabilities to conduct the search requests and you can integrate it with your homegrown or other privacy tools via an API.

The good news for CISOs and privacy professionals is that Microsoft Priva is not a rip and replace tool. It actually complements existing data loss prevention and encryption tools and helps privacy operations teams deal with specific challenges, sitting on top of the other solutions. It helps security teams to operationalize data privacy in a modern way and deal with all aspects of privacy for the organization. Priva also empowers employees to make smart data handling decisions, helping to foster a proactive privacy culture by increasing awareness of and accountability towards privacy incidents and risks, without hindering employee productivity.

Even better, Microsoft Priva solutions are readily available for customers as an add-on to all Microsoft 365 or Office 365 enterprise subscriptions. Learn how it works and start our 90-day trial of Microsoft Priva. You can also read our article on managing subject rights requests at scale.