July 13, 2022

Privacy Professionals & Regulatory Headaches with Adam Stone

by Cyber Ranch


Show Notes

Adam Stone, Chief Privacy Officer at TrustMAPP, brings his decades of security and privacy knowledge to the Ranch this week to talk about the disciplines of security and privacy.  Where do they intersect?  What makes security professionals and privacy professionals different? And, maybe most important of all: How can these two disciplines work together within an organization without being perceived as useless regulatory headaches?

Timecoded Guide:

[00:00] Comparing and contrasting security and privacy responsibilities

[08:30] Privacy, GRC, and building trust with stakeholders

[15:28] Coordinated and cooperative efforts of security and privacy teams

[20:57] Security awareness training vs the lack of awareness of privacy

[27:26] Drawing the line with privacy laws for security professionals

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour

Where do privacy and security intersect? Where don’t they intersect?  

Privacy professionals need the security professionals within their organization to make privacy work and to implement the protocols a privacy policy calls for. Although each group may want to draw a division, a company needs a healthy dose of both privacy and security, kept distinct from each other, and they cannot simply be handled by one person tagged in for both. The main reason this shared responsibility for privacy and security under one roof doesn’t work is the difference in priorities: while Adam points out that both seek to serve stakeholders, security professionals protect property with technology and privacy professionals protect individuals with processes.

“Information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation…The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity.”


What does an information security professional need to know about privacy?

Within the world of security, privacy regulations and laws are often seen as a headache. According to Adam, however, privacy is misunderstood by many security professionals, who lump privacy policies in with the technical protocols they use throughout their work. Privacy is administrative and depends on how people behave within their workplace. Although technology may aid privacy policies, the steps companies must go through to maintain privacy for their customers depend on individuals and on how well the company can enforce strict protective privacy protocols on those individuals.

“What security professionals need to understand about privacy is that many, if not most, of the solutions to privacy problems, are not technological. They are process. They are administrative.”


If security awareness training is a norm, why isn't there privacy awareness training? 

There are a lot of perceptions about privacy, and Adam admits that many of them are unfortunately negative. Between the headache of privacy law and the lack of privacy awareness within companies and organizations, what are people supposed to think about privacy? In Adam’s opinion, the perspective on privacy needs to shift, and companies need to better understand that privacy is a customer service concern. Caring about how you market to someone, how you sell your wares, and the impact you have on your customers is a way to build trust with them and to provide them a higher quality of customer service, and all of that falls under the umbrella of privacy.

“In my view, [privacy awareness] is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual.”


How do you keep up with the myriad of privacy laws that are constantly coming out and changing? 

Adam has heard from security and privacy professionals alike about the anxiety of changing privacy laws, but his answer to the concern is that no one can keep up with these changes on their own. Whether relying on the International Association of Privacy Professionals (IAPP) or calling in the counsel of a legal team or privacy lawyer, there are numerous resources available for privacy and security professionals to learn about privacy laws, study them, and decide where to draw the lines and what decisions to make about privacy policies.

“There’s a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court. That is where we really need the expertise and the authority that a lawyer brings to the table.”

-------------

Links:

Learn more about Adam Stone on LinkedIn and the TrustMAPP website.

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 

Continue this conversation on our Discord

Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
