July 13, 2022

Privacy Professionals & Regulatory Headaches with Adam Stone

by Cyber Ranch

Show Notes

Adam Stone, Chief Privacy Officer at TrustMAPP, brings his decades of security and privacy knowledge to the Ranch this week to talk about the disciplines of security and privacy.  Where do they intersect?  What makes security professionals and privacy professionals different? And, maybe most important of all: How can these two disciplines work together within an organization without being perceived as useless regulatory headaches?

Timecoded Guide:

[00:00] Comparing and contrasting security and privacy responsibilities

[08:30] Privacy, GRC, and building trust with stakeholders

[15:28] Coordinated and cooperative efforts of security and privacy teams

[20:57] Security awareness training vs the lack of awareness of privacy

[27:26] Drawing the line with privacy laws for security professionals

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexity by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour

Where do privacy and security intersect? Where don’t they intersect?  

Privacy professionals need the security professionals within their organization to make privacy work and to implement the controls that a privacy policy calls for. Although each group may want to draw a dividing line, a company needs a healthy dose of both privacy and security, and the two should not simply be handled by one person tagged for both. The main reason that arrangement tends not to work is a difference in priorities. While Adam points out that both seek to serve stakeholders, security professionals are protecting property with technology and privacy professionals are protecting individuals with processes.

“Information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation…The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity.”

 

What does an information security professional need to know about privacy?

Within the world of security, privacy regulations and laws are often seen as a headache. According to Adam, though, privacy is misunderstood by many security professionals, who lump privacy policies in with the technical controls they use throughout their work. Privacy is administrative, and it relies on how people behave within their workplace. Technology can help enforce a privacy policy, but the steps a company has to take to maintain its customers' privacy depend on individuals, and on how well the company can hold those individuals to its privacy rules.

“What security professionals need to understand about privacy is that many, if not most, of the solutions to privacy problems, are not technological. They are process. They are administrative.”

 

If security awareness training is a norm, why isn't there privacy awareness training? 

There are a lot of perceptions about privacy, and Adam admits that many of them are unfortunately negative. Between the headache of privacy law and the lack of privacy awareness within companies and organizations, what are people supposed to think about privacy? In Adam’s opinion, the perspective on privacy needs to shift and companies need to better understand that privacy is a customer service concern. Caring about how you market to someone, how you sell your wares, and the impact you have on your customers is a way to build trust with them and to provide them a higher quality of customer service, and all of that falls under the umbrella of privacy.

“In my view, [privacy awareness] is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual.”

 

How do you keep up with the myriad of privacy laws that are constantly coming out and changing? 

Adam has heard from security and privacy professionals alike about the anxiety of changing privacy laws, but his answer to the concern is to point out that nobody can keep up with these changes on their own. Whether relying on the International Association of Privacy Professionals, or IAPP, or calling in the counsel of a legal team or privacy lawyer, there are numerous resources available for privacy and security professionals to learn about privacy laws, study them, and decide where to draw the lines and what decisions to make about privacy policies.

“There’s a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court. That is where we really need the expertise and the authority that a lawyer brings to the table.”

-------------

Links:

Learn more about Adam Stone on LinkedIn and the TrustMAPP website.

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 

Continue this conversation on our Discord

Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast



Transcript

Adam 00:00
Now, there is a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court.
Allan 00:17
Howdy, y'all, and welcome to the Cyber Ranch podcast. That's Adam Stone, Chief Privacy Officer at TrustMAPP, former CISO in the medical equipment manufacturing space, and a 20+ year veteran of both security and privacy, with a strong background in GRC. I have a disclaimer to make: Adam and I work together at my day job, but Adam has straddled the security and privacy fences enough that I regard him as one of the experts in the industry, on the nuances between those two disciplines and the ties that bind them together. We're having a great conversation on the subject, and I think you will enjoy it too. Adam, thank you so much for coming on down to the Ranch.
Adam 00:50
Thanks for having me, Allan.
Cyber Ranch Intro 00:55
Welcome to the Cyber Ranch podcast. Recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts. Here's your host Allan Alford.
Allan 01:16
Alright, so why don't you briefly tell us a bit about your background in cyber and a bit about your background in privacy there, and a bit about your day job.
Adam 01:22
I've been in the privacy and security business for well over 20 years at this point. I served a number of leadership roles in privacy and security, across a number of different industries, again, various financial services organizations, as well as other healthcare organizations, and a smattering of other industries as well. My day job is working with you, serving as the Chief Privacy Officer for the organization.
Allan 01:49
Alright, fantastic, man. Let's just dive in and get into it. Where do privacy and security intersect? Like, talk to me about the intersection between these two disciplines.
Adam 01:58
Well, I think the common understanding, which I agree with fully, is that privacy has a need for security. In order to make privacy work within an organization, we need the assistance of our information security professionals to make that happen. Why? Privacy professionals have a real specialty on the administrative side of managing data. However, privacy professionals don't necessarily have the technical acumen that the security folks bring to the table. And so, when a privacy professional needs to adopt or implement a particular policy or particular control within an organization, oftentimes, that privacy professional will seek the assistance of the security professional to make that happen from an operational standpoint. That is really the key point of intersection.
Adam 03:03
Now, there are secondary points of intersection. Namely, in that many of the laws and regulations and best practices that we're all familiar with in the industry, many of these frameworks do tend to mix or to collate, shall we say, the needs of privacy within the realm of security, or sometimes the other way around. I don't necessarily agree with that, but that is the way it is. And so, if we take regulations, such as the HIPAA Security Rule, which itself is pretty straightforward in talking about how we protect so-called "protected health information," or PHI. We have a need to protect that information, of course, from a policy standpoint, from an administrative standpoint, but importantly, there are key technological elements where we need assistance from the security professional in order to ensure that protection. For instance, encryption, or access controls, or things of that nature, those sorts of technical controls necessary to ensure that the information that we commit to keeping private stays private within the technical or digital realm.
Allan 04:18
Okay, so, one thing you and I talked about before the show was this idea that security professionals need to be very cautious when meddling in the affairs of privacy. Not in the affairs, but in the rules and regs, right? In other words, privacy is relying on security to get some things done, but I think a lot of security professionals because of that, tend to feel as if they've got some privacy chops. So, my next question is kind of the opposite of what we just discussed. Where don't they intersect? What are some of those warnings for security folks about, "Hey, tread lightly in this area"?
Adam 04:50
That's a great question. Here's my sense. Privacy professionals and security professionals each have their own sponsors, or their own individuals, that they are protecting, their own things that they're protecting. An information security professional's responsibility, if you break it down just to its most essential part, is information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation, but sometimes other organizations. Their job is to protect stuff, whether that stuff is digital or whether that stuff is physical, doesn't necessarily matter, but the point is, is that when a security professional acts, they're acting in the interests of their sponsor, protecting their sponsor's stuff.
Adam 05:39
Now, that's a little different than your privacy professional. I would argue that a privacy professional is protecting something different. The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity. The privacy professional is protecting a certain standard of ethics, a certain level of morals that they are governed, of course, by laws and regulations, but also just by good old-fashioned customer service. Do unto others as you would to yourself. And the idea is, or the difference is, that privacy professionals are looking at a different constituency when they are thinking about protection than the security professional. A security professional tends to look inward, protecting the property of his or her sponsor, whereas the privacy professional is protecting the agency of individuals when those individuals interact with an organization. Frankly, the power imbalance is substantial between the corporation and the individual. Privacy professionals serve as a bulwark to protect the individual against the accesses of the corporation.
Allan 07:06
That's a really interesting way to look at it because I've been in the situation before as a security professional where the company orders unto me, "Thou shalt protect our intellectual property, thou shalt protect us from brand damage and reputational harm," and one of those is automatically and intrinsically then, "Thou shalt protect our customers' data," right? You never want to be the corporation whose partner, customer, or employee data got leaked, you never want to be that person. So, I would argue there is still some overlap there in the sense that, yes, I'm protecting those individual things when I'm operating under those privacy rules, as opposed to those security rules, but from a strictly "protect my entity" perspective, I am in fact, also jointly protecting both, right? By protecting the employee data, I am protecting the company. By protecting the customer data, I am protecting the company.
Adam 07:49
That's exactly right, and that's a very good way of explaining both the relationship. Why these two functions need to live very close to each other, but also, why these two functions are a little different. Because it's really the purview, it's really what is being protected at the end of the day, whether you're talking to a security professional or a privacy professional. And therein lies, I think, some of the disconnect, because by virtue of the fact that security professionals are in place to protect the property of their sponsors, they may not always be thinking outwardly towards the property or the agency of the individual.
Allan 08:30
And I guess, at the end of the day, it's first order and second order concerns as well, right? That's kind of what I'm describing. Okay, so information security professionals then, differing in that key way, and I'll go with your definition. I like that it's a matter of the sponsorship in the agency, let's go with that. So, what is it that an information security professional needs to know about privacy? Like, I kind of alluded to it in the last question, but not just what they need to know, but what they need to be wary of, right?
Adam 08:58
Yeah, I think the most important thing that information security professional needs to understand about privacy is that many, if not most of the solutions to privacy problems, are not technological. They are process. They are administrative in nature. They're about establishing rules and enforcing those rules within organizations. Now, yes, you can use technology to help you enforce certain rules, but at the end of the day, it comes down to individual behaviors in the workplace, and the individual decisions that executives make within the workplace.
Allan 09:35
Okay, so, I guess one thing we're seeing right there is, from a security leader's perspective, they're gonna get better bang for their buck aligning GRC with privacy over aligning the tech stack with privacy. Because, to me, GRC focuses on people and process more than tech stack, because obviously that's focusing on tech stack. Are we kind of going that way with?
Adam 09:54
Well, yes, I think so. GRC has an important place in this equation, both for security and privacy professionals. However, I would argue that privacy is a little larger than simply complying with this or that law, or reducing this or that risk. I believe that privacy is a means towards trust and confidence. When we want to sell something to somebody else, we are going to have a heck of a time selling that individual something if they don't trust us first. Privacy is that means towards gaining and maintaining the trust and confidence of those stakeholders who interact with us, whether customer, partner, or other stakeholder.
Allan 10:42
Got it, okay. I'm gonna argue security has got some higher mission and higher cause there as well, but I see your point. I get where you're going with it. Okay, so, standards and frameworks like SOC 2, you alluded to these earlier, where both privacy and security are required. HIPAA gets into this, SOC 2 gets into this, PCI even gets into this. In fact, most of them nowadays, from a security perspective, always have at least a splash of privacy, and I think most of the privacy rules, even GDPR, has a splash of security, right? What should be the battle plan, right? If you're given a framework or a regulatory situation, and you've got to do both, what's the battle plan? How do we address them both?
Adam 11:16
I think, at a high level, the battle plan ought to be to avoid battling in a vacuum. The information security professional should seek collaboration with other important functions within the organization. If we are talking about privacy in any way, shape, or form, in some assessment that we're doing, we need to think about the things that impact privacy most acutely. The way we market our wares, the way we sell our wares, the sorts of ways we communicate with our stakeholders, customers, partners, whomever. These are key points of information necessary to make informed decisions about which direction to take from a privacy slash security perspective. When we're thinking about security, it is very efficient and usually quite effective to focus on risk. When we are contemplating how to address this or that framework, such as SOC 2, for instance, where we look at a requirement in SOC 2, and we say, "Oh, we're not there yet, we're not doing it, and it's going to lead to this level of riskiness, and therefore we need to do X to address that."
Adam 12:27
That's one element of a SOC assessment, but if you are getting into features that start to span into the world of privacy, we need to start thinking about the squishier subjects. Customer service, marketing, communications, all those sorts of squishy soft subjects, that may not be appealing to a lot of folks, but in the privacy world, that is where they live, is in the squishy shades of gray topics, which is— I forgot to mention this earlier, but that is, in my view, one important distinction between the world of privacy and security, is that security tends to find itself most comfortable in a world of yes or no. Is it protected or not? Whereas privacy is more focused in shades of grey. To what degree is this thing that we're doing going to potentially impact the privacy of whomever we're talking about? Customer, constituents, so on and so forth. There are, in fact, in those professions, you'll see two very distinct skill sets of folks that are in security versus folks that are in privacy, that are well aligned to those needs to both think in black and white, as well as think in shades of gray.
Allan 13:48
I'm sitting here thinking of things like CMMI, and COBIT, and ITIL maturity overlays, and thinking in terms of all the areas where security isn't so black and white, but I think I get your point. I think the squishiness factor and the gray factor are greater for privacy than they are for security, but I would argue there's still some gray in security, too. Is it secure enough? Okay, so we got encryption on the critical fields, but we don't have full disk encryption. Yeah, we'll do that next cycle. Do we have EDR? Yeah, but not on every host. So, right now we've got some firewalling around these key hosts. Like, there's always those mitigations, those compensating controls that represent the gray area for security. But I think to your point, maybe security folks feel a little uncomfortable with compensating controls and would much rather have it be "check the big box that it's secure and move on." So, I think you're right, I think there's more gray and more squishiness over on the privacy side of the fence, but to be fair, we've got gray over here on the security side, too, right?
Adam 14:38
I get it and I completely agree with you.
Allan 14:42
Let's pause right there and hear a brief word from our sponsor.
Ron 14:45
When it comes to IT and security: we can all agree on two things: Complexity is increasing and the manual asset inventory approach no longer cuts it. It's time to adapt, and that's where Axonius comes in. Axonius correlates asset data from existing cybersecurity and SAAS solutions to provide an always up to date inventory, uncover gaps, and automate actions, giving you the confidence to control complexity. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour.
Allan 15:28
Alright, so, if we've got all these shades of grey, and we've got this mutual battle plan of— First of all, don't battle in a vacuum, second of all, don't battle with each other, right? Security and privacy working hand in hand. Kumbaya. What do we think next steps are? Let's imagine we get hit with a SOC 2 and now, privacy and security are sitting at the table. What are some concrete steps these guys are going to take? Security and privacy both, as a coordinated and cooperative effort, do you divvy up the framework? Do you say, "Privacy team, you handle the privacy requirements. Security team, you handle the security team requirements?" Because it seems to me that overlap and intersection, it seems that you can't be as divisive as perhaps the standard makes it seem. Here's your security section. Here's your privacy section.
Adam 16:09
That's a great question, and it's not an easy answer, as you would expect. Not every organization has the resources or expertise internally, to separate out a bona fide privacy person from a bona fide security person. There are many, many circumstances that we see where you have one individual who has been tagged. You're it, you're the privacy and security guy, or security and privacy guy, whichever way it comes. A lot of that is, in addition to resource constraints, it could be a misunderstanding at the executive level of the differences between privacy and security and where they have a need for two different skill sets. But that all withstanding, I see it being a joint effort between the privacy and security professionals when trying to tackle an assessment like a SOC 2, with privacy added on. Now, SOC 2 is a great example because it makes it pretty easy to separate the privacy from the security because it says so in the SOC 2, it's in sections, right, and so, that's an easy one.
Adam 17:15
Not every one is as simple, but I think that there is an equal place at the table for both parties. What they need to have is mutual respect for each other. The privacy folks need not view the security professional as merely some sort of an IT nerd who can only speak in bits and bytes, and the security person need not only view the privacy person as some sort of squishy, legal soft subject, policy wonk. There needs to be some mutual respect between the two parties, and importantly, I think that each party can and ought to learn, not only from each other, but just in general, they should learn each other's profession to a certain degree. Privacy people ought to get into some of the technical gobbledygook that we see in the security world, and the security people should have a better understanding of what and how and why the privacy people worry about the stuff that they worry about. It comes down to looking outside of your own backyard, and having a willingness to understand other people's points of view, of course, and to embrace it versus fight it. With that sort of attitude, an assessment, such as a SOC 2, should be a relatively smooth exercise, where both parties are feeding off of each other, both parties recognize the expertise of the other, or each party recognizes that, and it feeds into a larger goal, which is the completion of that activity.
Allan 18:50
Okay. So, one of the ways I know I'm winning as a CISO, right? People talk about: What are your criteria for knowing you're doing it right, knowing you're running a good program? As a security professional, a security leader, one of the ways I know I'm winning is people start coming to me and saying, "Hey, I was thinking about doing this over here and that over there, and then it occurred to me, there might be some security implications. So, here I am talking to you, Mr. Security Professional, before I actually pulled the trigger on whatever cockamamie scheme or brilliant idea, or whatever it might be that I was up to." I assume there's kind of an analogue in the privacy world, and I assume part of what this cooperation you're talking about is maybe even the security people starting to clue in and proactively be like, "Hey, I was gonna do the thing, but what about privacy?" Is that a tell for you when you know you're succeeding? Who in the organization are you looking for, to start alerting on these privacy things and coming to you proactively?
Adam 19:38
Yeah, that is a great point. I do view that as a key indicator of success. When we have people that you didn't expect to come to you with a problem suddenly saying, "Hey, you're the privacy person," or, "Hey, you're the security person. I was just thinking about this thing that we're doing, and it kind of makes me feel a little uneasy. I just wanted to bounce some ideas past you." And I'll tell you something, I know for a fact that folks in security love it when folks that don't normally come to talk to them are starting to talk to them, because that means that they've actually gotten through to somebody, where they otherwise may not have. And, you know, that can apply, of course, to the privacy folks as well. A lot of it comes down to the way one presents him or herself in the workplace. What I mean is to present oneself, not as "I do privacy and that's all I do," or, "I do security and that's all I do," but rather to say, "I'm in it for the big picture. I want to protect both my sponsor, aka the company, and I want to protect individuals, because I happen to be one of those people myself." And when you're thinking in that way, at that sort of meta level, I think that really serves the individual well in the workplace, whether privacy or security professional.
Allan 20:57
Yeah, it's interesting that we have— I'm thinking of security awareness training, and privacy training, right? Every company, every big company I've ever worked for has both, but it's interesting to me that security includes the word awareness, and privacy almost never does, right? In other words, we want you to be more aware of the dumb things you might do and the smart things you might do and the implications of what you're doing and how that will impact security, we want you aware. And for privacy, it's like, these are the rules, these are the regs, note and acknowledge here that you've absorbed them, right? They don't incorporate the word awareness, and I wonder if that's a flaw in our thinking with privacy versus security, if we don't have some sort of need for, "Hey, guys, here's why privacy matters." To your point, I'm one of those people myself, right? Getting that stakeholder buy-in, getting that interest from the community, getting them to recognize they have skin in the game. Why isn't there privacy awareness training, right?
Adam 21:50
Yeah, well, I'll tell you that perception of privacy not providing the gray area, as it were, with the awareness versus that privacy telling you "this is how it's done," that's an interesting perception. It's a regrettable perception. I know, from my standpoint, I treat the two subjects the very same way. It's awareness regardless. Now, the awareness might be a little different. What I mean is, in security, we tend to want to make people aware of the sorts of mistakes that they can make that will get the company in trouble, or get themselves in trouble, or both, right? "Don't do this. Because if you do it, it may cause a breach and oh, terrible things will happen and blah, blah, blah." Now, in the privacy world, the awareness is something just a little different. In my view, it is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual. And so, instead of asking questions about avoiding dumb stuff, it's rather asking questions about: Are we selling our wares in a way that potentially endangers the privacy of individuals? Are we marketing our wares in that way? And more importantly, are we thinking about privacy in terms of trust and confidence? Or, are we thinking of privacy in terms of simple compliance with this or that law? I would argue that anybody who approaches privacy as merely a function of complying with this or that law is doing it wrong. They're missing an opportunity, because privacy, in my view, is a customer service issue. It's how customers want and expect to be treated by the companies that they do business with. They don't want surprises, they want to maintain a certain level of agency. They, meaning the customer. The customer, or the stakeholder, wants to know that he or she has at least a modicum of control of the information that they hand over willingly, or unwillingly, to the companies that they do business with. And so, it's looking at the question from awareness from a slightly different angle in my view.
Allan 24:16
I get it. Yeah. So, okay, that's interesting that it is so compliance-oriented, in my experience, and that brings me to two more questions that are kind of the same thing. So, I've been the security guy tagged with privacy. To your model, in some organizations, congrats, you're both, right? And I've also been the security guy working in conjunction with a named privacy lead who was not me, thank goodness. General counsel sometimes, actual Chief Privacy Officer if the company is that mature and that sophisticated in that realm. And so, I learned early that as a security person, even deconstructing GDPR and saying, "Well, these are the technical controls I would administer to help fulfill these requirements," that I not be the one interpreting those requirements, that is best done by someone besides me, the security professional. I had to recognize I'm not qualified and I'm in over my head. I went to the boss who tagged me with both of those labels at the same time and said, "At a bare minimum, we need some outside counsel to come in for a few hours and meet with me, because I'm reading this stuff and I'm now interpreting law." And it struck me that I'm over my skis here, this is crazy for me to be doing this. I can work with an attorney, or a chief privacy officer, or a general counsel, whoever it might be and say, "Okay, you tell me, what does this actually mean? And what are they actually requiring? And what are the rules and regs that we are going to choose?" Because every bit of law is interpretation. I'm sorry, I don't care how crystal clear they think they wrote the legislation. There's always room for interpretation, and you need somebody to make that hard call of, "This is where we draw the line." Okay, if that's where the line is, and that's my target as a security guy, I can take it from here. I know what technology gets me to that line, right? And so, that's the caution I've learned in going through this exercise. The piece I'm interested in, and the two questions I have for you kind of around this is: First of all, do you agree that there's a line the security person shouldn't be crossing here and that there's danger and risk there? And then, the second question is: As somebody who is monitoring and managing this stuff, how the heck do you keep up with the myriad privacy laws that are constantly coming out, it feels like every other month?
Adam 26:15
I'll answer the second question first, because that's easier. You don't. You don't. The leading organization for privacy professionals, which is called the International Association of Privacy Professionals, or IAPP, it's the gold standard organization for the privacy profession. That organization provides a tremendous amount of resources available to privacy professionals, including keeping up with this and that law, the changes in the law, at an international level. So, too, do law firms provide that. Many, many large law firms provide free blogs and other sorts of informational services that help people like me stay on top of the changes. Outside of that, you do need some pretty expensive tools to stay really close to the changes in law as it's happening, which not every privacy professional has access to. And so, for the everyday privacy professional, it's really just kind of keeping your ears open and staying on top of the key headlines, and just staying abreast of that information. Once you are forced then to dive into the details of a given topic, then at least you know where to find it.
Allan 27:26
Okay. Alright, so that ties into my first question, then, which is: Can the security professional relying on those outside resources, say they interpreted and they drew that line in the model I described where the line must be drawn here? Do we feel like a security professional can get away with using those outside resources? Or, should they still be seeking someone else?
Adam 27:44
Well, to give you a lawyerly response, it depends. It really depends on the skills that the security professional brings to bear. If the security professional is not a particularly strong writer, or reader of very esoteric materials, then probably not. But if the security leader is rounded and is equally adept at technology as they are with humanities and the squishy subjects, then quite possibly. Now, there is a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court, from either a contractual standpoint, or from just tort actions. That is where we really need the expertise and the authority that a lawyer brings to the table.
Adam 28:47
However, I will argue strenuously that there are many, many privacy professionals, who are not practicing attorneys, who are absolutely adept and very competent when it comes to interpreting and operationalizing this or that security privacy requirement within the organization, because of what you said. It is, it's just an interpretation, and if you're talking about regulation, frankly, the only body that can formally interpret that regulation is the regulator themselves. And you don't want to be in that position. You want to avoid being in that position and so, you make your best efforts to interpret whatever that reg or whatever that statute is saying, in a way that makes sense for your organization, but you need to have a spidey sense to know when the line is drawn and when there is a cut off between operationalization (it's a big word) and interpretation.
Allan 29:52
Get up against that "I'm nervous" line, and that's when you go upstairs and say, "Hey, outside counsel, even just four hours, here's my eight points of nervousness." Okay, so my next question was going to be: Which do you prefer to work in, security or privacy? But I think I know the answer to that one.
Adam 30:08
Actually, I enjoy both worlds. I will say that my personality is more attuned to the world of privacy, because I tend to think in big, fluffy clouds, Venn diagrams, how things connect to each other from a 3-million-foot view. That doesn't always serve me well in the world of security, but I do like security as well. I like what security brings to the table. I like what privacy brings to the table. So, I'll say both, with a little edge towards privacy.
Allan 30:36
Alright, I'll take that answer. Okay, so, final question. This is what I ask every guest and this one is going to be slightly unique for you, because I'm going to add "or privacy" to this sentence. Normally, it's just the word security. If you could wave a magic wand, and change any one thing in security or privacy, what would it be?
Adam 30:52
I'll stick to privacy, and I will reiterate what I said before. I believe that organizations do themselves a disservice when they treat the topic of privacy as merely a regulatory headache. I believe that privacy is a means towards differentiating oneself in the marketplace. I believe it is a means towards improving the client experience from start to end. I believe that privacy is a key element of the golden rule that we all follow. Do unto others as you would to yourself. I see far too many instances of privacy being treated as merely a regulatory headache, for which we adopt the absolute least that we have to do to meet the spirit of the regulation, and nothing more. That kills me because I see a lot of organizations losing opportunity as a result of that.
Allan 31:50
I get it, and you know, it's funny, because in the security world, there are two mantras that we all say, or at least us modern CISOs do. One is security is more than compliance, right? You have to be wary of the frameworks and letting them dominate and dictate everything. Security is more than compliance. And then, the other mantra is: Align with the business, align with the business, align with the business. And what I just heard you say was essentially those same two things for privacy. Alright, well, Adam Stone, Chief Privacy Officer at TrustMAPP, thank you so much for coming on down to the Ranch. Thank you, listeners. Y'all be good now.