Why Privacy Matters in Cybersecurity | Ep 32

00:01

breaches and cyber security incidents

00:03

are making headlines every day what are

00:05

you doing to be prepared

00:07

welcome to the tripwire cyber security

00:09

podcast brought to you by tripwire the

00:12

show that explores cyber security for

00:14

the enterprise and how to identify and

00:17

protect against cyber threats before

00:19

they happen

00:20

listen for techniques and best practices

00:22

to harden your defenses against hackers

00:25

now here's your host tim erlin

00:29

welcome everyone to the tripwire cyber

00:30

security podcast i'm tim erlin a vp of

00:33

strategy at tripwire and today i am

00:36

joined by jarel oshody who's the deputy

00:39

chief privacy officer at the cdc i am

00:42

glad that you are here so on this

00:44

podcast um we generally talk about cyber

00:47

security information security which is a

00:49

pretty broad topic and that that that

00:52

topic can include privacy but i think

00:55

there is really a distinction between uh

00:58

privacy and security when you sort of

01:00

get down to the the details that they're

01:02

they're pretty distinct and uh the two

01:05

disciplines security and privacy don't

01:06

always align with each other so i'm i'm

01:08

excited to have you here to talk a

01:10

little bit about the the privacy side of

01:12

the the larger cyber security industry

01:15

um and i wanted to start with maybe just

01:16

that a topic of understanding what the

01:18

difference is so jarrell from from your

01:20

perspective how do you see privacy and

01:22

security as as different how are they

01:24

distinct

01:26

well with security um i should say with

01:30

the security professionals that i work

01:32

with they're

01:33

generally

01:34

concerned with the what they call cia

01:38

the confidentiality integrity and

01:40

availability of data so you know they

01:42

don't want they want to make sure it

01:43

doesn't get in the hands of bad actors

01:45

they want to make sure it doesn't get

01:46

tampered with um they want to make sure

01:49

that it's available when we need it and

01:51

those are the things that they um tend

01:54

to focus on however um

01:56

as a privacy professional i are we tend

02:00

to focus on um

02:02

the rights

02:05

the rights that individuals have to

02:07

control their personal identify

02:08

information and how it's used um so

02:13

um basically

02:14

as a security professional they may

02:17

feel like

02:18

uh you know we've guarded against these

02:21

malicious threats

02:23

um and that like um

02:26

but and on the privacy side we're more

02:28

so focusing on the life cycle of data

02:32

how the personal information is

02:33

collected

02:35

shared used

02:37

destroyed

02:38

retention policies

02:41

things like that when it comes to

02:43

not just information but

02:45

information that includes personal

02:48

identifiers and so if i i mean if i

02:50

think about that as sort of you know two

02:53

over you know a venn diagram with two

02:55

overlapping circles

02:57

um you know security as you say is

02:58

focused on bad actors i mean privacy

03:01

obviously cares about bad actors as well

03:03

if they're

03:04

you know violating the the the privacy

03:07

rights that are you know of concern and

03:09

and security i would think cares about

03:12

some of the privacy aspects um because

03:14

obviously if you if you fail to protect

03:16

the data it can then fall into the hands

03:18

of bad actors definitely but keeping

03:21

personal data away from hackers doesn't

03:23

automatically make an organization

03:25

compliant with data privacy regulations

03:27

if that makes sense yeah that makes

03:29

perfect sense and i always um i always

03:31

that always makes me think back to the

03:33

the payment card industry the pci data

03:35

security standard

03:37

um which is a a security standard but um

03:40

when you dig into it you you have to

03:41

remember that it's there actually to

03:44

protect the the card brands not the

03:47

organization so understanding the

03:48

motivation behind the controls and

03:50

protections in place

03:52

even if they're the same is really

03:53

important it changes what the the

03:54

objective is like yeah yeah most

03:56

definitely and in privacy we definitely

04:00

especially with regards to privacy

04:02

impact assessments or what some people

04:04

may call

04:06

data protection impact assessments we

04:08

are definitely looking at the controls

04:10

we're looking at technical

04:11

administrative physical controls or

04:13

questioning them

04:15

making sure um

04:17

we are collaborating with security

04:19

professionals to find out like hey what

04:21

do you think about these technical

04:22

controls because you know i'm not as

04:25

well versed as

04:27

my counterparts so um it's definitely

04:30

collaboration

04:31

um more than anything

04:32

well so so let's talk about that that

04:34

role a little bit um of a privacy

04:36

officer you know uh because it's

04:39

different from being a security analyst

04:40

as we've talked about what is your your

04:43

job as a privacy officer

04:46

it encompasses a myriad of things all

04:49

identifying um pii so when it comes to

04:53

mapping data or i actually shouldn't say

04:56

mapping data because i know in the

04:57

security world that

04:59

means something else so just keeping

05:01

up to date with our data inventory

05:04

um

05:04

implementing privacy by design so we we

05:07

want to be we want people to reach out

05:09

to us and contact us to ask us questions

05:12

and guidance

05:13

um when new products

05:15

are being thought about or new systems

05:17

are being thought about we want to be

05:19

reached out to in the beginning because

05:21

we want privacy to be embedded into the

05:24

entire process we don't

05:26

when we're contacted after the fact

05:30

we realize holes we realize gaps realize

05:33

things where

05:35

data privacy wasn't taken into

05:36

consideration and you know it cost more

05:39

money to go back and fix something than

05:41

to basically be included throughout the

05:43

process

05:44

also

05:46

notifications are a huge

05:48

deal so

05:50

no making sure employees third parties

05:52

uh customers

05:54

are notified or given cons the

05:57

opportunity to consent with the

05:59

opportunity to withdraw consent um

06:02

also just

06:03

uh

06:04

developing privacy operations all

06:07

together from trainings um

06:10

annual trainings

06:12

uh tabletop exercises uh contracting is

06:17

a big part of it as well

06:19

especially when personal identifying

06:21

information is involved we want to make

06:23

sure

06:24

even with a

06:26

data use agreement we're sharing

06:27

information for research or what have

06:29

you we still want to make sure that

06:32

the party we're sharing information has

06:35

the proper controls in place and they're

06:37

going to take as good care of

06:39

this data um

06:41

just as we would and and they aren't

06:44

going to share it with other people um

06:46

we want to just make sure that

06:48

risk assessments are done so as i spoke

06:51

about pias we want to make sure that

06:54

when a new

06:55

system is being developed we're doing a

06:57

pia but also when that same system

07:01

decide our authorities decide hey we're

07:04

going to use the same system but we're

07:06

going to collect a different type of pii

07:09

or more pii or we're going to use the

07:11

same pi but for a different purpose

07:14

um you know what i mean it may

07:17

you may have a system where no social

07:19

security numbers were involved and now

07:21

we're going to be adding

07:22

we're going to be collecting ssns now so

07:24

that requires different controls

07:27

or um you were going to be using the pi

07:30

for a different purpose

07:31

that requires different consents that

07:33

requires what they call fresh consent

07:36

things like that and also collaborating

07:38

with the security function when it comes

07:39

to data incident response

07:42

so um our security

07:46

department they incur different types of

07:48

data incidents and breaches

07:50

but we may not be needed if it doesn't

07:53

involve

07:54

personal identifying information but if

07:56

it does

07:57

we're immediately notified and we have

07:59

to

08:00

mitigate those risks and determine how

08:02

notice should be given um

08:05

to those affected uh things like that

08:08

and

08:09

more

08:10

more so related in the government sector

08:13

we have the system of records notices

08:16

and those are published in the federal

08:17

register so if we do have a system of

08:19

record a system of record is basically

08:22

just a system where

08:24

um

08:25

information is retrieved

08:27

by using uh some personal identifier

08:31

like a social security number

08:33

or something like that so if

08:34

um if it's considered a system of record

08:37

then we have to

08:39

provide notice to the public allow a

08:41

30-day comment period in the federal um

08:43

before it's

08:45

allowed and then we have these routine

08:47

uses

08:48

for these systems

08:50

that allows us to utilize people's pii

08:53

to do our job to do the job that the

08:55

system was created to do

08:57

um

08:58

to process information or what have you

09:01

uh so i mean it's a it's a myriad of

09:04

yeah there's a lot

09:05

yeah i'm i could go on but

09:08

um

09:09

yes definitely so we're working with all

09:12

the business units privacy is involved

09:15

uh we're not siloed at all

09:18

anywhere there's pii basically exactly

09:20

so marketing

09:22

uh finance

09:24

hr

09:26

research and development

09:28

uh you

09:29

name it pii is likely involved

09:32

but and honestly we would love to

09:34

minimize the use of data that's like our

09:36

main goal

09:38

yeah yeah shrink the environment as much

09:41

as possible yeah so that's so is it

09:43

highly valuable for you to have sort of

09:45

cross-functional knowledge of how those

09:48

different functions operate in order for

09:49

you to do your job more effectively it

09:51

seems like it would be it's important to

09:54

have cross-functional knowledge but it's

09:56

more so important to have

09:59

cross-functional relationships

10:01

because i don't know everything i'm not

10:04

interested in knowing everything but i'm

10:06

interested in having relationships with

10:09

all of these different business units um

10:11

making sure they know that

10:13

my door is open the lines of

10:15

communications are always open and based

10:18

on um privacy by design please reach out

10:21

to us please let's talk about this um

10:24

you know i mean you're not bothering me

10:26

if anything you're making my life much

10:28

easier

10:29

and also creating privacy champions with

10:32

these people and these different um

10:36

in these different

10:37

areas um

10:39

as i impart knowledge on them

10:42

they can because you know

10:44

in many organizations the privacy unit

10:46

is

10:47

generally a small

10:49

uh

10:50

group

10:51

you know tasked with doing more with

10:53

less and so the more privacy champions

10:56

you have the more

10:57

trainings you can do

11:00

the less risk for human error uh

11:04

incidents

11:05

uh things like that and they get they

11:07

notice they see how

11:10

as we work together more we can create

11:13

faqs we can create uh

11:16

flowcharts things like that where they

11:18

don't necessarily have to reach out to

11:20

us as much because they are um empowered

11:24

by the knowledge that they have

11:26

because of our relationship

11:30

[Music]

11:32

you are listening to the tripwire cyber

11:34

security podcast thousands of

11:36

organizations rely on tripwire to serve

11:39

as the core of their cybersecurity

11:41

programs why because we detect

11:43

suspicious activity before it becomes

11:45

breach

11:46

our systems work on site and in the

11:48

cloud define monitor and minimize a wide

11:52

range of threats with deep system

11:54

visibility and automated compliance we

11:56

help you shorten the time it takes to

11:58

catch vulnerabilities and ensure your

12:01

organization is following the absolute

12:04

best practices in cyber security today

12:07

for more information visit tripwire.com

12:10

that's tripwire.com

12:16

when we talk about cyber security like

12:17

security analysts there's often a you

12:19

know sort of a technical background

12:20

there it's pretty common for people to

12:22

move from

12:23

uh you know sort of an i.t role and then

12:25

they become interested in security and

12:26

they move into a security role from

12:28

there that's a you know today there's a

12:30

you know educational career path that

12:32

people can take but in the past it was

12:33

off an i.t

12:34

your background hover is in in law as

12:37

opposed to

12:39

technology is that right

12:40

yes i am not

12:42

i am not technical at all um i rely

12:45

heavily on um

12:48

so we have our technical privacy

12:50

analysts and we have um

12:53

more so our

12:55

compliance privacy analyst um so

12:58

it's a team effort i definitely you know

13:01

i am an attorney i know the law

13:04

i know how to apply the law

13:06

operationalize the law um but also i

13:09

know how to be resourceful

13:12

and uh

13:14

leverage those that do have the

13:16

technical backgrounds to translate

13:19

uh what i would like like to implement

13:21

they can

13:22

though there are translators between the

13:25

technical um

13:26

and the compliance

13:29

so for someone who's interested in

13:31

privacy as a career is that law

13:33

background a requirement is it just

13:35

um particularly helpful or is it that

13:37

they're as you sort of were describing

13:39

there are two disciplines there's a

13:40

technical side and a legal side oh no

13:43

yeah it's definitely not required i mean

13:45

there's privacy counsel council

13:48

so those are generally attorneys people

13:50

with legal

13:51

background they call jd adjacent or

13:54

legal adjacent type positions also

13:57

privacy compliance where jay-z helps

14:02

there's also

14:04

a new growing field there there's

14:06

actually a new

14:08

um

14:10

certificate for it

14:12

but the privacy engineers

14:14

privacy engineers is

14:16

that field is growing they are basically

14:19

uh

14:22

they are the tech people who are the

14:25

translators

14:27

yeah yeah they're the best of both

14:29

worlds if you ask me

14:31

um but then there's and then we have the

14:34

security and the people who are more

14:36

technical or someone that may have their

14:38

cissp

14:40

or something like that

14:41

um

14:42

may not be able to

14:44

uh communicate as easily with someone

14:47

like me who has my who you know i may

14:50

speak legalese and the privacy engineer

14:53

is the perfect middle person

14:56

uh to help uh get the job done

15:00

yeah to split that difference or provide

15:02

that as you said that translation

15:04

of the the legal language into the

15:05

technical implementation

15:08

so you you obviously work at a you know

15:10

large government agency but privacy

15:12

isn't something that's exclusive to to

15:15

government so

15:17

what are sort of the key differences

15:18

between privacy considerations for

15:21

a government agency versus a you know a

15:24

commercial organization

15:26

well um

15:28

so for instance in the government

15:31

the privacy act of 1974 is

15:36

the main law that we follow and

15:38

operationalize and

15:40

under it you know that's that required

15:42

that's why

15:44

the under the privacy act or under

15:47

privacy like there's the ego

15:49

um

15:50

act and

15:53

that states you know for every system a

15:56

privacy impact assessment is required um

15:59

those system of records notices i spoke

16:02

of are required um people can um

16:07

request information that the agency has

16:09

on them

16:11

in a system of record through a privacy

16:13

act request and where to respond in a

16:15

certain number of days

16:17

um on the other side in the private

16:20

sector

16:22

there's

16:23

all of these sectoral privacy laws state

16:26

privacy laws um other countries they

16:29

have their own

16:30

privacy laws

16:32

and they

16:33

they have the same principles but for

16:35

instance uh data subject access requests

16:40

and

16:41

under in the private sector

16:44

states like california or

16:47

like gdpr they have a long list of

16:50

individual

16:51

rights

16:53

that they have with organizations so

16:55

they can request access

16:58

deletion correction

17:01

they have a long list of

17:03

requests that they can make and there's

17:04

they also have a certain amount of days

17:06

that

17:07

those things must be completed um

17:10

there's all but there's no

17:12

system of records notices required or

17:15

things like that there's no uh need

17:18

there's no mandate that a privacy impact

17:20

assessment must be completed for every

17:23

system that a company has generally i

17:26

know with gdpr

17:28

dpia is only required

17:31

uh when sensitive pii or high risk pii

17:35

is involved uh things like that those

17:38

are uh

17:40

differences

17:41

of the obvious differences

17:43

um that i see and and also with

17:47

contracts

17:48

uh the contracts and the private sector

17:51

i know that

17:52

um

17:54

there's less red tape um

17:57

many of the because there's no

18:00

federal privacy law

18:02

i mean every state doesn't have a

18:04

privacy law lots of the data protections

18:07

that are in place are contracted there

18:09

are data protection clauses involved

18:11

that um that are mandating uh how data

18:15

is protected shared used destroyed

18:18

things like that

18:20

so the privacy act of 1974 obviously

18:23

predates

18:24

much of the technology that we're using

18:26

today but it still provides the

18:28

foundation for

18:29

the privacy requirements and practices

18:31

that are

18:32

you know that we apply today in you know

18:34

our sort of much more connected world

18:36

um was the the second piece that you

18:38

mentioned in there sort of an update

18:40

that allows

18:42

updates the law to apply to the current

18:44

technology how does that work actually

18:46

that's fascinating well actually the

18:49

privacy act um is based on

18:52

the i believe it's the fair information

18:55

practice principles

18:57

and

18:58

the fair information practice principles

19:01

are actually

19:02

what

19:04

i personally feel

19:06

all of these privacy laws are based upon

19:09

um the are you familiar with the effect

19:11

with that

19:13

no well no i'm gonna say yes but you

19:15

know for the benefit of the the

19:16

listeners that you should explain it

19:18

so yes the whole um the collection

19:21

limitation

19:22

data quality

19:24

purpose specification

19:26

where you need to you know state the

19:28

purpose or the reason that you need pii

19:31

the use limitation

19:34

saying you can't disclose it or you

19:36

can't collect it for one reason and use

19:38

it for another the security safeguard

19:40

principle the openness principle

19:43

uh the individual participation

19:45

principle that's just all of the rights

19:47

that individuals have with regard to

19:50

their information

19:51

and the accountability principles and

19:53

that's saying that the person who is

19:55

controlling my data has to be

19:57

accountable by you know complying with

19:59

whatever reg or measures are in place um

20:02

so

20:03

though the um fibs is really what uh

20:08

all privacy laws are based on but yes

20:10

the privacy law of 1974

20:14

i find it interesting that

20:15

um

20:16

10 years ago when i

20:19

was handling privacy access requests for

20:22

individuals and four-year requests for

20:24

individuals

20:26

now i see all of i always

20:29

i always i felt like i was speaking

20:31

another language

20:32

when uh

20:34

people my friends were in the private

20:37

sector and didn't

20:38

uh they would they just were like they

20:40

didn't they weren't aware of how much

20:43

or how many rights we had with regard to

20:44

our personal information and now

20:47

many of them with these the data subject

20:49

access requests in the private sector

20:51

they get it

20:52

so

20:53

yeah and it seems you know from an

20:55

external perspective

20:57

it seems like gdpr was really sort of a

21:00

a watershed moment for

21:02

changing the public perception of

21:05

you know sort of uh

21:06

data data rights 100

21:09

people didn't even know that

21:11

uh

21:12

that was a thing

21:14

you know what i mean and it also

21:16

caused

21:18

it also caused companies and

21:20

corporations

21:22

to

21:23

um manage their data better because if

21:26

it was mapped properly

21:28

you're able to you know if it's created

21:31

in a way back to privacy by design

21:34

uh is created in a way

21:36

to where if you need

21:39

all the information on jarrell oshody

21:42

it's the data's mapped in a way that you

21:44

can see with systems

21:47

uh

21:48

and you know and you're able to carry

21:50

out that action or carry out that

21:52

process

21:53

yeah if you're required to to be able to

21:56

delete all the data on an individual you

21:58

better be able to find all the data on

21:59

that individual exactly and that's how

22:01

it starts that's why uh data inventory

22:03

is the very beginning you can't manage

22:06

what you don't know you have yeah yeah

22:08

which is you also can as far as data

22:10

incidents and data breaches yeah

22:13

it's an interesting corollary to the the

22:16

security phrase you can't you can't

22:17

secure

22:18

uh you know what you don't know you have

22:20

as well and same same is true for data

22:22

and privacy yeah

22:23

definitely and yeah they definitely uh

22:27

overlap most definitely

22:30

[Music]

22:32

you are listening to the tripwire cyber

22:34

security podcast thousands of

22:36

organizations rely on tripwire to serve

22:39

as the core of their cybersecurity

22:41

programs for more information visit

22:43

tripwire.com

22:45

that's tripwire.com

22:50

so i i want to i want to end our

22:52

conversation with maybe a sort of a

22:54

little practical advice for

22:56

uh the security folks who are listening

22:58

to security analysts and professionals

23:00

um so coming from from from the privacy

23:02

side of of the industry

23:04

what what lessons do you think

23:06

information security can learn

23:08

from privacy

23:10

it would be nice if they understood

23:13

that

23:15

we that our job isn't done

23:19

just because

23:21

we've mitigated a breach

23:24

or

23:25

just because we prevented

23:27

uh access

23:30

in a particular

23:32

place like we're always focusing on best

23:34

practices minimizing data where we can

23:40

just constant

23:41

risk assessments

23:43

when data is used in a certain way

23:47

that's that's really interesting

23:49

you you you touch there on this this

23:51

idea of sort of minimizing where data is

23:54

used as a means to

23:56

you know essentially shrink the

23:57

footprint of what you have to be

23:58

concerned about and

24:00

that seems like something that that

24:01

security could could look at um you know

24:04

sort of the the concept of minimizing

24:07

the surface area if you will

24:09

um for attack or for for an attacker as

24:12

a as a you know a means to to reducing

24:15

the amount of work um to secure an

24:16

environment yes

24:18

yes so if we

24:20

the less pii involved

24:23

the lower the risk the less

24:25

uh high risk

24:27

uh

24:28

the less risk as far like if if a system

24:32

is hacked and

24:34

all the information is

24:36

uh

24:37

and none of the information involves pii

24:41

then

24:43

the risk is a bit tends to be a bit

24:46

lower um

24:47

because companies

24:51

it's their reputation at risk it's the

24:53

trust of their clients um things like

24:57

that that it's a competitive

24:59

differentiator if you will these days

25:02

uh so the the more de-identified

25:04

information we can use or anonymous uh

25:07

anonymized information we could use the

25:09

better

25:10

i want to thank you jirel for joining us

25:11

i thought it was a super interesting

25:13

conversation i learned a lot about

25:16

privacy and what it means to be a

25:17

privacy officer

25:19

and i really appreciate you spending the

25:20

time with us oh thank you i appreciate

25:24

you asking me and i appreciate

25:25

discussing it as well because i feel

25:26

like no one knows what i do so

25:29

well now now some people do at least

25:32

and thank you to everyone for listening

25:34

uh i hope it was enjoyable and i hope

25:36

you'll tune in for the next episode of

25:38

the tripwire cybersecurity podcast

25:42

you have been listening to the tripwire

25:44

cyber security podcast join us next time

25:47

as we explore stories of people

25:49

protecting people and techniques and

25:51

best practices to harden your defenses

25:53

against hackers

25:55

we'll talk to you next time on the

25:56

tripwire cyber security podcast

26:02

[Music]

26:17

you