It’s a reality of this decade that technological innovation is outpacing privacy protections, creating a mandate to include privacy as a central component of a strong security posture. Vasu Jakkal will discuss the shared responsibility to protect privacy for all, as well as key ways you can lead, build trust, and create enduring business value through comprehensive privacy and security practices.
- Hello. I'm Vasu Jakkal. We are in an era of accelerated digital transformation and rapid advances in technology. It's exciting. I'm hopeful to see what amazing things people are able to accomplish together to technology and how technology can empower us to achieve more and live our purpose and our best lives. But it also means that we as business leaders and security professionals must be even more focused on building and preserving trust and mindful of the timeless value of privacy. Now that's not an easy task. The COVID-19 pandemic has brought on dramatic changes in digital activity. Remote and hybrid work has increased by more than 300% over pre-pandemic levels. And today people are moving more fluidly online between business and personal activity thanks to technologies that are increasingly entwined in every single aspect of our daily routines. This means more personal and sensitive information is being generated and shared across a wider area of devices and clouds. Now compounding this challenge for security professionals is this evolving cybersecurity landscape that puts data at risk. Today we are seeing a new wave of advanced attacks that are more sophisticated, more destructive and more difficult to detect than ever before. The collective result is growing concern about trust in the technologies and organizations that handle personal and sensitive data. Now more than ever before people are thinking about organizations they interact with and asking themselves, is my data secure? Is it being handled properly with care, and in accordance with the laws governing its use? And ultimately, who do I trust with my data? Now that's an important question because trust will likely be a defining characteristic of business success in the next decade, in this decade, and more. As security professionals creating a better and safer world for all now requires us to think about security and privacy in an interconnected and comprehensive way. For many, privacy is a relatively new area of responsibility and one that's garnering increasing visibility. So let's begin by taking a look at what do we mean by privacy protection? There are two primary components. One, data protection, which means protecting personal and organizational data from any unauthorized third party access or malicious attacks and exploitation of data. Now, this is certainly core to the role of security professionals including things like access control management data classification and encryption. Second, data privacy is the proper handling, processing, storage and usage of personal information. What is interesting is that the proper handling of data is now becoming an important part of the security teams function. Today, more organizations are working to ensure that employees are trained and knowledgeable about privacy, risks and requirements, especially those who are directly responsible for an organization's data and keeping it safe. In fact, increasingly security professionals are ranking data, privacy and governance as a key part of their role on par with assessing and managing risks and analyzing and responding to threats. Isn't that interesting? What this means is that along with the traditional security functions privacy has become a core competency for many teams. They're responsible, not only for keeping unauthorized people out but also for partnering with privacy teams to ensure those who are authorized to have access to data will handle it properly. Today, privacy matters more than ever. It's no surprise that privacy is becoming a top of mind issue for organizations of all sizes. And in turn for security professionals who are charged with data protection. Data has become a cornerstone of innovation, of economic growth, and of societal advancement. For many organizations, it is their most valuable asset but data generation has led in some cases to excessive data collection, ineffective security and undisclosed sharing, all of which puts organizations at risk. In a YouGov survey commissioned by Microsoft. 90% of the people surveyed said they're concerned about sharing their information. Current data also shows that consumers are making purchasing decisions based on trust and that they would stop buying from a company or using a service due to privacy concerns. In many organizations, privacy is now a board level issue. Both are recognizing that in a post pandemic world, organization obligations and risks around privacy, data protection, security and compliance are greater than ever before. And quite truthfully more complex. Today the protection of privacy is a balancing act, a shared responsibility between government, individuals and organizations. Each must respect and protect privacy. And each has a very important role to play in its preservation. Gartner, an analyst firm, estimates that by 2023, 65% of the world's population will have its personal data covered under modern privacy regulations, up from 10% in 2020. That's great news! More countries around the world are introducing modern privacy laws. That's the parody to the GDPR which has now become the defacto global standard. In the U S there's an urgent need to modernize privacy laws to better protect people and help ensure trust in technology. We at Microsoft have long been vocal proponents of national privacy laws and are encouraged by state efforts such as those in Virginia, California, and Washington that extend data protection rights to people in the U.S. and still there's more to do because today, particularly in the U.S., prevailing practices place the vast bulk of responsibility for privacy protections on individuals. Now, although this approach complies with the current U.S. law, it seems almost perfectly designed to undermine trust. The large number of websites, devices, apps that people rely on to remain connected and engaged makes it nearly impossible for individuals to navigate the privacy information overload and make informed decisions about how the data is used. So where do organizations come into the equation and what is their role in the protection of privacy? On a most basic level, organizations must adhere to all laws and regulations and be accountable for the data they handle which is why compliance is such a critical part of a strong security posture. But at Microsoft, we also believe that there are some fundamental protections that organizations are uniquely in a position to enable. We spend a lot of time thinking about privacy because we ourselves sit at the center of the data ecosystem, servicing millions of companies and helping to enable strong privacy operations for customers. As defenders of people and data, we believe in building upon legal protections with an approach that fosters trust and empowerment. Now, here are three critical areas for your consideration. First is user control and transparency. We believe in giving users control of the information they share and providing meaningful choices and how it is used. We think that organizations should be transparent about the data they use and how they use it so consumers of their products and services can make informed choices about what they wish to share. Second is data security. We believe that organizations have a responsibility to rigorously protect and encrypt personal data at every single stage of its collection or handling. And this extends to data loss prevention from both internal and external threats. Often when organizations think of data loss prevention they are thinking of security solutions that protect against outsiders getting in. That's important, but comprehensive security also requires organizations to have an inside out approach that protects against intentional or unintentional data loss from insider threats. Third, and finally, we believe in defending privacy for all. We believe that organizations bear a responsibility to legally defend the choices users make about what they wish to share, and also to continue to fight for stronger privacy protections in their own communities and around the world. After all, these protections benefit everyone. In addition to engendering greater customer trust and loyalty, strong privacy laws provide customers and companies with clear guard rails about how they can use data for responsible innovation with greater assurance. So with all of this in mind how can security teams build a comprehensive posture and not only address data security but also protect privacy and ensure that an organization is meeting its regulatory requirements? At Microsoft, we are passionate proponents of zero trust as a framework for security and privacy protection. Verify explicitly, grant least privileged access and always, always assume breach. And we think of zero trust as not only the practice of protecting against outside in threats but also protecting from the inside out. Addressing the area of compliance includes managing risks related to data and privacy in order to help organizations implement strong security and privacy protections across the entire digital estate. Now, the great news is that today security teams have access to more security compliance management and identity tools for protecting privacy than ever before. From protection and governance, for identities and data to insider risk protection, data loss prevention and risk management. Investments in these tools and technologies not only reduced risks associated with privacy and data loss they can also help to drive business growth. Industry studies show that companies are realizing a meaningful return on privacy investment and that users are increasingly recognizing privacy as a differentiator and showing preference to those companies that demonstrate trustworthiness. Security teams may also want to consider investments in organization-wide, privacy training and the proper handling of data. These skills are particularly critical for employees who handle personal or sensitive information or are authorized to have access to it. The bottom line is that there are a growing number of tools, resources, and expertise available to you today that can help guide you through this journey. I, for one, am inspired every single day by those organizations, including my own that are taking a leadership role in the protection of privacy. It is a right worth fighting for because one of the things we know for certain is that empowerment begins with trust. For all of us to feel empowered, to innovate, create and solve problems, we need to feel safe and be safe. We must be able to trust in the security of the technologies we've come to rely on and in the companies we interact with. We have to be able to trust that our privacy and confidentiality will be protected across everything we do, and that our data will be used only in a way that is consistent with our expectations. Safeguarding privacy, with purpose and passion empowers people and organizations in every community around the world to do more. So let's inspire and let's be inspired. Thank you for watching and enjoy the RSA conference.
Risk Management & Governance Business Perspectives
compliance management data security PII privacy GDPR
Share With Your Community