Chief Information Security Officer (CISO) and President of Forensics at HaystackID John Wilson discusses how organizations can best leverage a data-centric approach to ensure data privacy and compliance.
Security: What is your background? Could you discuss your current role as CISO at HaystackID?
John Wilson: My career had an odd start with varied experiences that first began in the US Army and then the US Navy, which is certainly not a usual military career path. After I got out of the Navy in 1994, I started running an ISP which led me toward the direction of IT. I started programming, and engineering data center plans where I would have clients call and say their hard drive failed or their server crashed. They would ask if I could figure out what the issue was, and once I identified the problem, they would ask if I could repair it. From there, I entered into data recovery and reverse engineering hacks, which eventually led me to testify in court cases. Ultimately, data recovery and reverse engineering evolved into computer forensics. At this point, I have been doing digital forensics and cyber security for 20 years, which has taken me to every state in the US and 47 countries. I have led projects for the Fortune 100, conducted investigations for US Senate committees, and many other small to large projects.
My current role as CISO of HaystackID is the culmination of those experiences that have enabled me to guide our security practices here at HaystackID and share my knowledge and experience through our Professional Services offerings with our many large corporate and enterprise clients.
Security: We have seen an increased focus on the concept of privacy. Can you share your thoughts on what is driving this increased focus? Is it only a state focus? Federal focus? International focus?
Wilson: I believe the privacy movement started as an international concern with the various iterations of privacy protections in the European Union, including the International Safe Harbor Principles, Privacy Shield, and finally, GDPR (General Data Protection Regulation). It wasn’t until 2018, when GDPR went into effect, that concerns over the substantial fines caused privacy to obtain significant attention. At the same time, California introduced the CCPA (California Consumer Privacy Act), also with threats of significant fines that kicked off the growth of privacy focus across businesses of all sizes. Since then, a growing number of states have adopted varying privacy protections, and there continue to be federal privacy protection initiatives, though nothing has been adopted yet on the federal level. So, as you can see, international privacy has been the driver, but state-level privacy concerns are rapidly gaining momentum, and likely there will eventually be federal privacy protection regulations of some nature.
Security: Privacy and security are more intertwined than ever before due to the increased focus on security regulations. Why should chief privacy officers and CISOs work together to ensure true compliance?
Wilson: Chief Privacy Officers and CISOs must work together now more than ever as Privacy and Security are codependent. You can’t have privacy in an organization without the security controls in place to protect the privacy data, and security can’t protect the private data if it doesn’t understand what and where it is. Increasingly, cyber events are focused on privacy data as the primary target. In many instances, the ransom for privacy data far outweighs the value of the financial or business information that was previously the primary target of cyber events.
Security: As a CISO, how do you personally balance privacy, compliance, security and systems?
Wilson: There is a lot to unpack here. Balance might be a bit of a misnomer. I do strive to ensure that there is balance in all these initiatives, but more often, we discover that if we secure the privacy data, the compliance initiatives will have the necessary frameworks to be successful. Not all compliance requirements are centered around privacy, but implementing privacy data controls using a data-centric approach provides a sound framework for the classification of data that can be easily leveraged to drive the rest of the compliance requirements. Similarly, once you implement security controls and policies around your privacy data, it is easy to extend them to all classifications of data. Using the data-centric approach allows you to scale your security from highly sensitive data to the least sensitive data, which also allows you to focus on the most critical data sources first and step through the tiers of diminishing returns to maximize the impact of your security dollars. Lastly, this approach allows you to focus your efforts and resources on the systems that deliver protection to your most valuable data first and step down to the least essential assets. Overall, it’s not a question of if but when an event will occur. You must plan for that eventuality. Taking a data-centric approach helps ensure that when an event does occur, the organization’s most valuable data will be protected, and you will have the systems in place to detect and respond to any event faster.