How CISOs can explain privacy to the C-suite

With the recent moves by the FCC, it is imperative that chief security officers make the company aware of privacy issues.


With the recent decisions the Trump administration has made around FCC policies and net neutrality, it has become even more important for security and privacy professionals to educate internal and external stakeholders. It’s the CISO’s role to help inform the C-suite, investors and board of directors about potential security. 

If CISOs are wondering where to start, Malcolm Harkins, chief security and trust officer at Cylance, and Ruby Zefo, vice president of the Law and Policy Group at Intel Corporation, have put together four privacy and security topics to discuss with stakeholders.

1. Privacy is not equal to security: Just because an organization keeps its data secure does not mean it had the right to collect or even store the data in the first place. Privacy and security are certainly intertwined and CISOs can explain them as relating to each other like two magnets. Though independent of each other, when turned one way, they are perfectly binding, showing that you need good security to have privacy.

On the other hand, executives do need to remember that security practices can go too far by not understanding the nuances of privacy, which creates a polarization between the two magnets. Under the guidance of their CISOs, we advise executives to take the time to educate themselves on both topics, which will lead to a cohesive approach within their organizations.

2. Blind spots do exist: We all misperceive, misunderstand and overlook things at times, which means that when making decisions, organizations need to collect a variety of input from as many people as possible. We encourage CISOs to explain how important it is that executives consult a variety of departments like finance, legal and marketing, or even to perform risk reviews and bring in business unit leaders and IT folks. Having this 360-degree point of view will help organizations avoid the inevitable blind spots and consider all potential risks. 

3. Prep execs for tough questions: Executives are going to get hit with serious questions, especially when it comes to security topics and even more so if they are data-intensive. It’s important that executives feel comfortable and not defensive. To ensure this, it’s important that CISOs put executives in a mock interview situation so they can answer tough questions about security protocols, while still avoiding the two poles of “sky is falling” or “everything is rosy” commentary.

When executives simplify the information and communicate clearly to key stakeholders, they can be factually correct and avoid a PR or legal issue. CISOs should also suggest continuous external and internal reviews to pinpoint any new issues or industry trends, whether that's privacy, encryption or IoT security.

4. BYOD and monitoring: Executives should be more cognizant of the types of things that employees are connecting to the organization's network. CISOs should help their executives set rules that need to be enforced, not only for smartphones and laptops but also for newer IoT devices like smartwatches and exercise wearables, which will only continue to become more common.

With this in mind, organizations need to determine how they can appropriately monitor employees once these devices are connected to the organization's network. CISOs should train their organizations, from leadership to HR teams, about what data and information is being collected from employees on the network, while still complying with company security guidelines and not crossing an ethical line. It takes a lot to gain employees’ trust, but one mistake to lose it.

VPN or proxy to protect privacy

With the recent ruling that gave ISPs the right to collect and sell user data without their consent, it has opened up the discussion of what companies can do to protect that privacy. Thoughts have turned to technologies such as VPNs and proxies. NordVPN, a VPN service provider, has noticed their user inquiries triple after the latest development in the U.S.

Overall, Google searches for VPN increased by a quarter after the US Congress decided to cast away the ISP privacy rules.

What is the difference between a VPN and a proxy, and how does one choose the best option? Both VPNs and proxies hide one's IP address and make it seem that a user is connecting from another location. However, the main difference is that proxies do not encrypt Internet traffic, while encryption is what makes VPNs security- and privacy-oriented.

Proxies are great for streaming geo-blocked content, as they do not slow Internet traffic, or for bypassing content filters. However, any entity such as an ISP, a government, or a hacker who can snoop on anyone using Wi-Fi in a coffee shop can access your data despite the proxy. In addition, certain Flash or JavaScript elements in a user's browser can easily reveal their identity. Moreover, a proxy is configured only for a certain application, such as a web browser, and is not installed computer-wide.

VPNs are set up computer-wide and protect the traffic of every application used: each internet browser, email app or online game. A user's internet traffic gets encrypted and routed through a secure tunnel between two points, the computer and a remote VPN server. This way, no one can access the data that passes through the tunnel; it becomes completely invisible to ISPs, government snoopers, advertisers, identity thieves and hackers. When a user installs a VPN and goes online on unprotected Wi-Fi at a hotel, restaurant or airport, their data will also be automatically encrypted, and they can even proceed with their online banking or shopping.


Copyright © 2017 IDG Communications, Inc.
