by Heidi Wachs | April 10, 2013 | 1 Comment
I attend a lot of conferences. I mix and mingle with technologists, educators, attorneys, and privacy professionals and I can’t tell you how many times I’ve heard them all say “we need a translator.” This may have been true as all of these fields collided, but in 2013 we shouldn’t need a secret decoder ring to communicate with each other.
In every project, meeting, or crisis I’ve confronted a team of people with diverse backgrounds was required to bring the issue to resolution. Privacy professionals are often unwillingly thrust into the translator role, but I don’t think it should be one person’s job. Effective communication involves each person breaking down their own vocabulary so that things can be easily explained regardless of whether the letters following the name on your business card are CISSP, CIPP, PhD, or Esq.
When I think about ways to overcome this communication barrier I’m often reminded of the movie Philadelphia. Denzel Washington’s character, attorney Joe Miller, asks people throughout the movie to explain things to him as if he’s a four or six year old. Children, and attorneys, don’t need to be able to understand the intricate details of an ERP system, but they can understand that there is software on the computer that tracks how package A moves from location X to location Y. And children, and technologists, don’t need to understand the differences among all the various data privacy laws, but they can certainly understand that there is information about individuals that needs to be protected from someone using it badly, and when that happens, we have to tell the people so they can protect themselves.
Changing the way we communicate overnight is far too daunting, so achieving this goal takes small steps. For starters, the next time you send an e-mail, take a moment to reread it before hitting send. The most powerful question to anticipate when preparing communications in these cross-functional situations is “why?” Don’t simply state that something needs to be done. Explain the cause and effect, the rationale.
Broad questions are often met with broad answers. Consider communicating with more detail, explaining why you need an answer. I’ve found that bullet points in e-mails can be extremely helpful in focusing the exchange. Find a partner in this process who works in a different field or part of the organization than you and develop your communications with each other. As you’re discussing things ask, “Was that clear? How could I have explained it better?”
The challenge here is to not expect one person to translate among all of our languages, but rather for each of us to choose our words more carefully when we’re collaborating. I know this is not an easy task. Putting this level of effort into communication does not come easily to most people. But technology, privacy, and the law no longer operate in silos. If you want to be part of the solution, you have to be able to speak to the rest of the team with words they understand.
Category: Uncategorized Tags: privacy
by Heidi Wachs | April 8, 2013 | Comments Off
Default often has a negative connotation – what we settle for when there’s no better option. In information classification terms, we reinforce the idea of a default classification for things that don’t fit nicely into other categories. But in the case of Amazon’s S3 buckets the default is a good thing. So how did so many customers screw it up?
That’s right, this time it was the customer’s fault. A researcher from security vulnerability firm Rapid 7 discovered that the contents of one in six of Amazon’s S3 buckets are publicly accessible. The objects in each bucket aren’t all publicly accessible, but the names of the first 1,000 objects in each bucket are visible. In some cases, however, the objects were also publicly accessible. These buckets contained objects ranging from benign to highly sensitive. Examples of the contents included pictures for social media sites, source code, sales data, and employee data. My colleague, Kyle Hilgendorf explains the incident on his blog in a bit more detail and agrees – Amazon is not to blame.
But Amazon’s default setting for the buckets is private. Somewhere along the way, the customers controlling these buckets adjusted the settings and switched them from private to public. While in some cases this may have been intentional, let’s hope that where the bucket contained employee data or source code, it was not.
The bottom line: when organizations move enterprise data to the public cloud, they must be vigilant about that data’s privacy. The lesson here is not that this data shouldn’t have been stored in the cloud, or that each of these customers is on the hook for a breach notification (although some of them might be.) Amazon, and other cloud providers, offer a wide range of tools and controls for customers to protect the privacy and security of data being stored on their servers. Amazon developed a catalog full of documentation and guidance on how to use all of the security features. But the cloud providers can only do so much. At the end of the day the customers bear the responsibility for their settings.
So what can organizations do, or do better to protect the privacy of their enterprise data in the cloud? Here’s a checklist to get started:
- Determine who is the point person for each and every cloud deployment. If you don’t have a person in that role, delegate one. Make sure this person is intimately familiar with the full suite of controls offered by the cloud provider.
- Map the required privacy and security settings for each type of data stored in the cloud and align the controls and settings with each cloud provider accordingly.
- Educate the entire user community on how to preserve the privacy of data in the cloud. Provide step-by-step guidance on appropriate data handling and settings.
- Check and double-check the controls on a regularly scheduled basis to ensure that there haven’t been any unintentional modifications, such as switching from private to public.
Category: Uncategorized Tags: AWS, cloud, privacy
by Heidi Wachs | March 13, 2013 | Comments Off
The International Association of Privacy Professionals (IAPP) has only been around for 13 years. Compare that, for example, to the American Bar Association, which was founded in 1878, or the Institute for Electrical and Electronics Engineers (IEEE), which traces its roots back to 1884. But for a profession still in its infancy, there already seem to be some established “generations.”
I view the emerging generation as the fourth generation. The opportunities available for them as privacy professionals are unprecedented: undergraduate and graduate coursework, privacy-centric graduate degrees, fellowships, and internships with established privacy departments. But they face the same question that the generations before them faced: is privacy a viable career?
The first generation, the founders of privacy as a profession, are predominantly attorneys who pioneered a new field. They found creative ways to define privacy and established the position of Chief Privacy Officer, a high-level point person essential to preserve the integrity of data and prevent it from being inappropriately or inadvertently shared. The immense amount of respect for these luminaries is easily identifiable among their fellow privacy professionals, but their career paths are varied and unique. There is no discernible pattern that a student could emulate.
A second generation “came of age” as federal and state legislators established a new set of data protection laws. Privacy Officer positions increased throughout the public and private sectors and this second generation was ready, willing, and able to take on the challenges of privacy in the mobile and digital age. This generation drew the outline for a career path in privacy and is eager to mentor those in their wake, always generous with their time and advice.
The third generation of privacy professionals, of which I consider myself a member, were the first to seek out privacy as a career. Our options have flourished. In addition to privacy counsel and privacy officers, we now have privacy analysts and engineers, but the path is still not well-trodden. We struggle to craft our resumes wisely and map a long-term privacy career. When members of the fourth generation ask us for advice, we want desperately to help, but are often at a loss since we still rely so heavily on the second generation for advice and networking and obsess over making the right career move for ourselves.
So how do we help the fourth generation define themselves and, by extension, a traditional privacy career path? The IAPP can facilitate mentoring opportunities by bringing all the generations together as often as possible. As a community, we need to define what privacy professional career paths look like, from undergraduate through retirement. Most importantly, we need to ensure that no generation rests on their laurels. In building privacy as a viable career, we must invite the fourth, fifth, and sixth generations to stand on our shoulders and continue to build on our foundation.
Category: Uncategorized Tags: privacy
by Heidi Wachs | February 7, 2013 | Comments Off
Time flies when you’re having fun, or so it would seem as I’m now entering my fifth month with Gartner and working on “finding my groove” as an analyst.
My fantastic GTP Identity & Privacy Strategies teammates wasted no time throwing me into the mix. I was on the road more than home in November and December, which left me feeling a bit like Dorothy in the twister. The difference between Dorothy and me, however, is that rather than cows, houses and witches swirling around me were vendor briefings, client dialogues and research interviews.
In my previous life, I advised on identity-related projects from a privacy perspective, but am now fully engaged. The journey I’m embarking on with Gartner will take me down a new yellow brick road, and I even have a Wizard and Glinda to help guide my way.
In the meantime, I’m focusing my research and writing on privacy, a subject matter in which I’m well-steeped. My first document, A Guidance Framework for Implementing a Social Security Number Remediation Program, was just published on February 1st and is available to GTP subscribers. My next area of research is attempting to explore how organizations can mitigate privacy risks in the public cloud, and how to rein in shadow IT that has already moved there.
If you’d like to join me on this adventure, you can check back here for updates or follow me on twitter, @hlwachs.
Category: Uncategorized Tags: