Talking privacy with Harvey Jang, Cisco’s chief privacy officer

The biggest mistake IT leaders make in trying to secure sensitive data is not understanding where their data is and how it flows, says Cisco Systems’ vice-president and chief privacy officer.

“Some of the challenges where there are slip-ups is when organizations don’t fully understand or know their data flow architecture,” Harvey Jang, the company’s vice-president, chief privacy officer and legal head for privacy and security, said in a wide-ranging interview. “You really have to understand your data. You have to understand what you’re collecting, what you’re processing and who you’re sharing it with. I think that’s a critical piece … “Understand when it [data] is going from one [data] processor to another … and that has to be documented … from the point of collection to the processing, to sharing to archival storage and deletion. You have to spend some time in information governance and understanding the data life cycle and each step of vulnerability along the way and address it. … “There’s got to be due diligence in vendor management, vigorous security reviews — which includes privacy assessments — to really understand the risks of the dataset you’re asking the third party to processing data for you.” “You may secure one environment,” he added, “but when you use a third party, or third party cloud or an API, they may not be as secure or under scrutiny as your own environment. “We have a whole security division and consulting services where I see a lot of things escalating because of the third party. So if you have a zero trust organization, you have very strict standards and control your environment. That’s when vendor selection becomes critical. Can your vendor live up to your privacy and security requirements and standards your organization has set up? So as you go from one vendor to the next and to to next and further downstream, that’s where I think the danger or the risk [to data] increases. Third party risk and insider risk are probably the two biggest areas I’m seeing.” A lawyer and a member of the research advisory board of the International Association of Privacy Professionals (IAPP), Jang leads a team responsible for developing and orchestrating Cisco’s global data protection policies, compliance capabilities, privacy engineering methodologies, certifications, and accountability frameworks. Before joining Cisco he was senior director of legal affairs at McAfee, lead counsel for privacy, security, marketing, consumer protection, and antitrust at Intel, and the director of privacy and information management as well as chief privacy and security counsel for HP. Two years ago he moved out of the legal side of Cisco to its operational side to focus on privacy. This month he moved back to legal to help transform the department’s approach to privacy and other issues. He talks about “doing right by our customers and stakeholders, including our employees, and go beyond compliance.” “If you are approaching privacy or data ethics or environmental for compliance’s sake, you’ve probably already failed. That’s not the direction the law wants you to go, it’s not the direction that we need go as a company.” It helps that privacy is top of mind for Cisco’s customers, he said. A recent survey of customers in 28 countries this year showed over 90 per cent of respondents believe privacy is mission-critical. “It is our customers that are driving [Cisco] quite a bit in terms of privacy and security,” he said. “And they often go far and above what the law requires … and they really push the envelope to constrain what we at Cisco do with [their] data. First they want to make sure it’s secure. So for Webex, we tell them that it is secure. But we went a step further and achieved some of these industry standards, certification though the security and privacy standards that are ISO. We achieved the EU Cloud Code of Conduct making sure that our Webex cloud meets European standard for privacy. The customers push it above and beyond what the law requires.” Smaller companies that don’t have robust privacy programs “are just grateful that we have enterprise customers and governments that have pushed this all the way through … they get all the high standards [in our products] that our European government customers get.” However, he admitted, “hackers are very sophisticated. Unfortunately what we’ve seen in breaches is it’s not so much brute force attacks any more. What we see more is social engineering,” with hackers either guessing passwords or installing keyloggers. “Hackers aren’t busting firewalls,” he said. “They’re finding ways to get login credentials through phishing attacks or other ways and entering through that.” Asked if organizations are pushed to collect too much data, Jang said there’s an inherent tension between big data and data scientists and privacy requirements. “Privacy pushes this notion of data minimization — only [collect] what you need to service the explicit, articulated purpose that you set forth. The data and data scientists [say] ‘Give me all the data that is possibly out there, we’ll run some algorithms, and patterns will emerge, and then we’ll tell you the meaning behind it.’ So there’s a bit of tension. But the interesting thing where you can manage that tension is [asking], ‘are the patterns that you’re looking for, do you need to have them individual identifiable?’ Every time that’s come up at Cisco the answer is ‘No … we want to look at macro-level patterns’. That’s where artificial intelligence and machine learning come into play. So we give privacy-enhancing techniques for removing or masking the actual identifiers and replacing it with a [generic] string. So when you do things like using those privacy enhancing techniques you can play a bit more with the data.” The CPO should ask the CEO what the outcome the organization is trying to achieve with all the data it collects, he said. “More often than not they don’t need the individual, or linking to a specific person, or looking at micro-level patterns of behaviour,” Jang said. Asked why organizations don’t put a priority on data-protecting technologies like encryption and network segregation, Jang said he’s not sure they don’t. “You want to make sure data is encrypted in storage and in transit,” he said. But he also noted that “we’ve seen slip ups where employees leave open Amazon S3 buckets that are unencrypted, and that causes a lot of problems. Encryption and [secure storage] … are some of the basic aspects of security. There’s more guidance out there than ever before, so it’s harder to play ignorant.” That guidance includes the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) framework, as well as other cybersecurity frameworks. No one can say they’re too small for security, he added: They just need to prioritize. “People are less able to make excuses any more for sloppy or poor security.” On that, he added, implementing multifactor authentication to protect logins is vital. Privacy “can be super-complicated. You can get overwhelmed with the laws, the rules, the standards, all of that stuff.” But, he insisted, “everything all boils down to three core principles: Transparency, fairness and accountability. If I try to distill all the laws, what are they getting at? Even a hundred pages of GDPR [Europe’s General Data Protection Regulation] comes down to, you’ve got to be transparent, you’ve got to be fair and you’ve got to have accountability and controls to live up to the promises you make. I think the more transparent you are, the more opportunity you have for others to test your fairness. And that you’re willing straight-faced to say, ‘I believe in what we’re doing, I believe what we’re doing is responsible so I’m going to tell people about that.’ That piece is critical.” Asked whether every organization needs a chief privacy officer, Jang was equivocal. “Whether you need one, you should have someone with the responsibility over personal data … Does it have to be a full time job with an enormous team? It depends on the risks and the data set that your organization is handling. “Where should the CPO report? There is no single answer. Because it [privacy] is multidisciplinary, no matter where that individual reports they will draw on the expertise from multiple teams. If you’re selling product that handles personal data, you need to have a connect point into the engineering team. Whether that’s a dotted line or a community of practice or some executive or leader designed with that responsibility, it varies from organization to organization. I don’t think there is one way to do it. You have to look at the privacy risk of the organization, and where would that person fit who is responsible for properly handling personal data. Wherever that person needs to be, authority to drive behaviour is what matters.” The post Talking privacy with Harvey Jang, Cisco’s chief privacy officer first appeared on IT World Canada.