Boards, CEOs Should Take a Lead Role
"The definition of what privacy is will continue to evolve as we understand this information that big data is able to provide us," says Jeff Spivey, ISACA's international vice president.
"What big data represented five years ago is somewhat different now and the risks that we talk about today are going to be different than the risks we talk about in three or five years from now," he says in an interview with Information Security Media Group (transcript below).
That means organizations must ensure they protect the privacy of the data as they collect and analyze massive amounts of information, Spivey says.
Organizations face challenges in ensuring the validity and correctness of the data they use, leading Spivey to advise that businesses and government agencies must safeguard the processes originally designed to protect privacy throughout the data analysis process.
"Big data is allowing us at a faster speed to understand what may be private information about people in a way that has never happened before," he says.
"Somebody who's 60 years old, their idea of privacy is different than the digital natives that grew up putting everything [online]," Spivey says. "As that evolution has occurred, that expectation of privacy has changed and is changing."
In the interview, Spivey explains:
- Risks big data pose to privacy;
- Challenges organizations face in protecting the privacy of big data; and
- Steps enterprises should take to protect privacy as big data volumes grow.
Spivey is international vice president of ISACA, an international professional association focused on IT governance. He also is president of the consultancy Security Risk Management and vice president of RiskIQ, a risk intelligence service. He holds a number of security certifications and has authored articles for professional journals. Spivey has been a featured speaker at various security, risk management, criminal investigation and counter-terrorism conferences.
Big Data Privacy Risks
ERIC CHABROW: What privacy risks does big data present and why?
JEFF SPIVEY: If we look at big data as a whole in its evolution over the last five-plus years, what big data represented five years ago is somewhat different now and the risks that we talk about today are going to be different than the risks we talk about in three or five years from now. Because of the power of the technology, we're able to correlate data at a speed and a frequency that gives us insight and visibility into a lot of business decisions, or decisions that will be made from the data. From this gathering of information then, we also have greater visibility into people, and the definition of what privacy is will continue to evolve as we understand this information that big data is able to provide us, the visibility that it's able to provide us.
From a risk standpoint, what was not available before, because the technology wasn't there, is now available. ... I've got the Google Nexus 7 Tablet, and that tablet on the third day that I had it understood where I lived. It understood where I worked. Five minutes before I would leave from where I worked, it was telling me the best route to get home without me interjecting or putting any information into the tablet. The ability of data to understand people and people's movements, from a commercial standpoint it's going to give the sellers of products insight into our personal buying habits that before may have been guesses or found because of people in the field. Because of data collection and data analysis, our privacy is going to take on a whole new impact if you would.
Evolution of Privacy
CHABROW: You talk about privacy evolving. Is it the definition of privacy or is it the technology itself that's evolving to a point where it makes it harder to defend privacy?
SPIVEY: It's probably upon who's providing the definition or maybe the expectation of privacy. If we look at somebody who's 60 years old, their idea of privacy is different than the digital natives that grew up putting everything that they do and say on Facebook for the world to see. As that evolution has occurred, that expectation of privacy has changed and is changing - the technology is part of that evolution that gives us different information than we had before. It's going to give the government different information. It's going to give commercial business a different set of information and insight into who I am or to group me with a group of people that have similar interests, understandings or habits.
The ability to understand that this is going on and that technology is enabling it allows us to take a step back and, as a society, be able to identify what's the line that we as a society or we as a culture will now set and say that this line is defining privacy for the United States. In the EU, they have defined privacy differently than they have in the U.S. of what's private. What's considered private is different than some of the words and some of the context that's being used in the EU or some other countries. The whole idea of privacy is changing, not only collectively but also personally.
CHABROW: Is this idea different for big data than it was for more traditional forms of data?
SPIVEY: Big data is allowing us at a faster speed to understand what may be private information about people in a way that has never happened before. If we go back before NSA programs or before commercial business programs of understanding the customer or understanding people, if we go back to that level, these tools weren't available. The tools have just continued to get smarter and faster, and now with big data they're very fast. They're able to take unstructured and structured data and be able to start to make sense of all that a lot faster. Also with that, companies are able to make better business decisions than they would have otherwise. They're able to anticipate and limit waste or model different business opportunities and decide which is best based on certain rules. Big data allows them to do that almost in real-time because it's taking current evolving information and including that into the equation of understanding reality right now and people are able to make decisions off of it.
Challenges around Privacy Protection
CHABROW: What are the main challenges organizations face to get a handle on privacy protection as technology advances as you just described?
SPIVEY: Some of the main challenges that the organization will face in trying to get a handle on the privacy protection as it relates back to big data is going to be the validity and correctness of the data that's brought into the big data analysis, and ensuring on an ongoing basis that the organizational processes that were originally designed and considered correct for that organization ... are being followed as it relates to private information throughout the data analysis process. Also, the outcome of that big data as it relates to privacy protection and the different rules that we have all around the world regarding that information all need to be met. Make sure the rules are being met, that you've got good and valid data, and that it's being protected all the way through. From a security standpoint, we've got the understanding of providing protection of data at rest or in transit, and all of these components come into play when we're looking at big data, which is somewhat of a new process to understand. How are we protecting the data? How are we protecting privacy throughout the entire big data evolution and processes before they have an output?
CHABROW: Generally, you need to get a handle on big data itself; in other words, the good processes, whatever you need to do to really understand the data you have, because you can only provide privacy protection if you have a handle on the big data. Otherwise, it's going to be very difficult to do.
SPIVEY: That would be correct, as well as just the pure information that exists in different states for that organization, making sure that the information is protected throughout all of those processes so that there's not a breach from outside of the organization and there's private information that's stolen, but also that there's not private information that's manipulated or taken from insiders.
Steps to Protect Privacy
CHABROW: What steps should organizations take to protect privacy as big data volumes grow?
SPIVEY: Organizations have the opportunity with the new technology around big data to assure that they're providing governance and also management of this new capability in big data that they now have. The governance is placed at the highest level of the organization with the board of directors to where they would understand what big data is, what the risks are of big data, and how that organization plans on managing what those risks are. Below the governance sector is also the management from the CEO down of the governance directives to assure that the data's being protected, managed as intended, and that if there's any exceptions to that, those incidents are also managed appropriately so that big data's providing the value that it needs to within the organization and is not exposing the organization to additional risks.
Involving the Board of Directors
CHABROW: When you talk about the involvement of the board of directors, the chief executive officer, is this anything different than in the past in dealing with privacy protection, or is there something about big data that's necessary to bring to the attention of these executives?
SPIVEY: I think there's a difference in that the technology is so significant that it's different than analyzing data in the way that we have before. It's an enormous opportunity for an organization to make information the leader of the value that they're creating. But without comprehensive policies and principles, the data can generate enormous risk for the organization. We had talked before about how the laws of Europe are different than the laws in the U.S., which are different than other laws in different countries. The ability is in understanding what that risk is for the company, for the organization. How we're handling that risk I think is different. The massive amount of information ... is different than the exposure and the significance of risk that we've had in the past.
CHABROW: Does this put additional burdens on the chief information officers and chief information security officers to educate the board and CEOs on big data and the risks?
SPIVEY: It would be their responsibilities to make sure they grasp what it is and make recommendations to the board and management on how those risks are being handled. Make sure that they're able to measure those risks initially and on an ongoing basis so that the risk tolerance in the board is understood and that appropriate management decisions are being made on resources that need to be applied to manage what those risks are. Without knowing what the risks are, there will be gaps, there will not be resources applied where appropriate, and there will be either risks that are being accepted without anyone knowing about it, or there will be a better managed risk and full transparency in the organization to where they know their risk, they know how to manage it, and they accept those risks knowingly in their whole business processes.
CHABROW: Any final thoughts?
SPIVEY: As we look at big data, the shift is upon technology and that our society is being inundated by more and more technology. The increased risk that this technology presents to organizations demands that the organizations have a framework with which they can understand any of these new technologies and any of the new risks that are being put in their way. As we look at what the framework is, my involvement with ISACA has enlightened me to the understanding and the value of COBIT 5, which is a governance and management framework. It also provides for a methodical and open way to understand new risks that may be interjected into an organization, and a framework with which those risks and that new technology will be analyzed and understood more fully by the organization, so that they can decide whether or not that technology is worth the risk, and, if it is, under what circumstances it is worth the risk and how it will be managed and monitored over time.
There are many organizations that are being blindsided to the new technology and just riding the top of the wave wherever it takes them. Who's creating the framework to better understand the risk and what the reward would be? I think big data is a great technology. I think it's going to provide competitive advantage for those that embrace it and understand it, but it also has a set of risks that need to be managed.