Episode 113: Rebecca Herold

Rebecca Herold, CDPSE, FIP, CISSP, CIPM, CIPP/US, CIPT, CISM, CISA, FLMI, Ponemon Institute Fellow, has over 25 years of IT, info sec, & privacy experience; CEO & Founder (2004) of Rebecca Herold, LLC, aka The Privacy Professor(R); CEO & Founder (2020) of Privacy & Security Brainiacs; and host of the radio/podcast show “Data Security & Privacy with the Privacy Professor”. Founder (2014), Engineer/Architect, and Owner of all IP for content, specifications and architecture of SIMBUS, LLC and all derivatives thereof.

Rebecca is an entrepreneur and author, and was an Adjunct Professor for the Norwich University Master of Science in Information Security & Assurance Program for 9 years, where she also created program curriculum. Rebecca led the NIST Smart Grid privacy group for 7 years and is a founding member of the IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group (June 2015). Rebecca has received numerous awards and recognitions for her work throughout the course of her career. Rebecca is currently finishing her 20th published book to date, plus chapters in many books and hundreds of articles. Some of Rebecca’s books include:

  • Security & Privacy when Working from Home & Travelling
  • The Practical Guide to HIPAA Privacy and Security Compliance (2 editions)
  • Data Privacy for the Smart Grid
  • The Privacy Papers
  • Managing an Information Security and Privacy Awareness and Training Program (2 editions)

Report discussed in this episode: ISACA, Privacy in Practice 2022 (linked in the show notes).

Rebecca has a B.S. in Math & Computer Science & an M.A. in Computer Science & Education. Rebecca is a longtime member of ISACA, Infragard, IAPP, ISSA, (ISC)2, IEEE & ACM.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:16)
You are listening to KBKast, the cybersecurity podcast for all executives, cutting through the jargon and hype to understand the landscape where risk and technology meet. Now here's your host, Karissa Breen.

Karissa (00:30)
Rebecca, welcome back to the show. I'm really excited to have you here. I love your energy. I love your passion. I love your drive. I'm really excited to talk you through the recent ISACA report, Privacy in Practice, which we will link in the show notes below. So, yeah, I'm really keen to sort of get into the key insights in that report and some of the key findings that really jumped out at me, which were around the privacy training side of things. So I want to sort of kickstart today's episode with 71% of respondents perceive privacy training to have a positive impact. But then I'm curious to know what the other 29% think. Why wouldn't they believe training is a positive thing?

Rebecca (01:14)
Oh my goodness. Well, this has been a battle for those of us who strongly believe in training for many years. And I'll tell you just a few of the reasons that I've heard not only for many years, but recently, too. So the first one is that when it comes to privacy training, there's often a misconception that only lawyers need to know privacy. And the executives that are the ones to approve of training programmes and resources and time and funding oftentimes say, well, you know what? Privacy is a lawyer-only issue, and our lawyers already know what they need to know. So we don't need to provide training. Well, of course, they aren't thinking beyond the lawyer's office. Right, because anyone who touches personal data needs to know how they need to secure that personal data and comply with the policies of the company and the applicable compliance regulations and laws. So that one I hear a lot. Another one I hear, and very interestingly, by the way, often comes from technology vendors, is that technology should be able to do everything. If technology is doing what it's supposed to do, then the people who are using the technology should not need training because the technology is doing it.

Rebecca (02:52)
By the way, we can't depend upon workers to do the right thing anyway. And it bothers me, to say the least, when I hear those kinds of comments. I see those kinds of statements in articles that are published online and in magazines and so on. And it's just simply not true. There's always the human element, because you're never going to take the humans out of the equation for ensuring privacy. Three others that I hear a lot too, just very quickly. And it bothers me too, because people care. I've seen people care. But when it comes to investing in privacy training within the workplace, the statement often is, well, people don't care, so they aren't going to pay attention and they won't actually learn. They're just going to be doing something else while the training is going on. It just makes training a waste of time and a waste of money. Here's one that I hear a lot, especially from small and medium sized businesses. They often say we are not going to invest the time and money into training if we are not legally required to provide training. Of course, they obviously don't understand all the legal requirements for it when they have that opinion.

Rebecca (04:16)
But they're saying we aren't going to do training. It's not going to make an impact anyway. And here's one that I've heard a lot of not just executives say, but also even employees. Well, we still experience privacy breaches, and we did training. We gave a phishing training course, but yet we had a breach. Now, it doesn't matter that the breach was not related to phishing, but that is how they try to justify that they aren't supporting training. So it's a very wide variety of reasons why they don't support training. And it's really sad to see.

Karissa (04:56)
I can definitely understand when they sort of think privacy is for lawyers. I can sort of understand where they're coming from from that perspective. One thing I don't understand, though, is technology to do privacy. I don't get that. Could you share a little bit more as to why people would think that, perhaps?

Rebecca (05:15)
Oh, definitely. So here's a very incorrect assumption that too many folks who are implementing IT in their companies believe. They believe that every type of IT, every type of technology, device and system and network, comes secured and protecting personal data kind of out of the box. This is a very big problem with even IoT devices. Too many people who use IoT within the work area, and consumers, they're like, well, why didn't the manufacturers build IoT to protect my privacy by default? I mean, my goodness, these are devices that are in the vicinity of where we live and where we work. So it seems like they should be doing that already. And of course, that just demonstrates that this assumption can be very risky, because that's why we still are getting more and more privacy breaches instead of fewer.

Karissa (06:21)
Wow. Yeah, that's an interesting observation. And yeah, definitely a fallacy that people need to change their mindset on. So just moving on from that, one of the other things that I noticed on the privacy training front is nearly 70% indicate that they evaluate the success of privacy training by looking at the number of employees who complete the training rather than measuring sort of the efficacy of the training. So this kind of seems counterintuitive, and this appears more of a check-in-the-box exercise. So can you share your opinion on why people are thinking like this?

Rebecca (06:59)
Well, when it comes to metrics, oftentimes it's hard for organisations to really think about what is going to be an effective metric versus what's a simple metric. And of course, having a certain percentage of people take the class is a very common metric. In fact, I know here in the US there are many financial companies who still have the metric of you have to take the training. And if you don't get 100% of our folks who are taking the training in our organisation, then that is going to impact bonuses and we're going to immediately cut off people from accessing the network and so on. So what needs to be done is to really think about what is an effective indicator that can show that the training was effective. Well, you need to consider what was the topic of the training. So one that I use often, because it's one that most people can relate to, is what if you provide training to the help desk area for how they need to do identity verification? They go through the training, they make sure that they're doing identity verification according to what's legally acceptable and by the policies of the company.

Rebecca (08:27)
But then after that, that's where for your KPIs, you can set up a set of tests where the privacy office, and perhaps some others throughout the organisation who are working as a team on this, can actually then test the call centre to see if they're following the procedures, let's say a week after they took the training, or a month after, or a quarter after. That is truly beneficial, because if you see within just one week after they just had this training that they are not following the identity verification procedures, that can tell you either that the training wasn't effective or that maybe the procedures are not feasible. But it can help the organisation in so many other ways beyond just retention of the learners. So yeah, there needs to be more really critical thinking around how to set those KPIs.

Karissa (09:30)
So going back to the metrics, could you maybe give an example of an effective metric versus a simple metric?

Rebecca (09:36)
Sure. So like I just mentioned, about how many of the people who were learners in the class are actually then using what they learned in the class to actually follow their procedures. You can also then, after the class, give a type of quiz or test; that's very popular in a lot of training modules anyway. I like to give the training more than just immediately after the class, because you want them to retain this information. So you give it maybe a week after, a month after. That's another one: how many of the folks pass the quiz a week after the training, the quiz that covers it. And then also asking about complaints from customers or questions from employees, that can be useful if those numbers actually apply to the type of training that was provided. And I think, again, that is something that organisations need to think about: what is the appropriate type of metric to use for each of the classes and the topics that were covered.

Karissa (10:54)
Thanks for sharing that. One of the things that came to my mind as you're talking through that a little bit more was when sometimes you get the feedback or the quiz or the form to say provide feedback on the training. Would you say that people are honest in that? Because more often than not, like, I never want to be horrible towards someone or be rude and say, oh, that trainer sucked or that sucked. I'm not that type of person. So would you say perhaps the metrics could be skewed because people have the right intention, like no one wants to be like an unkind person. So do you think that people go say, yeah, it was great, but maybe that's not the truth.

Rebecca (11:28)
That's a good point. I would say that's where it's important in those evaluations to maybe keep those types of questions out, because really what should be asked in evaluations is something like, does the information in the training class help you to perform your job responsibilities in a way that will help you to better protect personal data? Make it about the class and how it relates to their job responsibilities, as opposed to making it about the individual themselves. Now, of course, you can be creative and ask questions that are indirectly related to the person who's the trainer, like, was the method of providing the training effective? That way the person who's answering it is not necessarily directly judging the person, especially if it's their friend, right, as you kind of were referencing earlier, but it's talking about the method for learning this type of topic. So again, it really needs to be something that is thought about more. I think a lot of times I see so many different training classes out there, and sometimes it really seems like the focus is more on flashy presentation and not really about the true learning aspect of how the information is being delivered and how the topics are being presented.

Rebecca (13:04)
So that's another important consideration as well.

Karissa (13:07)
So what I'm hearing from what you're saying is it's how you frame these questions, because more often than not, maybe people need to sharpen that perhaps a little bit to what you alluded to around it's more about the training rather than did you like this person, and did it help you in terms of on the day, like working through the educational side of why you need to do certain things. So would you just say, as a rule of thumb, perhaps this is a big area that's a blind spot for people, because maybe people don't think about this as much as they need to, because maybe this is really going to dial in those metrics to provide better insights on how effective their training is? Because I think maybe people just overlook it and be like, oh yeah, we'll send like a quick questionnaire, but they're not sort of thinking it through as thoroughly as they should.

Rebecca (13:54)
That's a very good point. Definitely they need to think through it. In fact, I've given a lot of classes at conferences. Right. And at conferences, when you answer those evaluations after the class, it could be a one day class, two days, full week. But oftentimes it seems like there's more questions about was the food good and did you have enough breaks and was the temperature okay? Which is important to know, of course, if you're the person that is putting on the training and the conference, because that's something that can help you for future ones. But really what would be ideal is if you ask about the environment issues, separate from asking about the training itself and the content of the training. And I think looking at all of those times, I've done classes at conferences and seminars, it just always disappointed me as an instructor as well to see people talking about either, oh, the food was not something I liked or it was too cold. And then half of the other say, oh, it was too hot. So it's like, well, this isn't helping me as an instructor either. If all they're talking about is just what they ate, drank and what the temperature was, that is exactly, yeah.

Rebecca (15:19)
So to your point, yes, I think how the evaluations are presented and separating those two issues, let's have an evaluation for the class separate from just the environmental issues surrounding how the class was presented.

Karissa (15:34)
So I'd like to switch gears now and talk about the privacy programme management side of things and some of the biggest challenges that I read in the report. And so one of those was talking around the lack of executive or business support, which was 39%. Now it's not too high, but it's still pretty high. So I'm just curious to know why that's the case, even if you've just got some hypotheses around why that is still relatively high.

Rebecca (16:02)
Well, yes, because ideally you want 100% of your executives or the business to support the privacy programme.

Karissa (17:31)
So the other key insight that I noticed as well is the lack of business support, which was 39%, which we just talked about. But the other side of that was the lack of visibility and influence within the organisation at 38%. So how can companies generate better visibility within their organisation from your perspective? Because the last two stats that we've gone on about are on par with one another. So do you think they are more linked than perhaps people are aware of, or what are your sort of thoughts on this?

Rebecca (18:03)
Yes, they are linked, because if the executives don't place importance on privacy, then the influence is going to suffer. And the privacy programme really needs to be a separate department. It should not be, ideally... And of course, it depends on the size of the organisation and also the industry oftentimes. But ideally, the privacy programme being a separate department, a separate unit, and having the chief privacy officer at a level where there is recognised authority. It shouldn't be just a title, there should be authority behind it. And when there is authority, there does come influence then. Because when the privacy officer does have the power, if you will, to authorise certain activities that are related to privacy, to implement policies that all employees must follow, that really does help the privacy programme much better than if that part of the organisation is not seen as being that important or of that much value, simply because of the way the business leaders talk about it.

Karissa (19:20)
So I touched on it before, but it probably does come down to how we're framing this. And perhaps maybe people need to acquire maybe stronger soft skills or better influencing skills to be able to communicate the value of this. Do you think that perhaps people are still going wrong in that area?

Rebecca (19:37)
Yes, that's a very good observation. And in fact, what organisations need to do more is to start relating privacy and the need for privacy at work to also how they can use this information about protecting privacy in their own personal lives, especially when there are so many people working from home now. Those two parts of their lives are intermeshed with each other. So when the privacy department is talking about the need to protect privacy to protect customers and patients and consumers, they can also say, oh, by the way, you can use the same concepts in your personal life too, in order to help protect your own privacy and the privacy of your family and your friends. And when I've seen that tactic used, to say this is a valuable thing to do not only here at work but also away from work, then that gets more people on board, especially those who have had to deal with their data being breached and so on. They're all on board for help trying to protect their own privacy. So then they see why they need to do it at work more.

Karissa (20:50)
Do you think that maybe companies don't think about it as much as they should because of big tech companies and third-party cookies and all these types of things and targeted advertising? Do you think that they may be thinking like, oh, well, it's a lost cause now, we'll just move on?

Rebecca (21:06)
I think a lot of folks might think that, and instead of trying to deal with the privacy part, they try to think of ways to maybe address the issues from a different perspective, kind of like what you're saying. So instead of doing that, I think that they need to take an approach that is much more thoughtful and really does address the employees and their views of privacy, and not just... let's get away from that common perspective of, oh, we're just going to do what's legally required, and then we will have all of our privacy problems addressed. No, you won't, because laws only address a subset of the true privacy risk. I mean, laws are always lagging in what is necessary to truly protect the privacy of different areas of life and business, where personal data is accessed and used and where laws do not apply. So, yeah, there needs to be a different viewpoint of how to address privacy.

Karissa (22:22)
So it leads me to my next point, as I'm curious to know why the majority of the survey respondents, at 53%, felt that their board of directors adequately prioritises privacy. And so we just spoke about before that it was quite... 38%, and then even the point before that was 39%, so ultimately that number was lower than this number. So can you maybe shed some light on the delta?

Rebecca (22:46)
Yes. And even both of those numbers are still way too low. The board of directors is something that, if the board of directors do not understand the risk of not addressing privacy, then they're not going to prioritise privacy. And so the business is going to be negatively impacted. And too many boards view privacy through a strictly compliance perspective. They really need to understand that privacy goes far beyond that. That breaches can be financially, reputationally, and even physically harmful to the people whose personal data was breached, and that identity theft can take decades to recover from, even if recovery happens at all. It's just one of the types of harms that can happen. Historically, board members have viewed their role as being primarily helping the business to be more profitable. Right. And it's still apparently the view of many board members, based upon many different study results. But they don't see the need to spend any money on something that does not bring a return on investment. So the board needs to see how addressing privacy is something that will benefit the business. And look at it from a perspective that, of course, it will consider financials, it always will from the board.

Rebecca (24:16)
But yet they still need to see how those soft numbers, the soft costs, come into play. And it truly is something that addressing privacy will bring a return on investment when they don't have as many breaches and when they don't get compliance fines and when they aren't sued by their customers because of the data breaches that are occurring.

Karissa (24:40)
So would you say, generally speaking, most companies are driven by compliance? Because I do get what you're saying. They don't see the ROI necessarily. They got to pull money into something that they can't see any tangible sort of like object that they can feel and touch. So it's a hard one to sort of go, okay, let's just throw more money at this. So do you think most people are driven by compliance? And yes, as we know, compliance doesn't mean you're secure. We all know that. But how do we get people past that point where they are focusing on it more rather than just for compliance reasoning?

Rebecca (25:13)
Yes. And that is a challenge for most organisations. And besides compliance, the sad thing is the board often thinks, well, it kind of takes an ignorance-is-bliss type of view. If you don't know anything bad is happening, then nothing bad is happening. And that, of course, is not the case. And so they're thinking, well, if we aren't addressing things and we aren't identifying problems, then that means we don't have problems, so we don't need to do it. But it's really important to point out that more and more regulatory agencies in the US and around the world, of course, are making statements. They've issued statements, multiple statements, about the role of the board of directors in supporting privacy programmes. In fact, just in 2021, they put out a publication that emphasised that the board must be actively supporting a privacy programme and a data protection programme. And that's one of the things that they will be looking at if there is any type of incident or audit or anything else. So I think what the board needs to understand is, as the board, they may very well share in responsibility for not being in compliance, for bad things happening when there's not enough privacy protections in place, and that these agencies that do apply huge fines and penalties, they're aware of this and they're telling you, hey, we expect the board to support privacy programmes.

Rebecca (26:59)
And that's something that we are going to take into consideration when we come to your organisation, either to do an audit or to answer complaints or after a breach.

Karissa (27:11)
Another key insight I'd like to explore is 24% of respondents don't feel that their board adequately prioritises privacy. But 19% of that, which is the part that I'm really interested in, is they don't know why. That's pretty high, 19% out of 24%, it is.

Rebecca (27:30)
And that tells me that those folks, those roles who have responsibility for privacy programmes, are not communicating with their board enough about the privacy programme. If that is their answer, they should know what the board of directors is thinking about and how strongly they support them. I mean, the first thing that I would do as the CPO of a privacy programme is to find out who the board of directors are and let's set up at least a quarterly meeting with them to say, here's the state of our organisation with regard to privacy protection. And I would call it privacy protection, as a larger umbrella term than just privacy compliance, which is, again, an implication that it's just a legal issue. But I would start having regular discussions with the board and making presentations so they're aware of it. And you know what? While you're doing this, and I've done this before, throw in some tips to the board members about things that are the newest technology that everybody is using, and then say, hey, while I'm here, here's some issues that impact us within the organisation, but they may impact you at home too.

Rebecca (28:57)
So here's how to make sure your new IoT device, your smart TV, isn't recording you and your family when you're watching something, and you may not even realise it, you know? So that communication is important. You need to build a team of stakeholders from across your organisation to truly also be communicating with the board. I mean, you already have stakeholders across the organisation speaking with the board of directors about their business unit, so have them also incorporate the privacy activities within that. And even better, or in addition to that, establish a board-level type of privacy programme oversight. Ask them, say, hey, it would be really great if one or two or three of you, a subteam of the full board, could actually provide oversight for my programme. So that way you can give me feedback, let me know how we're doing, where you have questions, where you have concerns, and then hold regular privacy briefings with them. So then that way you can see what they think about how you're doing things, and then you can communicate and answer questions about them to them too. Face-to-face communication is absolutely critical for privacy programme success.

Karissa (30:18)
Gee, it's hard for people, though, to even get a meeting to get time with people because they've got other people sort of knocking on their doors saying, oh, we've got to talk about human resources and finance and all these other things. And so do you think it just gets deprioritized and maybe they're not getting the airtime that they deserve and then as a result, like they're checking in maybe once a year, if that.

Rebecca (30:39)
Well, it is, but here's what I've done, and it's very helpful. Don't just wait and ask for a meeting. Instead of that, provide value add and get to the point where you're sending messages and just say, hey, this is Joe Smith and I'm the privacy officer here, and I saw this in the news and the Wall Street Journal, and one of our competitors, they experienced this privacy issue, so I just wanted to let you know that that's something that we need to address and that my programme is addressing as well. Whenever you see things in the news that you know the board is likely to see, or that is related to the type of work and services and products that your company is offering, just send those little notes just as FYIs. And what I found so interesting too is that when you send messages like that, just as FYIs, oftentimes they read them more closely than if you send something as high priority and please read. Set up a regular set of communications; they don't have to be long. So it's kind of the squeaky wheel concept, but in a more planned-out way that's maybe not squeaky wheel as in I'm complaining and I want to get things done.

Rebecca (32:12)
It's more like, here's something I just thought you should know about, because it's something that we are addressing here at the company as well. And you know, after a few messages they're going to start to watch what you're sending. They're going to get to know that you are the head of the privacy programme, and that's when you are more likely then to get that face-to-face meeting with them, instead of just waiting until once a year to ask for that.

Karissa (32:41)
Wonderful. Appreciate your answers, Rebecca. That's all we have time for today so thanks for sharing those insights and that summary and we'll definitely be linking the report in the show notes. Thanks Rebecca, thanks very much for your time. Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. If you'd like to find out how KBI can help grow your cyber business then please head over to KBI Digital.

Karissa (33:15)
This podcast was brought to you by KBI Media, the Voice of cyber.