Unwinding The Expert’s Journey Through Data Management and Access Control With Bruno Romulo Costa

Data management has become a central concern for organizations that need to protect sensitive information, and a strong foundation for a robust, resilient defense against online threats must be a priority.

Data protection, data privacy, and Zero Trust are intrinsically linked to a better security posture: adequate data protection is a prerequisite for maintaining data privacy, while the Zero Trust model ensures that data remains secure even inside networks that were traditionally treated as trusted.

Today, we are in discussion with Bruno Romulo Costa, an expert who will be sharing his experiences in data protection and privacy. Mr. Costa works at IBM on the Expert Labs team, helping organizations succeed in their cybersecurity journey, and has received many awards for improving cybersecurity practices.

Let’s learn from him about effective data management and controls.

Hello Mr. Costa, thank you for investing your valuable time in us. We are looking forward to gaining insight from your work.

Thank you for inviting me to participate in this roundup.

My cybersecurity journey started with a simple question: how can I protect myself in this digital world? I’m absolutely delighted to contribute to this roundup and share my data security expertise and cybersecurity journey. If this piece empowers even a single person, that would be my greatest reward.

Q1: You have worked across different organizations; what is the best practice you’ve observed in implementing effective data protection strategies that fit all industries?

Mr. Costa: Interesting question, thank you for asking.

In my experience, building effective data protection strategies requires a holistic approach that considers each organization’s unique needs, risk profile, and industry regulations.

If I had to choose a single best practice applicable to all industries, it would be cybersecurity and data privacy awareness training.

Human behavior often presents the weakest link in the chain. Phishing attacks and social engineering scams frequently exploit our vulnerabilities, putting valuable data at risk, and that is why leaders across the organization should consider training a priority.

Investing in training to raise awareness of the cybersecurity and privacy risks that the organization faces is a wise investment for any organization, regardless of its industry.

Q2: What are the main challenges in adapting data protection measures to various organizational cultures, and how can we successfully address these challenges?

Mr. Costa: Different companies have different ways of doing things, different levels of understanding about data security, and even different attitudes towards risk. This diversity can make creating a data protection plan that works for everyone complex. For example, a startup might prioritize rapid growth over data security, while a financial institution would mandate stricter data handling protocols. This inherent diversity in risk tolerance and security understanding can make buy-in challenging for data protection initiatives.

Companies, like people, learn at different paces. Some are ready for advanced data protection, while others need to start with the basics. Trying to push everyone too fast can leave some confused and frustrated, slowing down the whole process.

Tailoring the plan fosters an inclusive approach by recognizing and addressing specific needs, ensuring everyone feels engaged and able to contribute.

Today, organizations have free and widely adopted starting points for improving their cybersecurity posture, such as the NIST and CIS frameworks for critical infrastructure protection. National and state regulations, laws, and industry standards are also forcing organizations to comply and adapt their cybersecurity strategies. The push for compliance can provide organizations with a clear and structured path to improve their security posture. However, it is not enough.

Remember, the most effective data protection plan is one that fits the company like a glove.

Q3: How should we tailor data protection solutions (training, access controls, or incident response) to meet the unique needs and risk profiles of different organizations?

Mr. Costa: Every organization is unique, so there is no one-size-fits-all solution. Therefore, my suggestion is to focus on the basics, which could be the simple 3W1H questions (What/Where/Who/How).

For data protection specifically, my starting point would be simple questions that are relevant to the organization, such as: What data do they need to protect? (PII, HPI, financial data), Where is that data located? (databases, cloud, files, paper), Who poses the threats? (external/internal attackers, privileged users, users) and finally the H question: how can we effectively safeguard it? (monitoring, access control, data encryption).

This is a trick that helps me to think about the needs and to implement data protection solutions that are tailored to the organization’s specific needs.

By answering these questions through a formal risk assessment, organizations can profile their specific needs and vulnerabilities. For example, organizations with a higher risk profile may need to implement more robust access controls, monitoring, and incident response procedures, while organizations with a more distributed workforce may need to provide more training on data protection best practices such as phishing awareness or cloud security best practices for remote employees.

Understanding relevant data protection regulations and compliance requirements further strengthens this approach. Remember, tailoring data protection isn’t a one-time effort.

Q4: Can you share with us an example of a particularly innovative approach you’ve taken to data protection that had a significant impact on an organization’s security posture?

Mr. Costa: That is a good question. To be honest, I don’t have an innovative approach in mind, but I’m really excited for the next few years.

AI is pushing us, and will continue to push us, to completely rethink how we can protect not only data, but also privacy, intellectual property, copyrights, and so on. There are problems with securing AI that haven’t been solved yet, such as data model poisoning and malicious manipulation of models to exfiltrate sensitive information or proprietary data. Of course, encryption is about to change completely with the coming of homomorphic encryption and quantum-safe cryptography.

I’m grateful to be part of an innovative company like IBM where I can stay around brilliant minds and where I can stay in touch with new and emerging technologies like AI and quantum computing.

I’m confident that over the next few years I’ll have great stories to tell you about how I’m approaching data protection with innovative and exciting technologies.

Q5: Data privacy laws and regulations can vary significantly by region. How can we adapt to the complexities of international data privacy requirements in roles across different organizations?

Mr. Costa: This is certainly one of the most challenging aspects of working in data protection and it’s difficult to ensure that an organization is compliant with all applicable laws and regulations. Variations in data localization, consent, and breach notification across regions can be overwhelming, with non-compliance leading to legal penalties, reputational damage, and operational disruptions.

It’s not really part of my day-to-day job, but in my experience, regular legal assessments conducted by internal legal teams are crucial to identify the applicable laws and regulations. Furthermore, seamless communication between internal teams (legal, IT, compliance) and guidance from regional data protection experts are essential for success.

Q6: Different organizations have different cultures and data privacy techniques; what’s the best way to bring them all onto one page?

Mr. Costa: As I mentioned before, I strongly believe that training is the most important – and cost-effective – way to start.

It’s important to develop a global data protection/privacy strategy establishing common principles such as data minimization and guidelines for data privacy for different regions. But remember, cultural differences influence data privacy perceptions, so tailoring training and communication is crucial.

By integrating cultural understanding and best practices, organizations can build a resilient and compliant global data privacy strategy.

Bringing this all together, the key is to focus on training and communication strategies aligned with processes, techniques, and regulations. This ensures the organization stays in tune in this fast-moving and complex world. This is a continuous process, not a one-time solution.

Q7: Compliance and trust work together. How have you balanced legal requirements with the ethical aspects of data privacy in your roles, and what challenges did you face?

Mr. Costa: Absolutely! Compliance and trust are two sides of the same coin in data privacy. The challenge here is to strike a balance between legal requirements and ethical considerations.

I strive to ensure that data privacy measures are implemented in a way that is both compliant with applicable regulations and ethical towards individuals and organizations.

Therefore, I believe that it is important to take a holistic approach to data privacy, considering both legal and ethical factors, to develop effective and responsible data protection strategies.

My suggestion here is to keep focus on three key pillars:

First, practice data minimization and purpose limitation by collecting and storing only the minimum data necessary for the specific purpose.

Second, implement comprehensive transparency and control mechanisms to ensure that individuals have the right to know how their data is being used and to have control over it. Transparency is key to building trust.

Lastly, conduct regular privacy impact assessments to proactively identify and mitigate privacy risks. These assessments help ensure that legal requirements are met while also identifying potential ethical concerns that may not be explicitly addressed in the law.

Balancing legal and ethical considerations with business needs can be challenging, but following these steps can help ensure compliance and build trust through responsible data practices.

Q8: Zero Trust principles are challenging to implement in heterogeneous IT environments; what is the most challenging task?

Mr. Costa: In heterogeneous environments, the most challenging task is often finding the right balance between data security, operational efficiency, and user experience. A one-size-fits-all approach rarely works because each environment has its own unique set of constraints and pain points.

Legacy systems often lack crucial features such as granular access controls or multi-factor authentication. Furthermore, the diversity of devices, a mix of old and new technologies, and data sources across on-premises, cloud, and hybrid setups can make the journey to Zero Trust across the entire ecosystem a major headache.

Another challenge is educating employees and external stakeholders about Zero Trust and how it impacts their day-to-day routines. It is important to clearly communicate the benefits of Zero Trust and how it can help to protect their data and privacy. A tailored approach, balancing security with seamless user experience, can boost adoption.

Overcoming these challenges can strengthen organizational security. Zero Trust implementation is a marathon, not a sprint. It requires careful planning, phased rollouts, and continuous monitoring and adjustments. But with the right approach, you can build a robust security posture that adapts to an ever-evolving IT landscape.

Q9: What strategies have you employed to ensure that employees and external stakeholders understand and embrace the principles of a zero-trust security model?

Mr. Costa: Shifting to a zero trust model across your organization requires more than just firewalls, hardware, and software; it’s not just about technology.

It’s about cultivating a culture of security awareness and shared responsibility for all employees and external partners to adopt the “never trust, always verify” mindset, which is the core idea behind the Zero Trust model.

I believe that the most effective way to ensure zero trust is to provide regular training and education. Beyond traditional training, I’ve suggested interactive workshops and role-playing exercises to address different learning styles and keep everyone engaged. Using real-world examples and avoiding technical jargon can help ensure clear communication for everyone. It is also important to address any concerns they may have about zero trust through Q&A sessions and dedicated channels like FAQs.

These simple but effective strategies can help you communicate the benefits of zero trust and achieve success. Remember, cultural change takes time and effort, but the rewards of a security-conscious workforce are invaluable.

Q10: What are the key considerations when implementing encryption for data at rest and in transit to ensure both security and usability, especially when dealing with third-party vendors?

Mr. Costa: Balancing security and ease of use with third-party vendors and data encryption can be tricky. I would say the key considerations are:

Encryption standard: Choose widely accepted standards like AES-256 to ensure robust data protection both at rest and in transit. Opt for open and known encryption algorithms over ‘black box’ solutions for transparency and trust.

Key management: Implement secure key rotation and access controls, utilizing systems that integrate seamlessly with vendor platforms and open protocols like KMIP. This ensures strong protection of encryption keys, which are the foundation of data security.

Performance optimization: Consider options like key caching or hardware acceleration to mitigate performance overhead and maintain efficient data operations.

Compliance: Ensure your encryption strategy aligns with relevant data privacy regulations and industry standards to protect your organization from legal and reputational risks.

Lastly, but no less important, train users on the importance of data security and encryption best practices to minimize human error and create a security awareness culture.
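The key-management point above (secure key rotation alongside AES-256) is easiest to see in code. The Go program below is an added illustration, not code from the interview, from IBM, or from any product Mr. Costa mentions. It implements envelope encryption: each record is sealed with AES-256-GCM under its own data encryption key (DEK), and the DEK is stored only wrapped under a key-encryption key (KEK) that a key-management system would hold. Rotating the KEK re-wraps the DEK and leaves the record ciphertext untouched, which is why rotation stays cheap on large data sets. The KEK identifiers (`kek-v1`, `kek-v2`), the record label used as associated data, and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope holds one encrypted record. The data is sealed under a per-record
// DEK; the DEK is stored only wrapped under the KEK version named by KEKID
// (a hypothetical identifier chosen for this example).
type Envelope struct {
	KEKID      string // KEK version that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext, aad)
}

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts and authenticates plaintext plus aad under a fresh random
// nonce and returns nonce || ciphertext || tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; tampering with ciphertext or aad yields an error.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt makes a fresh DEK, seals the record with it, then wraps the DEK under
// the KEK. The KEK id is bound into the wrap as AAD so a wrapped DEK cannot be
// silently re-labelled as belonging to another KEK version.
func Encrypt(kekID string, kek, plaintext, aad []byte) (Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, aad)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(kekID))
	return Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt looks up the KEK version named in the envelope, unwraps the DEK and
// opens the record. Retired KEK versions are simply absent from keks.
func Decrypt(keks map[string][]byte, env Envelope, aad []byte) ([]byte, error) {
	kek, ok := keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", env.KEKID)
	}
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, aad)
}

// RotateKEK re-wraps the DEK under a new KEK version; the record ciphertext is
// copied unchanged, so no bulk re-encryption is needed.
func RotateKEK(env Envelope, oldKEK []byte, newID string, newKEK []byte) (Envelope, error) {
	dek, err := gcmOpen(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(newKEK, dek, []byte(newID))
	return Envelope{KEKID: newID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

func main() {
	kek1, _ := newKey()
	kek2, _ := newKey()
	aad := []byte("customer-record:42") // constructed context label for the example
	env, _ := Encrypt("kek-v1", kek1, []byte("ssn=123-45-6789"), aad)
	rotated, _ := RotateKEK(env, kek1, "kek-v2", kek2)
	current := map[string][]byte{"kek-v2": kek2} // kek-v1 retired
	pt, err := Decrypt(current, rotated, aad)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	_, err = Decrypt(current, env, aad)
	fmt.Println("stale envelope under retired KEK:", err)
}
```

Two details matter for the vendor scenario discussed above: the record label passed as associated data ties each ciphertext to its context, so a blob copied into another record fails to open, and the KEK version lives in the envelope, so a KEK that has been retired from the key store makes every envelope still referencing it unreadable, which is exactly the audit signal rotation should produce.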

Q11: What advice would you give newcomers wanting to start their career in this field?

Mr. Costa: Passion is fuel! It’s what keeps us fueled through late nights and complex challenges. Cybersecurity can be demanding, but a genuine passion for protecting data and systems will keep you motivated and engaged throughout your career.

The journey to becoming a successful cybersecurity professional is a continuous learning process, and from pen testing to threat intelligence, cybersecurity offers many paths.

Learning from experienced professionals, joining online communities and mentorship programs, and attending events are some tips for staying up to date and in touch with people in the field. Building a strong network will open doors to job opportunities and knowledge sharing, and it will accelerate your growth.

Embrace the challenges, stay curious, and never stop growing. The field needs bright minds like yours to build a more secure digital future for everyone.

Author: Anas Hasan

Date: February 14, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast with extensive experience in the digital transformation industry. When Anas isn’t blogging, he watches football.
