{"id":23609,"date":"2022-06-03T10:57:38","date_gmt":"2022-06-03T14:57:38","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=485341"},"modified":"2022-06-06T10:50:06","modified_gmt":"2022-06-06T14:50:06","slug":"talking-privacy-with-harvey-jang-ciscos-chief-privacy-officer","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/talking-privacy-with-harvey-jang-ciscos-chief-privacy-officer\/","title":{"rendered":"Talking privacy with Harvey Jang, Cisco\u2019s chief privacy officer"},"content":{"rendered":"<p>The biggest mistake IT leaders make in trying to secure sensitive data is not understanding where their data is and how it flows, says Cisco Systems\u2019 vice-president and chief privacy officer.<\/p>\n<figure id=\"attachment_487057\" aria-describedby=\"caption-attachment-487057\" style=\"width: 200px\" class=\"wp-caption alignright\"><img decoding=\"async\" class=\"size-full wp-image-487057\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2022\/06\/harvey-jang.jpg\" alt=\"\" width=\"200\" height=\"200\" srcset=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2022\/06\/harvey-jang.jpg 200w, https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2022\/06\/harvey-jang-150x150.jpg 150w\" sizes=\"(max-width: 200px) 100vw, 200px\"><figcaption id=\"caption-attachment-487057\" class=\"wp-caption-text\">Harvey Jang, VP and Chief Privacy Officer, Cisco<\/figcaption><\/figure>\n<p>\u201cSome of the challenges where there are slip-ups is when organizations don\u2019t fully understand or know their data flow architecture,\u201d Harvey Jang, the company\u2019s vice-president, chief privacy officer and legal head for privacy and security, said in a wide-ranging interview.<\/p>\n<p>\u201cYou really have to understand your data. You have to understand what you\u2019re collecting, what you\u2019re processing and who you\u2019re sharing it with. 
I think that\u2019s a critical piece \u2026<\/p>\n<p>\u201cUnderstand when it [data] is going from one [data] processor to another \u2026 and that has to be documented \u2026 from the point of collection to the processing, to sharing to archival storage and deletion. You have to spend some time in information governance and understanding the data life cycle and each step of vulnerability along the way and address it. \u2026<\/p>\n<p>\u201cThere\u2019s got to be due diligence in vendor management, vigorous security reviews \u2014 which includes privacy assessments \u2014 to really understand the risks of the dataset you\u2019re asking the third party to process data for you.\u201d<\/p>\n<p>\u201cYou may secure one environment,\u201d he added, \u201cbut when you use a third party, or third party cloud or an API, they may not be as secure or under scrutiny as your own environment.<\/p>\n<p>\u201cWe have a whole security division and consulting services where I see a lot of things escalating because of the third party. So if you have a zero trust organization, you have very strict standards and control your environment. That\u2019s when vendor selection becomes critical. Can your vendor live up to your privacy and security requirements and standards your organization has set up? So as you go from one vendor to the next and to the next and further downstream, that\u2019s where I think the danger or the risk [to data] increases. 
Third party risk and insider risk are probably the two biggest areas I\u2019m seeing.\u201d<\/p>\n<p>A lawyer and a member of the research advisory board of the International Association of Privacy Professionals (IAPP), Jang leads a team responsible for developing and orchestrating Cisco\u2019s global data protection policies, compliance capabilities, privacy engineering methodologies, certifications, and accountability frameworks.<\/p>\n<p>Before joining Cisco he was senior director of legal affairs at McAfee, lead counsel for privacy, security, marketing, consumer protection, and antitrust at Intel, and the director of privacy and information management as well as chief privacy and security counsel for HP.<\/p>\n<p>Two years ago he moved out of the legal side of Cisco to its operational side to focus on privacy. This month he moved back to legal to help transform the department\u2019s approach to privacy and other issues.<\/p>\n<p>He talks about \u201cdoing right by our customers and stakeholders, including our employees, and go beyond compliance.\u201d<\/p>\n<p>\u201cIf you are approaching privacy or data ethics or environmental for compliance\u2019s sake, you\u2019ve probably already failed. That\u2019s not the direction the law wants you to go, it\u2019s not the direction that we need to go as a company.\u201d<\/p>\n<p>It helps that privacy is top of mind for Cisco\u2019s customers, he said. A recent survey of customers in 28 countries this year showed over 90 per cent of respondents believe privacy is mission-critical. \u201cIt is our customers that are driving [Cisco] quite a bit in terms of privacy and security,\u201d he said. \u201cAnd they often go far and above what the law requires \u2026 and they really push the envelope to constrain what we at Cisco do with [their] data. First they want to make sure it\u2019s secure. So for Webex, we tell them that it is secure. 
But we went a step further and achieved some of these industry standards, certification through the security and privacy standards that are ISO. We achieved the EU Cloud Code of Conduct making sure that our Webex cloud meets European standard for privacy. The customers push it above and beyond what the law requires.\u201d<\/p>\n<p>Smaller companies that don\u2019t have robust privacy programs \u201care just grateful that we have enterprise customers and governments that have pushed this all the way through \u2026 they get all the high standards [in our products] that our European government customers get.\u201d<\/p>\n<p>However, he admitted, \u201chackers are very sophisticated. Unfortunately what we\u2019ve seen in breaches is it\u2019s not so much brute force attacks any more. What we see more is social engineering,\u201d with hackers either guessing passwords or installing keyloggers. \u201cHackers aren\u2019t busting firewalls,\u201d he said. \u201cThey\u2019re finding ways to get login credentials through phishing attacks or other ways and entering through that.\u201d<\/p>\n<p>Asked if organizations are pushed to collect too much data, Jang said there\u2019s an inherent tension between big data and data scientists and privacy requirements.<\/p>\n<p>\u201cPrivacy pushes this notion of data minimization \u2014 only [collect] what you need to service the explicit, articulated purpose that you set forth. The data and data scientists [say] \u2018Give me all the data that is possibly out there, we\u2019ll run some algorithms, and patterns will emerge, and then we\u2019ll tell you the meaning behind it.\u2019 So there\u2019s a bit of tension. But the interesting thing where you can manage that tension is [asking], \u2018are the patterns that you\u2019re looking for, do you need to have them individual identifiable?\u2019 Every time that\u2019s come up at Cisco the answer is \u2018No \u2026 we want to look at macro-level patterns\u2019. 
That\u2019s where artificial intelligence and machine learning come into play. So we give privacy-enhancing techniques for removing or masking the actual identifiers and replacing it with a [generic] string. So when you do things like using those privacy enhancing techniques you can play a bit more with the data.\u201d<\/p>\n<p>The CPO should ask the CEO what outcome the organization is trying to achieve with all the data it collects, he said. \u201cMore often than not they don\u2019t need the individual, or linking to a specific person, or looking at micro-level patterns of behaviour,\u201d Jang said.<\/p>\n<p>Asked why organizations don\u2019t put a priority on data-protecting technologies like encryption and network segregation, Jang said he\u2019s not sure they don\u2019t. \u201cYou want to make sure data is encrypted in storage and in transit,\u201d he said. But he also noted that \u201cwe\u2019ve seen slip-ups where employees leave open Amazon S3 buckets that are unencrypted, and that causes a lot of problems. Encryption and [secure storage] \u2026 are some of the basic aspects of security. There\u2019s more guidance out there than ever before, so it\u2019s harder to play ignorant.\u201d That guidance includes the U.S. Department of Commerce\u2019s <a href=\"https:\/\/www.nist.gov\/cyberframework\" rel=\"noopener\">National Institute of Standards and Technology (NIST) framework<\/a>, as well as other cybersecurity frameworks.<\/p>\n<p>No one can say they\u2019re too small for security, he added: They just need to prioritize.<\/p>\n<p>\u201cPeople are less able to make excuses any more for sloppy or poor security.\u201d<\/p>\n<p>On that, he added, implementing multifactor authentication to protect logins is vital.<\/p>\n<p>Privacy \u201ccan be super-complicated. 
You can get overwhelmed with the laws, the rules, the standards, all of that stuff.\u201d But, he insisted, \u201ceverything all boils down to three core principles: Transparency, fairness and accountability. If I try to distill all the laws, what are they getting at? Even a hundred pages of GDPR [Europe\u2019s General Data Protection Regulation] comes down to, you\u2019ve got to be transparent, you\u2019ve got to be fair and you\u2019ve got to have accountability and controls to live up to the promises you make. I think the more transparent you are, the more opportunity you have for others to test your fairness. And that you\u2019re willing straight-faced to say, \u2018I believe in what we\u2019re doing, I believe what we\u2019re doing is responsible so I\u2019m going to tell people about that.\u2019 That piece is critical.\u201d<\/p>\n<p>Asked whether every organization needs a chief privacy officer, Jang was equivocal. \u201cWhether you need one, you should have someone with the responsibility over personal data \u2026 Does it have to be a full time job with an enormous team? It depends on the risks and the data set that your organization is handling.<\/p>\n<p>\u201cWhere should the CPO report? There is no single answer. Because it [privacy] is multidisciplinary, no matter where that individual reports they will draw on the expertise from multiple teams. If you\u2019re selling product that handles personal data, you need to have a connect point into the engineering team. Whether that\u2019s a dotted line or a community of practice or some executive or leader designed with that responsibility, it varies from organization to organization. I don\u2019t think there is one way to do it. You have to look at the privacy risk of the organization, and where would that person fit who is responsible for properly handling personal data. 
Wherever that person needs to be, authority to drive behaviour is what matters.\u201d<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/talking-privacy-with-harvey-jang-ciscos-chief-privacy-officer\/485341\">Talking privacy with Harvey Jang, Cisco\u2019s chief privacy officer<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The biggest mistake IT leaders make in trying to secure sensitive data is not understanding where their data is and how it flows, says Cisco Systems\u2019 vice-president and chief privacy officer. \u201cSome of the challenges where there are slip-ups is when organizations don\u2019t fully understand or know their data flow architecture,\u201d Harvey Jang, the company\u2019s [\u2026]<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/talking-privacy-with-harvey-jang-ciscos-chief-privacy-officer\/485341\">Talking privacy with Harvey Jang, Cisco\u2019s chief privacy officer<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World 
Canada<\/a>.<\/p>\n","protected":false},"author":17,"featured_media":20692,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[361,16],"tags":[520,255,443,391],"class_list":["post-23609","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-privacy","category-security","tag-canadiancio","tag-cisco","tag-cyber-security","tag-di"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=23609"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23609\/revisions"}],"predecessor-version":[{"id":23673,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/23609\/revisions\/23673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20692"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=23609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=23609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=23609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}