IT Leaders Share their Insights on Data Privacy and Digital Transformation

According to Gartner, 75 percent of the global population will have their personal data covered under different data privacy regulations. Last week, we celebrated Data Privacy Day, a global cybersecurity event that is focused on the safety, security, and privacy of enterprise and consumer data. The theme for this year is “Take Control of Your Data.” Led by the National Cyber Security Alliance (NCSA), Data Privacy Day represents a global initiative targeted at raising awareness about the changing dynamics in Marketing, Advertising, and IT data management, as applied to the realm of enterprise and customer data privacy frameworks. As IT leaders strive to redefine new guidelines for privacy and security, they could shift budgets and strategies toward AI-led identity management and privacy-first campaigns. We spoke to the top IT leaders from data-driven organizations to understand how this year’s Data Privacy Day is a roadmap for building a reliable consumer data protection strategy in 2024.

Our panel of speakers include:

1. Jamie Hesketh, VP of Product of Picnic
2. Suzanna Chaplin, CEO of esbconnect
3. Peter Wallace, General Manager for EMEA at GumGum
4. Sean Adams, CMO, Brand Metrics
5. Carl D’Halluin, CTO, Datadobi
6. Don Boxley, CEO and Co-Founder, DH2i
7. Steve Santamaria, CEO, Folio Photonics
8. Carla Roncato, Vice President of Identity, WatchGuard Technologies
9. Allon Mureinik, Senior Manager, Software Engineering, Synopsys Software Integrity Group
10. Tom Ammirati, CRO of PlainID
11. Richard Bird, Chief Security Officer, Traceable AI
12. Dave Hoekstra, Product Evangelist, Calabrio
13. Cris Grossmann, CEO and founder of Beekeeper
14. Steve Moore, Vice President & Chief Security Strategist, Exabeam
15.  Or Shoshani, Co-Founder and CEO of Stream.Security
16. Connie Stack, CEO, Next DLP
17. Kayla Underkoffler, Lead Security Technologist, HackerOne
18.  Omri Weinberg, Co-Founder and CRO at DoControl
19.  Gopi Ramamoorthy, Head of Security & Governance, Risk and Compliance Engineering at Symmetry Systems
20. Eric Scwake, Director of CyberSecurity Strategy, Salt Security
21. Patrick Harr, CEO of SlashNext
22.  Philip George, Executive Technical Strategist, Merlin Cyber
23. Nick Edwards, VP of Product Management, Menlo Security
24. Krishna Vishnubhotla, VP of Product Strategy – Zimperium
25. Manu Singh VP of Risk Engineering, Cowbell
26.  Darren Guccione, CEO and Co-Founder, Keeper Security
27. John A. Smith, Conversant Founder and CSO
28. Ratan Tipirneni, President & CEO of Tigera
29.  Rick Hanson, President at Delinea 
30. Michael Brown, Vice President of Technology at Auvik
31. Dan Benjamin, CEO and Co-Founder of Dig Security (Acquired by Palo Alto Networks)

Understanding Consumer Trust in a Cookieless Future

Jamie Hesketh, VP of Product at Picnic

“Data privacy is undergoing a transformative shift, largely driven by the inevitability of a cookieless future.
Advertisers are compelled to pivot towards user-friendly, privacy-first targeting methods, be it through a deeper emphasis on contextual targeting or the exploration of cutting-edge technologies like machine learning attribution or Google’s Privacy Sandbox.

This shift necessitates extensive collaboration across the industry and rigorous testing during the adoption and transition phase. Those who fail to act and adapt risk falling behind, facing challenges in targeting accuracy as well as consumer trust in the evolving landscape of consumer data protection.”

Recommended: How Security Culture Will Define Success in the Era of AI

Sandbox, IDs, Contextual Targeting, and Cookies in the Data Privacy Era

Peter Wallace, General Manager for EMEA at GumGum

“It’s important that all organizations today acknowledge the importance of Data Privacy Day and join the global effort to respect people’s privacy and safeguard personal data. For the digital advertising industry, this is even more poignant in 2024 because of the deprecation of third-party cookies on Chrome, and the end of behavioral ads as the dominant method for targeting users online. Google could still adapt its timeframe for Chrome, of course, but the direction of travel won’t change. Advertisers are already exploring the viability of alternative strategies.

The problem is, that not all of the alternative solutions in the pipeline are inspiring the level of confidence they should. There are significant concerns around Privacy Sandbox, Google’s own replacement for third-party cookies, over whether it will be ready in time. Ongoing anti-competition investigations by the DoJ in the US and CMA in the UK will only add to that uncertainty. ID solutions, another audience targeting method being mooted, also face challenges that could mean they won’t fully scale for some time.

That’s why we’re seeing a major uptick of interest from advertisers in cookieless solutions, especially Mindset technologies like contextual targeting. Unlike Sandbox and IDs, contextual advertising requires absolutely no personal data, meaning it fully respects the privacy of consumers and will never be threatened by evolving privacy regulations. And, when it is deployed in combination with engaging, high-impact creatives and attention-based measurement and optimization, contextual becomes the blueprint for advertising in a post-cookie, privacy-first age; far more effective at reaching relevant consumers with the right mindset than behavioral advertising ever was.”

How do They Know So Much About Me? — Let the Data Speak!

Effective Data Management Enables You To Optimize Your Business Intelligence

Carl D’Halluin, CTO, Datadobi

“On January 28, we celebrated Data Privacy Day. Initiated in the United States and Canada in 2008 by the National Cyber Security Alliance, its aim is to raise awareness and promote privacy and data protection best practices.

The number one data privacy best practice is pretty simple: make sure you can get the right data to the right place at the right time. Wherever the data is in its lifecycle, it should be protected and only accessible as needed. Of course, this tends to be easier said than done. But, there is perhaps nothing more critical and imperative than implementing the right strategies and technologies to do so.

After all, while data is an organization’s most valuable asset (in addition to its people), it also represents its greatest potential risk.

Balancing these two aspects is key. In other words, effective data management enables you to optimize your business intelligence, make faster and smarter decisions, and gain a competitive edge, as well as better meet business requirements such as internal governance and legal mandates, external regulations, and financial obligations and goals.”

Top CIO Influence News: DataGuard Appoints Christine Walch as VP Marketing

Data Privacy is A Matter Of Corporate Survival

Don Boxley, CEO and Co-Founder, DH2i

“Data privacy isn’t just important for businesses – it is a matter of corporate survival. A company can make just one small mistake, and neglect one small security checkbox, and the consequences can be catastrophic. One small mistake could lead to a data breach that causes legal and regulatory fines, as well as irreparable damage to the company’s reputation — a nightmare from which recovery is near-impossible.

A software-defined perimeter (SDP) solution could be the answer!

Many SDP solutions are engineered to provide secure network connectivity across on-prem, cloud, and hybrid environments. SDP enables its users to transform their traditional network-based perimeter security with a more sophisticated one that creates micro-perimeters around data. SDP enables secure connections between data centers and across private and public cloud platforms without needing a VPN or direct connection, thereby significantly reducing security vulnerabilities even further.

In addition, for those focused on data protection and privacy, SDP enables the ability to create secure tunnels for specific applications, as opposed to entire network access. Ideally, such a solution would be streamlined and straightforward to manage, equipped with an intuitive interface that eases the configuration, and ongoing management of secure connections. This combination — increased security, ease-of-use, and adaptability – makes SDP the ideal choice for protecting data and ensuring data privacy.”

Data Protection Strategies Bound to Evolve in 2024

Steve Santamaria, CEO, Folio Photonics

“On Data Privacy Day, we are reminded of the business-critical importance of safeguarding sensitive information – both professional and personal – at a time when data breaches and cyber threats have become all too common. For data protection professionals, this should not be viewed as a gentle nudge but rather a polite – yet strong shove toward reviewing and fortifying the technology and policies underpinning your data protection strategy.

How can anyone not admire those responsible for their organization’s data protection?

As we in the business know – it’s no walk in the park! The good news is of course, that smarter and more powerful technology solutions continuously enter the marketplace, ready to take their place in the data protection professional’s arsenal. Active archives built on an optical storage foundation can offer an ideal data protection solution for several compelling reasons.

Firstly, they provide a high level of security as data stored on optical discs is read-only, rendering it resistant to cyber threats like ransomware. Optical storage is also highly durable — able to withstand physical damage from factors like magnetic fields, moisture, and temperature fluctuations, ensuring the safety of critical data.

What’s more, optical storage media boasts a long lifespan, making it ideal for data archival and compliance requirements while also being cost-effective in the long term. And, last but certainly not least, it can be easily air-gapped – adding a virtually impenetrable defense against a cyber-attack.

Retrieving data from optical storage is quick and reliable due to fast read speeds, making archived data readily accessible. And, if that isn’t enough — it is environmentally friendly, consuming less energy and having a lower carbon footprint compared to alternative storage options.”

AI and Machine Learning Technologies to Benefit Information Security Community

Carla Roncato, Vice President of Identity, WatchGuard Technologies

“Advances in artificial intelligence (AI) and machine learning (ML) technologies were top of mind this Data Privacy Day, both for the potential benefits and troubling dangers these tools could unleash. Considering the widespread proliferation of AI tools in just this past year, we in the information security community must seize this opportunity to raise awareness and deepen our understanding of the emerging risk of AI for our data. As AI becomes a more integral – and infringing – presence in our everyday lives it will have real implications for our data rights.

Remember, if a service you use is “free,” it’s likely that you and your data are the product. This also applies to AI tools, so act accordingly. Many early AI services and tools, including ChatGPT, employ a usage model that’s similar to social media services like Facebook and TikTok. While you don’t pay money to use those platforms, you are compensating them through the sharing of your private data, which these companies leverage and monetize through ad targeting.

Similarly, a free AI service can collect data from your devices and store your prompts, then use that data to train its own model. While this may not seem malicious, it’s precisely why it’s so crucial to analyze the privacy implications of processing scraped data to train generative AI algorithms. Say one of these companies gets breached; threat actors could obtain access to your data, and – just like that – have the power to weaponize it against you. 

Of course, AI has potential upsides. Many AI tools are quite powerful and can be used securely with proper precautions.

The risks your business faces depend on your specific organization’s missions, needs, and the data you use. In security, everything starts with policy, meaning that ultimately you must craft an AI policy that’s tailored to your organization’s unique use case.

Once you have your policy nailed down, the next step is to communicate it, as well as the risks associated with AI tools, to your workforce. But, it’s important to continue to revise or amend this policy as needed to ensure compliance amid changing regulations – and be sure to reiterate it with your workforce regularly.”

Data Privacy: Is Sharing Caring?

Allon Mureinik, Senior Manager, Software Engineering, Synopsys Software Integrity Group

“In today’s world of social media and open-source development, sharing seems to be the social norm. After all, we were all taught that sharing is caring. This is true not only for individuals but for companies too – whether intentionally on their social media accounts and company websites or unintentionally by the actions of their employees, companies might share more than they ought to.

In a world where information is the hottest commodity and any small sliver of data could be used by a competitor or even an unlawful attacker, companies would be well advised to prioritize the protection of their and their employees’ data.

The first step in any such effort is defining a set of policies about what can be shared, how it can be shared, and by whom. These policies should cover both the actions of the company’s employees (e.g., defining what work-related aspects can be shared on social media) and the technical measures taken to support these policies (e.g. blocking social media sites on work-issued laptops). While it may be compelling to create a “share nothing, hide everything” policy, this often isn’t advisable, or even possible. Any such policy should assess the risk any data exposure would create and weigh it against the potential benefit.

Second, having such a policy in place is all but useless if it isn’t shared with the employees, and training isn’t offered so they understand their role in protecting the company’s (and their own!) private data.

The important part of this training isn’t just memorizing rules and regulations, but having the employees truly understand the intent behind them, and what they are supposed to achieve.”

The Future of Smart Security Solutions in the Data Privacy Era

Tom Ammirati, CRO, PlainID  

“This year’s theme is ‘take control of your data,’ and the key to that is an organization protecting its data and the applications from cyberattacks. If a bad actor, which can include an employee, has gained access credentials, ensure that they don’t have automatic access to any or all data.

We know now that smart security solutions must be “identity-aware,” but they also call for a smart, dynamic authorization solution. One of the most significant benefits of zero trust is the process of granting an authenticated entity access to resources. Authentication helps ensure that the user accessing a system is who they claim to be; authorization determines what that user has permission to do. Arming your IT team with smart security solutions can be the key difference between a full-blown security incident and a security alert.”

The Problem of Oversharing Data With Companies

Richard Bird, Chief Security Officer, Traceable AI 

“Data privacy faces significant challenges at both consumer and federal levels. Many companies overlook the risks associated with seemingly harmless data, focusing instead on its value for user services and revenue growth. However, the data that is valuable to companies is also valuable to malicious actors, and failing to acknowledge this can lead to devastating lapses in data security.

In addition, companies today have no incentive to honor data privacy. Fines and lawsuit settlements clearly aren’t changing their behaviors or forcing these organizations to be good stewards of their customers’ trust.

Consumers must also exercise caution in oversharing data with companies, approaching privacy settings with a worst-case scenario mindset, as historical patterns reveal companies often neglect user privacy and safety concerns.

In addition, the recent executive order on artificial intelligence by the Biden administration enumerates a laundry list of digital privacy rights that the US government has already shown its inability to protect. This can be seen in incidents like the OPM hack, PPP loan fraud, and IRS refund processing, which raises doubts about the effectiveness of these guidelines and standards.

As we observe Data Privacy Day, let’s turn awareness into action.

Advocate for stronger data protection measures, demand transparency from companies, and stay informed about your digital rights. It’s a collective effort to safeguard our privacy in an increasingly interconnected world.”

Protecting Data in Hyper-sensitive Landscape

Dave Hoekstra, Product Evangelist, Calabrio  

“Data Privacy Week reminds us of the critical need to protect sensitive information. Dave Hoekstra, Product Evangelist at Calabrio, emphasizes that now more than ever, securing customer-related information—a company’s most valuable asset—is a key strategic initiative.

In the realm of contact centers, where copious amounts of customer information and inquiries are processed, Calabrio places immense care in protecting this data. The commitment extends beyond our operations, as they actively encourage privacy consciousness among their partners. This dedication becomes even more vital in a landscape witnessing a surge in AI integrations.

As we navigate a world increasingly shaped by artificial intelligence, our proactive approach to data privacy meets industry standards and sets a benchmark for fostering trust. By prioritizing privacy consciousness, they can help secure information and contribute to building a foundation of trust in an evolving technological landscape.”

Data Privacy and Becoming GDPR-Compliant

Cris Grossmann, CEO and founder, Beekeeper

“When we celebrate ‘Data Privacy Day,’ we can’t overlook our frontline workforce who don’t traditionally sit behind a computer, yet still need their personal information and sensitive data protected. Frontline industries can tend to depend on outdated processes of communications, ranging from pen and paper to personal text chains that leave workers vulnerable to data leaks. Companies need to prioritize leveraging technology that allows for secure messaging and takes their workers’ privacy into account.

As AI continues to find its way into the workforce, companies need to be mindful of using these tools to empower their workers, not exploit them. A first step employers can take is to make sure their tech is GDPR-compliant.

Supplying your frontline workers with an updated and secure frontline success system is a crucial step in fostering a culture of trust and security within the organization.

By embracing modern technologies that prioritize data privacy, companies not only safeguard sensitive information but also empower frontline workers to perform their roles confidently, knowing that their data is handled with the utmost care.”

Data Privacy Isn’t Just A One-day Ordeal

Steve Moore, Vice President & Chief Security Strategist, Exabeam  

“Data Privacy Day presents an opportunity to reflect on the question “Who is in charge of data privacy, the individuals sharing their data or the organizations in charge of protecting it?”

An individual’s digital identity — their username and password — will always be stolen, traded, sold, and reused. One of the easiest ways for threat actors to conduct these attacks is credential stuffing — where adversaries leverage account information from prior breaches. Both organizations and individuals must understand what these attacks are, and just how prevalent they can.

So, who takes the blame when cyberattackers abuse reused customer passwords but companies don’t push for better hygiene?  

While an unsatisfying answer, the liability in these scenarios is often shared across both parties.

A key takeaway here is that companies could, and should, exert more of their own power and security tools to protect customers against increasingly aggressive adversaries. And, individuals can make these attempts more difficult just by following best practices like implementing multi-factor authentication (MFA) and not recycling the same passwords.

In the end, high-profile data breaches are only getting more frequent. 

Data privacy isn’t just a one-day ordeal; it’s a year-round endeavor that requires the participation of both companies and their customers to combat cyber adversaries.”

The Rise Of AI-driven Social Engineering

Or Shoshani, Co-Founder and CEO, Stream.Security 

“Considering the rise of AI-driven social engineering, Data Privacy Day reminds us of the urgency of maintaining our security structure to protect our data both on-prem and in the cloud.

72% of organizations are defaulting to cloud-based services when upgrading their tech. So, it’s not surprising that recent surveys show cloud security incidents on the rise with 27% of organizations having experienced a public cloud security incident, up 10% from 2022.

Effectively managing your cloud security processes is the most crucial step in protecting your data. You can successfully prevent threat activity by fine-tuning and enhancing the steps associated with securing your cloud environment. Promote security awareness, follow compliance procedures, and educate yourself and your team to maintain the security of your data with the latest versions of your cloud security tools.

Protecting your data in the cloud starts with education and ends with action.”

Data Security And Privacy Are Paramount in 2024

Connie Stack, CEO, Next DLP  

“Data privacy has taken on increased importance in the last few years.

According to Gartner, by the end of this year, 75% of the world’s population will have its data covered under modern privacy regulations, meaning organizations have a duty – and quickly – to instill compliant procedures, technologies, and culture.

Customers will be far more vigilant of how their data is being protected when choosing vendors in the coming years (if they aren’t already). What a vendor does to ensure a potential customer’s sensitive data is appropriately protected will become a key selling point.

For these vendors, this means enacting compliant privacy solutions that protect customer data and provide businesses with behavior separate from the users.

What’s more, we’re also seeing intensifying pressure on CISOs to streamline their cybersecurity tools. The adoption of consolidated solutions from major tech companies stems from two primary challenges – the scarcity of skilled cybersecurity professionals and the internal drive for cost efficiency. While this move towards consolidation is becoming a norm, it’s vital to remember that depending on a single solution provider for all security requirements can be risky.

While cost reduction will always be top of mind for executive teams (especially CFOs), organizations should be looking to implement robust Data Loss Prevention (DLP) and Insider Threat Management (IRM) controls, which become essential when consolidating.

No organization runs solely on the likes of Microsoft applications, Microsoft file types, and nothing else, for example.

In an era where data security and privacy are paramount, DLP and IRM solutions safeguard data regardless of location.

By keeping a vigilant eye on data movements and access patterns, these solutions ensure that while the organization benefits from the efficiencies of a streamlined security infrastructure, data privacy requirements are not compromised.”

What are the Non-negotiable Components In Safeguarding Organizational Data?

Kayla Underkoffler, Lead Security Technologist, HackerOne 

“Data Privacy Day serves as a reminder that it’s the collective responsibility of businesses, governments, and individuals to protect sensitive data. As cyber threats continue to become more sophisticated and pervasive, we all must stay vigilant and proactive.

This is particularly crucial amidst the whirlwind of excitement around advancements like generative artificial intelligence (AI). As AI simplifies tasks that were previously highly technical, humans must remain at the center of shaping and monitoring this automation. Without oversight, overreliance on these tools can exacerbate data security and privacy challenges with flawed code and outputs. Basic security hygiene and human-in-the-loop processes help us remain proactive about reducing this risk in new eras of innovation. Basic tenets such as robust patch management, stringent password policies, and meticulous access control are non-negotiable components in safeguarding organizational data.

As we celebrate Data Privacy Day, organizations must remember to follow the fundamentals of security to ensure the protection of data, our resilience against evolving threats, and a safer internet for everyone.”

Risks Of Data Sharing

Omri Weinberg, Co-Founder and CRO at DoControl

“An often overlooked aspect of data security, especially in SaaS environments, is the insider threat posed by employees. Collaboration through these platforms, while boosting productivity, can inadvertently lead to the exposure of sensitive information. Organizations must educate their teams on the risks of data sharing and implement robust controls to mitigate accidental breaches.

Ensuring data privacy is a collective effort, where every employee’s awareness and vigilance are key.”

The Core Principle Of Privacy By Design Is Based On Least Privilege And Need-to-know Basis

Gopi Ramamoorthy, Head of Security & Governance, Risk and Compliance Engineering at Symmetry Systems

“For individuals, data privacy should start with Zero trust. It is highly recommended not to share personally identifiable data (PII) with any organization or any website unless required. If you are providing PI to a required site, always use caution to ensure the website that you are on is correct, legitimate, and secure.

Many fake sites collect personal data. Additionally, posting on social media and reacting to social media posts should be done with no sharing of personal information including sensitive information like home address, travel, family plans, and related information.

For organizations, GDPR articles 4,5, and 6 can be referred to for guidance in making decisions on what personal data to collect and why. These three articles define the means and purpose of collection data and processing principles. Other privacy regulations have similar articles that guide based on PII data collection. Once data collection and purpose are decided, adequate data security needs to be carefully planned. Securing PII starts with Privacy By Design (PbD).

The core principle of Privacy By Design is based on least privilege and need-to-know basis.

Organizations should have clearly defined and strict access controls around PII data based on regulations, policies, and procedures. Also, organizations should implement adequate logging and monitoring controls. For many tasks such as data discovery, data classification, data access controls, etc., the latest technologies can be used for effective security, automation, and scaling.”

Encryption is Everything in Data Privacy

Eric Scwake, Director of CyberSecurity Strategy, Salt Security

“Data Privacy Weeks allows organizations of all sizes to reflect on their critical data and assess ways to ensure its safety and security. Customers and internal stakeholders trust organizations with their data, but the digital transformation has exposed it to more significant threats. As APIs are now touching this data more than ever, it’s essential to understand how they utilize it and promptly identify any potential risks.

When considering data privacy, it’s crucial to consider the people, processes, and policies involved.

1. Understand your APIs: Have processes in place to understand APIs used in your environment, including what data they access. Knowing this will allow you to apply policy governance rules to API’s across your organization.
2. Embrace Access Control: Implement strong authentication and authorization protocols to ensure only authorized applications and users can access data. Use multi-factor authentication, API keys, and granular access controls.
3. Encryption is Everything: Encrypt data at rest and in transit, rendering it useless to any unauthorized eyes that might intercept it.
4. Vulnerability Vigilance: Regularly scan your APIs for vulnerabilities and patch them promptly. Proactive monitoring is vital to staying ahead of evolving threats.
5. Transparency Matters: Open communication is vital. Clearly, document your API usage policies and data privacy practices. Let users know what data you collect, why, and how they can control its use.

These steps allow organizations to build a robust data privacy ecosystem where APIs become guardians, not vulnerabilities. Commit to securing these digital gateways and ensuring data travels safely in the online world this Data Privacy Week.”

GenAI in Rewriting Data Privacy Rules for Organizations

Patrick Harr, CEO of SlashNext

“One of the biggest gaps in security postures today is how personal and corporate data is protected in the age of the hybrid and remote workforce. These blind spots are becoming more readily apparent as organizations and individuals adopt new channels for personal messaging, communications, and collaboration. Targeted phishing attacks in collaboration tools are becoming more common because the likelihood of success is higher than email phishing attacks. Users are not expecting phishing attacks in Teams or Sharepoint, and these attacks are often too sophisticated for a user to determine the communication is malicious. It’s also far less common for organizations to have security protections in place around these types of tools compared to email security solutions.

And, when a phishing attack succeeds, the cybercriminals capture private data, personal information, and company data, or they may even install malware directly onto the device to facilitate ongoing attacks.

In 2023 especially, the introduction of Generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly with cyberattacks launched through common messaging apps including email and SMS text messaging. These new AI tools have helped attackers to deliver fast-moving cyber threats, and have ultimately rendered email security that relies on threat feeds, URL rewriting, and block lists ineffective, putting organizations’ private data at high risk.

In fact, SlashNext’s latest State of Phishing report revealed a 1,265% increase in phishing emails since the launch of ChatGPT in November 2022.

The best defense for an organization to protect against phishing and ensure the safety of both its corporate data as well as employees’ personal data is to always be one step ahead of the attackers. Cyber security protection must leverage AI to successfully battle cyber threats that use AI technology. You have to fight AI with AI.”

Security Leaders And Data-owners Should Follow Nist’s Guidance

Philip George, Executive Technical Strategist, Merlin Cyber

“Year after year, Data Privacy Week invokes calls for better data protection practices, regulations, and standards, and encourages individuals to be more conscious of how they share and protect their own personal data online. These are all important parts of the data privacy conversation, but this year a much stronger emphasis needs to be placed on post-quantum cryptography (PQC) and what organizations must be doing now in order to ensure data remains protected in the post-quantum future. Today’s data encryption standards will be ineffective against advanced decryption techniques fueled by cryptographically relevant quantum computers. Although commercial quantum computers exist today, they have yet to achieve the projected computational scale necessary for cryptographically relevancy. However, this reality may change quickly, considering the continued investment by nation-states and private sector alike. Coupled with the growing application of ML/AI in the areas of research and development, the potential for more breakthrough developments in quantum computing remains high. Which means, the chances for any of the aforementioned entities reaching quantum cryptographic relevancy are improving day by day.

NIST is expected to publish its first set of PQC standards this year, which will serve as an important step toward providing organizations with quantum-resistant cryptography solutions.

Security leaders and data-owners should follow NIST’s guidance and begin their internal preparations today. Primarily, this should entail establishing an integrated quantum planning and implementation team and mapping out cryptographic dependencies by conducting a full system cryptographic inventory. After conducting this inventory, security teams can then implement a risk-driven modernization plan that starts with business-critical and protected data (by law) systems.

These activities must happen in 2024, because threat actors are, in fact, already targeting encrypted data, by taking a “steal and store now to decrypt later” approach. Quantum computing-based attacks will become a reality shortly, and we cannot wait until cryptographic relevancy is achieved to begin what may become the largest cryptographic migration in modern history/the history of computing.”

Preventing Copy-Paste Actions Using AI Can Secure Enterprise Data

Nick Edwards, VP of Product Management, Menlo Security

“The explosion of Generative AI use following the launch of ChatGPT in November 2022 has opened a world of new risks and data privacy concerns. Companies must be aware of how these tools can potentially compromise or expose sensitive data. By nature, they pose a significant security risk, especially when employees inadvertently input corporate data into the platforms. When data is entered within these models, that data is used to further train the model to be more accurate. In May 2023, a group of Samsung engineers input proprietary source code into ChatGPT to see if the code for a new capability could be made more efficient. Because of the model’s self-training ability, the Samsung source code could now be used to formulate a response request from other users outside of Samsung. In response, Samsung banned ChatGPT.

Our team of researchers at Menlo Security found more than 10,000 incidents of file uploads into generative AI platforms including ChatGPT, Microsoft Bing, and Google Bard, and 3,400 instances of blocked “copy and paste” attempts by employees due to company policies around the circulation of sensitive information.

To prevent data leakage similar to the one described previously, employees should be trained in how to use these platforms securely. Organizations need to prioritize data security tools that prevent information from being shared with Generative AI platforms in the first place. While data loss protection (DLP) tools are useful, organizations need a layered approach that could include, for example, limiting what can be pasted into input fields, restricting character counts or blocking known code.

Another data privacy concern was uncovered last month, when OpenAI launched the GPT store, which allows OpenAI subscribers to create their custom versions of ChatGPT. As exciting as this is for developers and the general public, this introduces new third-party risks since these distinct “GPTs” don’t have the same levels of security and data privacy that ChatGPT does.

As generative AI capabilities expand into third-party territory, users are facing muddy waters on where their data is going. Securing access to generative AI tools is just one of the topics covered in Menlo’s State of Browser Security Report, launched this week, which talks to the wider landscape of evasive threats targeting users in the browser.”

Data Privacy Policies Should Protect Devices against Phishing and Scams

Krishna Vishnubhotla, VP of Product Strategy – Zimperium

“The biggest risk to our private data lies in the mobile devices we use every day and the applications that are on them. In fact, the Zimperium 2023 Global Mobile Threat Report showed that 80% of phishing sites now either specifically target mobile devices or are built to function on both mobile devices and desktops and that the average user is 6-10 times more likely to fall for an SMS phishing attack than an email-based one.

As we know in today’s workplace, particularly following COVID, many of us are working from home (or working from anywhere).

We have seen employees working on personal mobile devices that are accessing all the same data that they were previously accessing via corporate devices. The organization has to protect the data that’s being accessed at all times, while at the same time ensuring privacy for the user on the personal device. Organizations must ensure that the device accessing its data is safe; the network it’s connecting from is safe and trusted; and the applications on the device are not hostile.”

The Importance of Good Cyber Hygiene

Manu Singh VP of Risk Engineering, Cowbell

“In today’s threat landscape, we are seeing the continued evolution and sophistication of cyberattack techniques and tactics, including bad actors circumventing multi-factor authentication (MFA) and accessing offline backup systems. What the industry previously considered ironclad defenses simply aren’t anymore. This Data Privacy Day, organizations should prioritize staying ahead of threats through:

• Conducting a risk assessment to identify the vulnerabilities within the organization, and actioning on the findings. A risk assessment shows organizations what their architecture looks like, their vulnerabilities, and more. Addressing issues identified in a risk assessment puts an organization in a better position to deal with cyber incidents. If you work with a cyber insurance provider, ask them for your organization’s risk assessment report and how they can help you improve your cyber hygiene.
• Upholding good cyber hygiene. While cybersecurity measures should be tailored to an organization based on its risk assessment, it’s important to follow basic best practices: adopt MFA, deploy an Endpoint Detection and Response (EDR) solution, keep up with patching, maintain good password hygiene by adopting a password manager, and have offline and tested backups/copies of all data.”

Attacks Are Changing, Protecting Yourself Isn’t

Darren Guccione, CEO and Co-Founder of Keeper Security

“This Data Privacy Day, industry experts may warn about the new and novel ways attackers are violating your privacy and breaching your data. From the threats that come with generative AI to the rise of attacks targeting genealogy companies like 23andMe that hold highly sensitive personal information, it’s certainly clear the tools in a cybercriminal’s arsenal are growing more sophisticated. However, the fundamental rules of protecting oneself in the digital landscape remain as relevant as ever. 

Basic cybersecurity measures, such as creating strong and unique passwords, enabling multi-factor authentication, and keeping software up to date, are frequently overlooked. A recent study by Keeper found a quarter of IT leaders confessed that they even use their pet’s name as a password!

Take the following steps to proactively protect yourself in the evolving digital world:

1. Use strong, unique passwords for every account

2. Enable multi-factor authentication

3. Regularly update software

4. Employ strict privacy settings on apps and browsers

5. Avoid oversharing on social media

6. Back up your important data

Before finding yourself overwhelmed by all the ways cybercriminals can attack you, sit down and consider these basic cybersecurity measures and whether you are following them. Number one is critical but difficult to achieve using just your memory, so consider using a password manager to safely and securely store and manage passwords. By taking these proactive steps, you can significantly strengthen your data privacy and reduce the risk of falling victim to both current and evolving cyber threats.”

Data Privacy Is Not Just A Technical Concern

John A. Smith, Conversant Founder and CSO

Cyberattacks are the top global business risk of 2024.

Data Privacy Week provides organizations an opportunity to raise awareness about data privacy issues and associated security risks, educate individuals about protecting their personal information, and promote more secure organizational data practices.

Organizations should consider the following to increase data privacy and security within their company:

• Adhere to regulations and compliance requirements:

• Understand that compliance isn’t enough

• Measure your secure controls against current threat actor behaviors:

• Know your limitations

• Change your paradigms

• Most breaches follow the same high-level pattern

Data privacy is not just a technical concern, but a crucial tenet of ethical business practices, regulatory compliance, and maintaining the trust of individuals who interact with your business. It has become an integral part of building a secure and resilient digital economy.”

Effective Posture Management for Micro-segmentation

Ratan Tipirneni, President & CEO of Tigera

“To manage data privacy in 2024, enterprises and small businesses alike should prioritize holistic cybersecurity. While Kubernetes adoption has taken off, most Kubernetes teams haven’t implemented adequate posture management controls. They continue to implement the minimal level of security mandated by compliance requirements. This bubble is about to burst. This will manifest as stolen data (data exfiltration) or ransomware. However, this can be easily prevented through effective posture management to ensure that the right egress controls and micro-segmentation are in place.”

The Growing Concern Related to AI Deepfakes

Rick Hanson, President at Delinea 

“The end of privacy as we know it might be closer than you think. The world is increasingly relying on the expanding AI and machine learning technologies. This reliance could result in privacy becoming less and less of an option for individuals, as AI’s capabilities in surveillance and data processing become more sophisticated.

2023 marked a significant leap in the authenticity of deepfakes, blurring the lines between reality and digital fabrication, and that is not slowing down any time soon. Our digital identities, extending to digital versions of our DNA, can be replicated to create digital versions of ourselves, which can lead to questioning who owns the rights to our online personas.

Unfortunately, advancements in AI technologies are evolving more swiftly than current regulations can keep pace with. In 2024, we can expect stricter data protection requirements across more countries and regions. But until these regulations evolve and can keep pace, it is important to reduce our risk and protect our privacy however possible.

One of the best ways to do this is to continuously check each application including what data is being collected and processed, and how it is being secured.

Use a password manager or password vault to securely store credentials, and leverage multi-factor authentication (MFA) to ensure credentials don’t get exploited by forcing whoever the user is to prove its identity beyond just a username and password.

If a data privacy breach does occur, it is also important to have a cyber insurance policy in place to ensure you’ll have the means to continue to operate and recover.”

Actions that May Violate Other Employee’s Privacy

Michael Brown, Vice President of Technology at Auvik

“The evident tension between employee monitoring and personal privacy makes it imperative for companies to find and maintain an appropriate balance that upholds critical visibility while respecting boundaries and adhering to data privacy laws.

With the continued expansion of remote and hybrid work, there is a heightened necessity for employers to keep a close eye on the way that employees are utilizing devices and applications in their daily routines. In addition to providing valuable information about the types of and ways in which technology is being used, employee monitoring ensures that installed applications are up-to-date, protects against known security vulnerabilities, and identifies potential productivity improvements.

However, maintaining data privacy during this process is critical; when boundaries are overstepped and certain kinds of information are collected, this can feel invasive to employees and result in reduced morale as well as the potential violation of data privacy laws.

On one end of the spectrum, monitoring an employee’s every action provides deep visibility and potentially useful insights, but may violate an employee’s privacy.

On the other hand, while a lack of monitoring protects the privacy of employee data, this choice could pose significant security and productivity risks for an organization. In most cases, neither extreme is the appropriate solution, and companies must identify an effective compromise that takes both visibility and privacy into account, allowing organizations to monitor their environments while ensuring that the privacy of certain personal employee data is respected.”

The Problems with Cloud Migrations and the Role of Data Storage Platforms

Dan Benjamin, CEO and Co-Founder of Dig Security (Acquired by Palo Alto Networks) 

“As organizations embrace Cloud migrations, their infrastructure becomes increasingly fragmented. With multi-cloud and containerization becoming de-facto standards, this trend has intensified. Data storage and processing is dispersed, constantly changing, and handled by multiple vendors and dozens of tools.

To secure data, businesses found themselves investing in a broad range of tooling – including DLP for legacy systems; CSP-native solutions; compliance tools; and more. In many cases, two separate tools with similar functionality are required due to incompatibility with a specific CSP or data store.

This trend is now reversing.

Economic pressures and a growing consensus that licensing and management overhead have become untenable are leading organizations toward renewed consolidation. Businesses are now looking for a single pane of glass to provide unified policy and risk management across multi-cloud, hybrid, and on-premises environments. Security solutions are evolving accordingly – moving from point solutions that protect a specific data store toward more comprehensive platforms that protect the data itself, wherever it’s stored and in transit.”

Conclusion

Generative AI governance and cookie deprecation have already emerged as megatrends in data privacy. Most companies, In the last two years, have changed their data privacy and security management policies for AI and cookies. In 2024, large organizations could invest more in their data storage and management infrastructure for AI foundation models that feed into marketing and advertising technologies (Mar-AdTech). According to Gartner, the annual privacy budget could exceed $2.5 million this year, with a major focus on adapting to data localization, privacy-enhancing computation technologies, and AI tools for governance. As newer Mar-AdTech and IT security technologies emerge for data storage and analytics, leading business teams would seek AI talent and leadership to stay on top of two things– the competition and the regulations.

So, what’s your data privacy management roadmap for 2024?

[To share your insights with us as part of the editorial and sponsored content packages, please write to sghosh@martechseries.com]