Cybersecurity Podcast

Privacy Across the Pond, Part 1

From privacy to identity to work-life flow — CTO and Head of Strategy, Andrzej Kawalec and GM and Global Vice President of Digital Identity and Data Management, Julie Talbot-Hubbard break down all things privacy, data and identity in Part 1 of Privacy Across the Pond.





Andrzej Kawalec

CTO and Head of Strategy, EMEA

Optiv’s CTO and Head of Strategy, EMEA, Andrzej Kawalec brings experience from some of the world’s largest companies. Most recently, as chief technology officer and head of strategy and innovation at Vodafone, he led the company’s enterprise vision of cybersecurity preparedness for more than 462 million users. Kawalec previously served as CTO and director of security research at Hewlett Packard.

Julie Talbot-Hubbard

Global Vice President and General Manager, Digital Identity and Data Services

Julie Talbot-Hubbard is an experienced cybersecurity practitioner, technology executive and former Chief Information Security Officer (CISO). As the Global Vice President and General Manager of Digital Identity and Data Services, she is responsible for delivering solutions that balance risk, business realities and operational impacts for Identity and Data Management. Prior to Optiv Julie held executive positions at global finance, education, health care and technology companies. She was nominated for and attended the FBI Executive CISO Academy and is a board member at the Identity Defined Security Alliance.






Transcription

Podcast Intro: From privacy to identity to work-life flow — CTO and Head of Strategy, Andrzej Kawalec and GM and Global Vice President of Digital Identity and Data Management, Julie Talbot-Hubbard break down all things privacy, data and identity in Part 1 of Privacy Across the Pond. Listen to our podcast for the full interview between Andrzej and Julie.

Andrzej: It's so lovely to speak to you and I hope that you can hear me all the way across there on the other side of the Atlantic. It's a wonderful opportunity to chat, and Julie, so lovely to hear your voice as well. I was really hoping that you could help us with some questions in some conversations we've been having, certainly on this side of the Atlantic. And the place that we seem to start most often is around the whole concept of identity and privacy being two sides of the same coin. And every time I have this conversation I'm sort of asked or reminded that people don't seem to think that privacy is a real thing anymore. Certainly, when you look at new entrants in the marketplace, you look at millennials particularly, that privacy may be dead. I'm not sure people do care about privacy. They're willing to give it up at a click just for a few percent discount or an additional level of service. Is this something you're seeing in the U.S. as well? I mean, is privacy dead, I guess is the main question.

Julie: Yes, thank you, Andrzej. I was very excited to be talking with you today about this. Something I've seen, and I think you did mention it, more around the millennials, and I do see, I think as social media, as consumerization of IT, as all that increases, I do feel that individuals are willing to give up data on themselves, and some of them might not be well educated either. But I do feel that we're seeing a trend where individuals are willing to give up, whether it be their shopping patterns or anything that they do online. It could be for an extra discount, it could be more to look at from a Fitbit. If you look at individuals are giving up all of their health data, all their data around their exercise, what they eat, and they could be getting wellness points at work to help reduce their insurance costs.

I do see individuals trending in that direction. But I would question, do individuals understand what's happening with that data and how that data's being used? And I really do not feel today that we've educated individuals enough to understand how companies are using that data about them and around them.

Andrzej: That's really interesting. You hit on something there, which is people are using their data to get greater benefit from digital services, which is absolutely right. And if you're not buying a product but benefiting from a service, then your data is what you're paying. And I'm not sure people have really internalized the fact that if they're receiving a free service via social media platform or communications platform, if they're not paying for that, then their data is the currency from which they are getting that service for free. And I think that there's a really interesting trade off there. Do you think there were any sacred lines that, things that people just won't show anymore?

Julie: From a sacred standpoint, I haven't seen it yet, but I think we will get there, more from a healthcare perspective. I do feel once individuals start seeing how that data's being used and tracked around them, it could be around, how they exercise, what they eat, even their hereditary, all those components. I do feel there's going to be maybe some more discussion around that in the coming year or years just on what's the outcome of that data, how that data is being used.

I think for health care we're going to see something on there, because I think that tips the scale more for privacy. I've always looked at this as, when it's individuals and things that people really care about and if it's really personal to them, I feel that's where they get more engaged in that. So I see that there. I think from a financial services standpoint and from a fraud perspective, I do think that we could see some lines blurring there officially as well, just more on from a shopping patterns, behaviors, I think that that could also lead from a fraud perspective on that route. I could see individuals becoming more concerned around some of their shopping and financial habits as well.

Andrzej: Fascinating. I think those are things you tell your doctor, you really want only your doctor to know. Things you'd tell your accountant are things you really only want your accountant to know. Things you tell your lawyer are things that only you'd like your lawyer to know. Otherwise, I guess everybody has a different level of what they'd say to somebody they just met in a pub. People can get into some quite deep conversations about their lives, and I guess that's playing out on social media and digital services. But they come back to those sort of those lines, legal, health and finance. I think they are, and remain, lines in the sand that I think people are unhappy if they're crossed. And I guess that, but we're seeing a blur.

I mean, we're seeing a blur between private lives and professional lives as our work patterns change. And I think where those working patterns become much more project based and people move between jobs, between tasks, between different groups of people that they collaborate with. Do you think that people are blurring their personal professional lives or actually are you increasingly seeing people separating their personal professional lives?

Julie: So I can approach this, I guess, two different ways. I do feel that people are... we hear about not work life balance anymore, but work life flow. And that's a big catchy phrase here on how are we really able to... being digitally connected to your job and work. It's expected that you're on all the time. Then how do you have that balance between your work and their life? And because of that, I see some people stepping in and really blurring those lines more. But I would say I still see more individuals really trying to separate that as much as possible. Even down to their mobile device on what they do. If you look at social media, who people are connected with on social media, what information they're sharing. I'd say more people are still separating that.

We talk about, if we go back to the previous question more around privacy data being collected. We talk about what's sacred, from a private standpoint, there's a lot of data being collected on individuals today. And I'd say more the younger generation might not yet understand that impact, but when you're going to your doctor, you're sharing that information. Again, you go back to any medical devices collecting information, and then you go from a lawyer, you go to how you drive, your driving patterns. I mean there's companies, right, that track your driving patterns on the dashboard that fit in your car. So we start quoting that data. I do feel that private data is being collected and can impact your professional life as well. I do see that blur happening, and that's why one reason I see individuals really trying to keep that separated. But I think it's becoming increasingly more difficult, given, one, back to that work life flow and the expectations that people are always connected to their work, and they need to be always on. Individuals are, they're prioritizing, how can I really have that work life flow and do what I want to do in my life, but also advance in my career and be there. And so, they are giving up their privacy I think as well to really meet the obligation as well.

Andrzej: I love that phrase work life flow. It's certainly not a phrase that is used a lot over here. And if I think about a European context even, sort of a regional level, I think we are holding on to the difference between people's professional and personal lives. I don't know if you saw any... clearly Germany, those two things are very separate and very, you know, kept very clearly delineated between. The French government recently I think last year passed some legislation that people had protection of law that they didn't have to answer emails from work after a certain time in the evening. So, I think there's a recognition that those lines are becoming overly blurred. And then as so often happens, as we've seen with GDPR as well, I think European governments and society is stepping in to help provide some balance and to arrest that flow a little bit.

And I think, I'm not sure which is the right model, but certainly I think there's people are being drawn inexorably into that blurred work life flow conversation. And as you say, there is danger. It is clearly an expectation that things you do in your private life will have, and could have, an impact on your professional life. And maybe that's not fair. I guess we have to put our thinking caps on and think about how we do to separate those things. But I guess that people, based on that, people have, we all have many identities, don't we? We behave one way with our parents, another way with our children, another way with our friends, and yet another way with our colleagues. And then within the work environment, on some projects we may be leading, on others we may be supporting.

When you think about this is that there's a very binary analog way of viewing identity. And it's often, it's your employee ID number and your email. And I'm just not sure that that binary analog way of thinking about people's identity relates to the tasks and the projects they were involved in. Are organizations really starting to realize that? That maybe it's not a work life flow, but maybe it's a work identity flow that you morph between different roles and different identities and different personas within a week or a month. Are organizations recognizing that, or are they still just treating a person as an employee with an employee ID and a set of attributes?

Julie: What I've seen, I think it's a mix. I've seen some organizations still really focused on... and it's more from a governance perspective, where they're looking at trying to map that employee, that individual to one identity. And then those set of, whether it be attributes, all tie back to that one individual, one email address, all that. And that's more from, I think from a governance from a, I hate to say it, from a monitoring perspective, when they're looking at that user behavior analytics, they're looking at one user. Now, I do see some organizations looking at it from a persona standpoint as well. And I think that's more of just from if you look at that user experience, they realize that an individual might change multiple roles within an organization.

Like you said, more going from project to project. I have seen some organizations go that path that I see more today still looking at, one individual, one employee, one identity, one email, really trying to put as much governance around that. And part of that too is when you look at access controls and you look at sensitive information, if an individual has multiple identities, multiple logins, it's difficult if you want to look to see, okay, can an individual, if you look at access controls in a segregation of duties or some of those types of things, if you've got individuals with multiple identities, sometimes it's hard to really bring that analytics together to look to see what does that individual have access to and what type of malicious activity could the individual actually be performing?

I see it both ways I guess. But I do see some organizations moving more to the persona based. From an identity perspective, that's something you think about. I read an article recently where the average consumer has 15 identities. And even that probably is, if you can think about identities in different systems and stores, and like you said, you've got a different identity depending on if you're a parent, if you're an employee. And that becomes very complex.

I've also seen organizations really struggle with, and one that I used to work in a different environment more from a public institution, a large university. And we had individuals that had an identity in our system that were students, they were also employees. When we were managing their access and their identity when they were no longer an employee, it was difficult for me to terminate or change their access in the system, based because that individual really had two identities and we were treating them as one. And so, I do feel that this is going to be a growing concern, just as more systems, more IoT devices, more things come, and our changing digital economy.

Andrzej: Absolutely. And perhaps we'll save the machine identity and human identity conversation for a later podcast, it's a really... I remember doing some work with universities as well and I remember saying that, talking to the head of security who said, I've got 60,000 students all trying to break every single thing I do. And I've got 200 CEOs, essentially all of the professors or the heads of departments, who believe that their IP is the most valuable in the world at the same time as they're trying to collaborate with people in different universities around the world. And I've got a campus in the US and a campus in China. I was like, that is a very, very complicated set of identities and data flows to try and manage. All the while, there's tens of thousands of students just ignoring every policy and process you put in place.

But I guess when you leave that environment, when you leave university or college and you go for a job, I mean, is it fair that an employer will look at your social media profile as well as your LinkedIn platform? Because I mean, LinkedIn's about your brand and how you build that brand and give access to that view of you online. But your social media profile, that's something a little bit more private. Nobody needs to know if somebody's hosting or holidays or dating history. Is it okay that an employer looks at that, do you think?

Julie: I'll go back to one of your earlier, I think, responses that you shared as well, Andrzej. And it was more around, social media sites when individuals aren't paying. So also we're just participate or to really post and take advantage of the social media technology. Is it fair? I guess I'm a big believer that whatever I put out there on social media, I'm putting out there willingly and knowing also that data can be viewed, can be collected, can be used more from if I'm going for position, a job or any of that piece.

So, do I personally feel it's fair? I may not, but at the same time I also realize that by me actually posting out there, signing up for an account, it's social media, and I'm consenting basically to share that information with others. And I do feel and know, I mean, that's probably my biggest concern right now with millennials and individuals that are in college or in those different age groups, is that many of them are taking advantage of social media, they're posting pictures or posting data about themselves and might not yet fully understand what some of the repercussions or how that data can be used.

Andrzej: So, I mean, I guess there is that balance about what you put out on social media, and whilst, as you say, it's not always fair but it's probably practical to assume that people have seen that. And I remember talking to somebody and saying that whatever you were going to post on Facebook, imagine you've taped that post to the side of a bus to drive that through central London. And that's essentially how you should think about what you post. But once you're an employee, I guess that a certain amount of those things go away. I expect, and I think employees expect enhanced protection. They expect greater privacy in their work and their work environment. They certainly, I think, benefit from better security controls and [inaudible 00:18:03] security teams.

But I guess for those security teams, for them to be at their most effective, there's a level of monitoring that has to happen of networks, of devices. And increasingly we're seeing user behavior monitoring to spot for patterns for malicious insiders. Julie, do you think that is, I mean, both an important and useful tool in the security team's arsenal? But are there levels to which that behavioral monitoring and analysis should go, or other again lines that an organization shouldn't cross? Again, reminded that in certain countries, take Germany for example, those lines are very clear and they're very thick.

Julie: Yes. I think on this question and how I look at it, again, I kind of break it down into two components. When I look at monitoring employee's behavior and looking at their actions and what they're doing on a company network with company data, working with customer data and even with interacting with customers, given the risk and given the increased insider threat, that is something that I do feel is a valuable risk mitigation technique for organizations to actually start looking at getting a feel. Also, what's normal behavior in terms of what systems does an individual access and start correlating that with other data on the employee. And again, this is just more from a look at anomalies and look at that type of behavior perspective. So that is something I do feel is very important.

Again, as we see insider threats increase, we also see the amount of data, just a growth of data that many organizations are pulling in on consumers and their customers. So, if we look at its privacy from that point of view, I do see, it's kind of an interesting angle because you think, well, are you violating privacy and violating that of your employees by monitoring them, while you're trying to protect the privacy of your customers and consumers? So that's where I think that's where it gets a little blurred for me. But I will also say, from an external view and an employee's behavior externally, and this is where personally I guess the line kind of crosses for me. And I've seen some organizations, I know depending on an investigation or depending on what we're working on from a security incident, sometimes that leads on to somebody's personal lives and looking at their spending habits, their credit card, all those components to really put that investigation together.

So, I have seen that line cross and I think that if there's a specific need or a pressing incident, I could support that need. But that's something where I typically, I kind of break it down more from a, I guess, an internal employee's usage and on their network and their company's data, is one thing that I do support monitoring. But more from that kind of that blurring of their personal life as is where I typically, I guess, my lines usually cross and I typically don't support that.

Andrzej: I think that's amazing from your experience. Just because you can doesn't always mean you should. And I'm reminded from one of my children came home from school with a phrase that they were taught at the age of four, to help them make a decision in difficult circumstances, stop, think, and do the right thing. And I think if we apply that stop, think do the right thing, I guess more often than not, we will respect people's privacy but also understand that we have obligations to protect and enable the organization. So that was so, so cool. Julie, thank you for talking and helping me with a whole bunch of questions that I know I've been struggling with and people here in Europe have really been thinking hard about over the last little while. That was one of the best bits of the week.

Julie: I really appreciate talking with you as well today, Andrzej. You'll just, it's fascinating to me how we're approaching privacy and really from an employee data protection perspective, both from MIA, across the Atlantic and here in the United States. I think there are differences, but we do have global organizations today that we are working with to really help them understand their privacy requirements and how best to meet those requirements while also protecting and securing their customer and their employee data. So, I've also really enjoyed this conversation and looking forward to additional ones with you as well.

Andrzej: Yeah, that'd be great. Something you said there, we have global customers. Optiv is a global organization, and no matter where you are based, you will have consumers, people buying and experiencing your products and services all around the world. Understanding those cultural and legal nuances I think is going to be critical to success, I guess in the coming years. So, let's keep talking and I'm sure we'll be able to advise and help people through it.
