Cybersecurity Podcast

Privacy Across the Pond, Part 2

From privacy to identity to work-life flow — CTO and Head of Strategy, Andrzej Kawalec and GM and Global Vice President of Digital Identity and Data Management, Julie Talbot-Hubbard break down all things privacy, data and identity in Part 2 of Privacy Across the Pond.





Julie Talbot-Hubbard

Global Vice President and General Manager, Digital Identity and Data Services

Julie Talbot-Hubbard is an experienced cybersecurity practitioner, technology executive and former Chief Information Security Officer (CISO). As the Global Vice President and General Manager of Digital Identity and Data Services, she is responsible for delivering solutions that balance risk, business realities and operational impacts for Identity and Data Management. Prior to Optiv Julie held executive positions at global finance, education, health care and technology companies. She was nominated for and attended the FBI Executive CISO Academy and is a board member at the Identity Defined Security Alliance.

Andrzej Kawalec

CTO and Head of Strategy, EMEA

Optiv’s CTO and Head of Strategy, EMEA, Andrzej Kawalec brings experience from some of the world’s largest companies. Most recently, as chief technology officer and head of strategy and innovation at Vodafone, he led the company’s enterprise vision of cybersecurity preparedness for more than 462 million users. Kawalec previously served as CTO and director of security research at Hewlett Packard.






Transcription

Podcast Intro: From consumerization to IoT devices to a tax on chardonnay — CTO and Head of Strategy, Andrzej Kawalec and GM and Global Vice President of Digital Identity and Data Management, Julie Talbot-Hubbard break down all things privacy, data and identity in Part 2 of Privacy Across the Pond. Listen to our podcast for the full interview between Andrzej and Julie.

Julie: I'm going to start talking more about the increase of consumerization, more of the IoT devices and consumer data. You know, something I've seen in the last two, three, five years is really just the amount of data being tracked on an individual exponentially growing, but really the consumer really seeing the benefit that they're receiving from really giving their data, whether it be on additional discounts. Whether it be from a healthcare perspective, their health benefits components there, even down to ... I'll go back to the car, the driving behaviors, patterns, even being able to ... I've seen adults put these goggles on their car to really start monitoring their children's driving patterns. But more from a safety perspective.

With all this increasing consumerization, I would say just digital in general, do you think the value being delivered by a connected world is greater than individuals' data privacy? Just interested to hear more about what you're seeing over across the Atlantic.

Andrzej: Thank you, Julie. Wow, start with a big complex problem or question. I think it's so fascinating. If we believe that much trotted out phrase that data is the new oil, that it's hard to get, it's even more difficult to transport. Once you've refined it, it becomes, and it powers whole industries. I guess in that context, then the data is key. But for organizations, you only create value when that data meets a user or an employee. When an employee can access and use that data, that's when you create the value. Like you say, in a consumer context, if my insurance company is monitoring my driving habits and based on the fact that I am one of the world's most careful drivers. I drive everywhere several miles an hour under the speed limit. I never break the rules. If based on that I get a lower premium and I'm rewarded. That's great.

If by the fact that I go running every day, I never ever go to the pub or do anything I shouldn't do. I look after, I treat my body like a temple, which we all know I'm not entirely clean in that regard. That I get tailored medical advice, that my insurance premiums go down. That people can perform predictive medical interventions. If I happen to get too stressed at work, for example. I think that there is really value being created by those customized tailored services. I think there is less value being created when that data is used for the organization to deliver more targeted advertising, for example, to drive a better profit.

Your question was, I think, was at what cost privacy. My fear is that huge value can be created for an individual by sharing their personal information, their buying habits, their behaviors. I think the danger is that even more value is created for the enterprises that use and exploit that data. That increasingly it will become almost impossible to opt out. I think at that point if we look forward three, five years that by opting out of the use of your personalized healthcare provision or your driving insurance or tailored learning plans. I think that if you opt out of that you may be penalized and charged a much higher rate because the whole industry is now based knowing exactly on what each of their consumers are doing.

That for me, that's the real fear. There is huge value being delivered in that connected world. I think it comes at the expense of privacy to some extent. I think it would be very hard to arrest that growing avalanche of data collection and data use and data refinement.

Julie: Now, I share that concern with you. I also feel that organizations, the more that you can de-identify some of that ... if you look at how this data is actually being used, I think some of it is being used to deliver personalized care, personalized recommendations. It could be whether from healthcare, could be from a car insurance from a premium like you share. It could be down from a shopping, helping individuals restock their pantry. It could be down to that. But I do think there are ways organizations that look to see how we could de-identify some of that individual user from that, which would help a bit. But again, if we are looking at the mass, the large amounts of data out there today, I think it's going to become increasingly just difficult to do. I do, I share that concern with you. I think that individuals are just going to be unable to opt out or will be penalized for that.

Andrzej: There is a huge fear there. If I celebrate a birthday with some friends and drink a little bit too much wine, then suddenly, my healthcare insurance provider might slap an extra charge on me. The chardonnay tax could become a real thing. (laughs). Sorry, it's an example, but I think it's possible that we will start to mitigate our behavior and step away from that monitoring regime to preserve our good records. At that point, people will always find a way of working around the system about taking their watch off around, you know, falsifying records. I'd hate that to happen. I think we need to be very careful in how we use, in how we adopt those personalize services.

Julie: I would agree with you. When we talk a little about, IoT devices, with the number of devices increasing. If you look at how many devices an individual uses a day, that's just continually growing, in terms of, I got my watch on, I got my phone on, I got my earbuds. I got all of these things that are all ... they triangulate all that data around you.

One way your phone is tracking your location, tracking everything else. As the number of devices increases, so are everyone’s identities and their passwords. I'm interested in what you are seeing really across the pond, across the Atlantic on how are companies working to simplify and secure the digital experience for both their customers and employees? That's just ... like I said, I'm looking at because the world is becoming much more connected, also the complexity is growing. Interested in what you are seeing. How companies are tackling that?

Andrzej: There is a really dawning realization that employees are a strategic asset for an organization. Enabling and protecting those employees to do their absolute best for their organization is a critical, strategic process. The next step in that is, okay, how do we make, how do we use an employee, and their identity to allow them to access the services they need and locations they need to work from wherever they are.

I'm sensing a huge sea change in how users, employees and identities are viewed within enterprises. I think that goes back to higher level of ... this isn't just about managing identities, but it's about an identity and data management framework and using those things as strategic assets. Alongside that, you can see the same thing wherever you go, if you work within large global organizations, that you can literally go to any office, on any day, any city in the world, and you can access what you need to access. You can work online or offline. You can print. You can get into the buildings. The convergence of all the physical and digital services around an individual to free them up to do that. I think is really starting to take shape and take form.

What I am not sure is keeping up to pace with that, goes back to the old method of logging on, accessing and authenticating yourself. More often than not, we are still using a username, and a character string, a password that somebody has to remember. In certain circumstances, we are using one, two multifactor authentications. We are starting to see that extend out to the use of some limited biometric, on smartphones for example. I think the biggest area that needs to evolve is that frictionless access and authentication. No longer just at the entry and exit of the process but throughout the life of your ... as you are accessing different systems, different applications, different data sources, collaborating with different people. What I don't think we are now actually keeping up with how people are working and collaborating and the use of the omni factor, omnipresent authentication, and access control around the person's identity, and the roles they take.

At the moment, all we do, very obscure, very Victorian, we write down somebody's name and address as they enter the building, and then we ticket as they walk out again. What they do while they are in the building, who they collaborate with, who they work with, how they access systems, is essentially an imaginary black box for most organizations. I think companies aren't really doing enough to think about what happens in the life of during the working day.

Julie: I think that if you look at insider threat, having that, being able to triangulate some of that data. Understanding what systems somebody is accessing, what buildings they are going into. I recently was talking to an organization more around retail, and around when they look at how they are mitigating their risk and threats when they are hiring a large number of seasonal employees. Part of that too, they look at their increased fraud they have. It is really triangulating a user's behavior, I'll go back to saying it from that perspective, on looking at when they are logging into different systems, when they are accessing different inventory rooms. How are we able to triangulate that?

You shared something that though I thought was really, something that I wanted to just talk about as well. I look at more of that digital experience. You look at the frictionless of access from a password, all of that, moving that more into ... where it is more digital. I do see organizations moving to that. That is just more from a consumer and employee are now expecting that. I think on the consumer side, we've been working towards that because the consumer, customer experience has always been king. We really want to make sure that seamless digital experience to our consumer and customer where we've seen many organizations for an employee standpoint. They don't typically share that objective, but I see more organizations moving to that. I think that is just because people are expecting that today.

This also ties back into that blurred line between I think somebody's professional and personal life. I think their expectations are becoming blurred as well.

Andrzej: Absolutely. Sometimes if you can identify the bits ... on that digital experience, if you can identify where that experience is not great. You can fix that, that grit becomes a pearl in the oyster. People will love the fact that there's been a change. You can't create a pearl without the initial grit. I was just thinking as you describe that change ... retail establishments, physical shops, stores used to think about where they placed a store based on footfall. How many people walked past, in and out of the shop. Now using all of those senses, IoT devices, monitors, display cabinets, integrated systems, we look at heat maps, footfall within the store. We look at dwell time on certain shelves. We look at what would distract a greater different experience within a physical retail store.

And that really is about understanding people's behavior and motivational triggers. How they make a purchasing decision or not. That level of retail experience shouldn't be advance from an employee's experience and digital experience within an organization. But I don't think we are approaching the two things in the same way, I think there is a lot we can learn and a lot of tools, techniques and processes we can put in place to allow that digital experience to be as fruitful and valuable as it would if you go around one of those retail stores.

Julie: No, I agree with you. Given that we are talking about more from a retail store, we know that retail organizations, they've been collecting data on individuals for years on their shopping behaviors, shopping patterns. That's where you look at some targeted marketing that you get ... I could be shopping for a dress and then you know, 10 minutes later on my phone, I'm getting other pictures from that same store, targeted marketing ads on my Facebook account. We know they are clocking that data and working it today. I'm interested more in your thoughts on companies using big data related to consumers to really drive and improve products, some of the targeted marketing, ultimately monitoring consumers, customers all their behavior.

What are your thoughts on that, and specifically, with you being across the pond, across the Atlantic, just different views from a privacy standpoint. Interested in your thoughts and how you are seeing this happen from retailers from the perspective over across the pond.

Andrzej: It's amazing. I think that anything we can do to halt the inextricable march of the evil marketing empire that will target us in that day, every waking minute. It's something we should do. But seriously, we're seeing that that level of customized targeting at an individual consumer basis, just rise, and rise, and rise. We're seeing just as you are, every new adoption, every new business model, every start-up is using that level of targeting and insight to drive their services.

I think it's, as you perfectly described, it is a trend and a method that is not going to go away. Big data, analytics is fueling a whole new service industries and sectors. We see in particular ... we've started to reach a tipping point whereby, consumer, customer service, robots, chat bots are starting to offer as good of service, or quicker service than real life call centers. Industries, the mechanics and the business models of industries are changing on the back of this data. The ability to understand where you are, what you are calling about, what your experience has been like.

Andrzej: We are also experiencing a bit of a counter, counter cultural push against this. As particularly, the European Union struggles to deliver freedom of movement of people, of goods, of services and data, across all the members of the European Union, while at the same time enshrining within the GDPR regulations, the ownership of personal and private data. We saw a huge shift, and we are on a journey, right so, almost just over a year on. We've seen organizations completely change how they deal with, track, and collect data on individuals.

Andrzej: I guess what we have not seen is just as interesting, or important. I don't think we've seen consumer behavior change, which is the most surprising. People are not taking this opportunity to realize that they own their data, and any service that they lend it to, should act as a responsible steward, or custodian, of that information or data that they hold on them. That they can revoke access, that they can pull that data back. That individuals can manage their own privacy and data exposure essentially their own identity. But they are not doing so. I think we've fallen into a very lazy way of working, which involves ticking a box, clicking on the cookie acceptance, clicking on the privacy settings to just re-opt-in to the situation that we've had before.

Andrzej: I think that is a shame. On the other hand, on what has happened because of the GDPR, we've seen organizations take much more seriously their obligations as a steward of that data. Now, I think all of that for, in the partum, we're seeing some interesting new regulations coming through in different states in the U.S., in California, in India as well. Some of the big, big countries and states around in a difference in how we treat information and data, national industries, for example.

Andrzej: All of that said, I think we are slowly developing quite different ethical approaches to data and analytics. Organizations cannot be guided by a single global standard, or even one or two regional privacy laws or regulations, or frameworks. To some extent, organizations need to decide on their own about the level of data analytics they are going to use whether that is for profit or that is for information. How targeted they are going to be around individuals, and ultimately, the level to which, you know, data will play a significant, strategic role in the development of new products and services. I think it is a journey we are on. I'm seeing some real reticence on the behalf of European organizations to fully embrace all the value and opportunity that data brings because of some real concerns around the ethical privacy implications of doing that.

Andrzej: I'm not sure whether North American and U.S. companies are doing the same, but I guess with recent Congressional hearings and the news stories that I think that those elements are starting to come to the fore a little bit as well in North America.

Julie: I would say they are. I'm interested in ... you made different reference of different privacy laws growing independently, I see independently, right by ... whether by nation, by country, by individual state. Again, making this problem that's already complex, just adding a ton of complexity on to it. Do you foresee, I guess, nations, countries coming together, or even in the U.S. side, if we could just get one global privacy standard regulation law. I think that would be beneficial. But what do you foresee in terms of from a privacy law perspective? You foresee us coming into one global standard? Or how do you see organizations really going to be able to meet these different laws and regulations?

Andrzej: It's the big question. I think what is likely to happen, is we will have and develop a low-level and core set of privacy or digital human rights. Much like, the Geneva Convention or the world trade laws that govern between countries and trading blocs. I do think, however, that if you were to take, let's just say, take the North America population plus or minus 300 million, European Union with a population of 500 million, India with a population of just shy of a billion, and China with a billion, a billion plus. A huge number of people, big trading blocs, each with arguably a very different approach to privacy, fundamentally.

Andrzej: You know the European Union is not going to ... it's not going to turn around and face the opposite direction and start to open and liberalize data collection and privacy. It's going to continue to think about the rights of the individual and consumer first. In the same way that it is doing around, copyright laws in IP on internet-facing services. I would suspect that the North American and U.S. is going to continue to be much more liberal about its approach and place an emphasis on fairness and modernization of services and individual choice and rights. I am not quite sure, which way India is going to go. Now, they seem to be taking quite a middle of a road approach. Certainly, I think we can all recognize and understand the route that China is taking.

Andrzej: I do not believe that we are going to see standardization around privacy and digital rights. I don't think we are going to see these massively powerful large groups, trading blocs, align even at a very core fundamental level. Over and above what is needed to work together. What I think we will see is a huge mapping exercise. Some critical elements that people will standardize on but will continue to see divergence in the basic regulations and legal frameworks. It's a bold statement, but I can't see how it will develop any differently.

Julie: Andrzej, I really appreciated our time together today. Really just you sharing your insight around privacy, around this data collection in general. More about what you are seeing across the pond in the U.K. because I do think there is a lot of similarities to what we are seeing here in the United States, but also, I do think there is from a regulation ... and just you know ... the stances the organizations are taking. They are a bit different, but I've really enjoyed this conversation. I'm really looking forward to continuing the dialogues with you and the team as we continue to really grow our global presence. Really ensuring that we are providing the services that we need to our global customers and clients. So thank you, Andrzej!

Andrzej: Thank you very much. It's been a pleasure.
