Pratum Blog

Security and privacy seem interchangeable to most of us. Cover one, and you’ve checked both boxes, right? Not exactly. Think of them more like the Yin Yang symbol. When you talk about data security vs. data privacy, you’re talking about two interrelated, but distinctly separate concepts.

And knowing the difference grows more important each month as nearly every organization evolves into a repository for Personally Identifiable Information (PII). That means that if you’re not thinking about your specific data privacy policy, you’re leaving your organization vulnerable to fines and lawsuits.

Our society’s appetite for gathering personal information is hard to truly comprehend. The stats about how much data we create every day can make your eyes glaze as quickly as astronomers talking about interstellar distances. One popular estimate pegs the daily data stream at 2.5 quintillion bytes (that’s 18 zeroes). And the giant data suction hose only gapes wider each month as the Internet of Things (IoT) and 5G’s rollout turn anything with power into a new surveillance node. Various experts predict the number of IoT devices in use by 2027 will reach up to 41 billion. You don’t need a tinfoil hat to see the implications.

But our concern here isn’t who’s tracking you. It’s how much of that personal data your organization is responsible for protecting. You probably have more customer data than you even realize thanks to everyday processes such as scanning business cards into your CRM, using cookies on your website, storing customer satisfaction surveys and more. And governments worldwide are increasingly committed to holding you legally liable for that data you’re stewarding. You may not have a Chief Privacy Officer on the payroll yet, but it’s time for someone on the team to start thinking like one.

The Cost of a Privacy Violation

Every leader should get familiar with the legal concept of a “data fiduciary.” The New York Privacy Act currently working its way through that state’s legislature includes the phrase, and it’s likely to show up in a lot of laws. It requires companies to think about customers’ data the way a lawyer or physician does. Clients divulge their private affairs to you for just one reason: so you can serve them better. Leveraging that data for your own benefit, or even acting recklessly with it, violates your responsibility.

New York’s proposed law is the latest in a string of major new regulations that determine how entities handle information. You should see two key data privacy takeaways:

  • New data privacy legislation is in the works in multiple states and nations including Brazil and India. In November, for example, Californians will vote on whether to create an agency to enforce its data privacy law. Pratum’s analysts anticipate this being a wakeup call for hundreds of companies that hold data for California customers.
  • Agencies are growing teeth when it comes to fines for data privacy violations.

During the first year of the European Union’s privacy regulations, the EU went light on fines, tempting some companies to risk paying a token penalty rather than invest in compliance.

Then the hammer fell. In 2019, the EU leveled its first big penalty with a $230 million fine of British Airways for violating the law’s requirements. Here in the U.S., Facebook absorbed one of the federal government’s largest penalties ever: $5 billion for violating consumer privacy, which is roughly 7% of Facebook’s annual revenue. You can do the math on how such a fine would impact your bottom line.

Right now, governments are mainly going after big companies. But the Federal Trade Commission’s long list of privacy enforcement actions proves they’re also pursuing plenty of firms that aren’t household names.

Note that some of the root problems that earned fines weren’t nefarious activity so much as crimes of omission with basic security hygiene. When the Equifax data breach earned the company a $575 million fine, its key problem was failing to patch its network in response to a known vulnerability, leading to the compromise of 147 million records.

So What Is Data Privacy?

Now that you’re listening, let’s clarify the frequent confusion. An IT adage says that you can have security without privacy, but you can’t have privacy without security. In other words, don’t get cocky about your privacy posture just because you’ve never had a breach.

Security ensures that no one gets unauthorized access to data. But a privacy issue arises when you knowingly give personal data to entities you shouldn’t share it with. Our friends at Facebook or Google provide a familiar example. Even if they have rock-solid security, they’re still selling details about you to advertisers, market researchers and others. That’s a privacy concern. If they DO get breached, they can have both security and privacy incidents.

Thorough privacy policies also address who within your organization has access to data and how clearly you tell customers what you’re collecting and what you’re doing with it.

Data Privacy Laws

Anyone in the healthcare or financial industries probably has a working knowledge of privacy regulations, thanks to standards like HIPAA and PCI. But the last two years have brought new privacy regulations to the broader market. Two big ones have set the course for many similar laws coming online:

  • What is GDPR? – The EU’s General Data Protection Regulation took effect in May 2018. You probably noticed its arrival when every website started asking you to confirm use of cookies. Under the law, EU, UK and EEA (European Economic Area) residents now have access to and can correct, delete, and export personal information. The law, designed to provide a unified standard across national borders, applies to anyone who collects data of EU citizens.
  • What is CCPA? – California led the U.S. consumer privacy charge with the California Consumer Privacy Act, which became effective on Jan. 1, 2020. Its influence stems not only from being the nation’s first such law, but from the fact that it applies to any company with customers or computers in California. That ropes in a lot of organizations. Smaller companies are exempted from the law, as it applies only to companies that have more than $25 million in annual revenue, collect data on 50,000 consumers or more or derive 50% or more of their revenue from selling personal information. (Click here for a full analysis of CCPA’s impact.)

Several states have passed their own privacy legislation, with a wide spectrum of requirements and definitions about controls, categories of covered data, etc. Several lawmakers have been working on concepts for a national framework similar to GDPR to make it easier for companies currently trying to comply with varying state standards.

How to Improve Your Data Privacy Policy

In this rapidly evolving privacy landscape, you’ll need a well-informed team to clarify your responsibilities. Along with a knowledgeable attorney, you should confer with a cybersecurity company such as Pratum on:

  • How evolving privacy laws apply to you.
  • Developing policies that adequately cover both security and privacy. With multiple standards emerging nationwide, it typically takes an experienced professional to write an across-the-board privacy policy you can count on.
  • Understanding what data you’re collecting and how long you retain it, both of which can impact your liability.
  • Training employees throughout your organization on their responsibilities. Your marketing department, for example, plays a key role in your privacy position. And your HR processes should address privacy from an employee’s first day through steps such as granting role-based access, which limits employees to only the data they need to do their job.

If you’re ready to have a conversation about your organization’s privacy responsibilities, contact a Pratum consultant.

Experts talking about how to hire a Chief Information Security Officer can make it sound like recruiting a unicorn. And HR training and fantasy literature make two things clear about unicorns: they come with a steep price tag and get a lot of calls from recruiters.

So if you’re considering a search for a legendary (or even just competent) CISO, plan on a hunt that will probably take months, cost more than you think and leave you constantly watching over your shoulder for unicorn poachers.

Instead of chasing that mythical beast (and potentially doing it again in a year or two when your prize gets a better offer), consider options other than hiring a single person. The best solution for your organization may be a Virtual Chief Information Security Officer (vCISO) service. That’s proving especially true in 2020, when new security threats and uncertain budgets make adding a full-time CISO tougher than ever.

What a vCISO Does

For a quick recap, let’s sum up typical CISO duties:

  • Understand the ever-changing threat landscape.
  • Continually monitor system activity and quickly respond to critical threats as escalated by the security analyst team.
  • Regularly assess the organization’s security posture and coordinate third-party certifications such as SOC 2 or HIPAA.
  • Evaluate the security implications of organizational changes (such as a switch to remote work or an acquisition) and implement appropriate adjustments.
  • Create and carry out information security training for all employees.
  • Oversee and ensure software and devices are properly configured and patched at all times.
  • Plan for information security as part of the organization’s overall strategy.
  • Communicate to top leadership about the organization’s security position and outlook.

Despite that long list, many organizations still tend to think the IT director or chief information officer (CIO) can manage all this along with their day job. But that’s usually a recipe for leaving yourself open to security problems. Even if your IT director or CIO has the full security skillset, few people have the bandwidth for this kind of double duty.

How a vCISO Can Help

So you almost certainly need someone focused solely on your organization’s information security. Here are six factors that might make a vCISO the right choice:

1. Cost savings –Plan on a solid vCISO earning about $185,000 annually. Pratum’s vCISO service, on the other hand, ranges from $24,000 to $120,000 per year. Because each organization can customize its vCISO plan, you pay only for time you use, not extraneous meetings, hallway chats, etc. These vCISO cost savings are especially attractive for growing organizations deciding whether they’re even ready a full-time CISO.

2.Easier/faster hiring and no retention worries –Most managers dread the time suck of the hiring process. Depending on your company’s location and brand recognition, recruiting can take even longer than industry averages. And once you’ve hired the right person, you face industry averages showing that the average tenure of a CISO is only 24-48 months.

3. Time to clarify your needs –The CISO revolving door isn’t all about employees seeking bigger paychecks. Many leave because companies with newly created CISO positions frustrate good hires with a marginal security commitment, unclear metrics and other growing pains. Using a vCISO service lets your team understand its approach before investing in a full-time employee.

4. Instant scalability –When a big project, security event or new business line comes along, you can ramp up your vCISO’s capacity overnight.

5. A team full of experts –A great CISO is a Renaissance person, with deep knowledge of compliance, vendors, policies, continuity plans, government standards, business management and more. That’s a lot of expertise to find in a single person. With a vCISO approach, you get a lead consultant with an entire advisory team sitting around them. Along with the technical expertise, you’ll benefit from the checks and balances of several opinions rather than a single person’s perspective.

6. An honest third-party perspective –Executives all say they value honesty—but employees know there’s a limit there. Inevitably, some CISOs sense that certain battles present a choice between protecting company security and protecting their career. A vCISO service obviously wants to retain you as a client, but you won’t be their only client, giving them more freedom to tell it like it is. Plus, an in-house CISO may factor office politics into decisions about whether to push departments getting tired of the CISO’s demands. A vCISO, on the other hand, doesn’t worry about who snubs them in the break room.

How vCISO Works

If you decide to start evaluating how to choose a vCISO, here’s what you need to know:

Pratum scopes each vCISO agreement as an exact fit for your organization. Our team sets up a monthly service plan, but whenever you determine you need more or less service, we can adjust the plan accordingly.

Because we work with companies on these plans every day, we can get your vCISO up and running as quickly as a couple of weeks after your initial call.

As you consider vCISO services, don’t assume it’s a temporary fix. The flexibility and affordability convince many companies to make it their permanent approach, especially in small- and medium-size businesses. Growing businesses also find advantages in how a vCISO lets them regularly redefine the role as their company changes. That provides insurance against hiring a leader who may find themselves out of their league as the organization grows bigger and more complex.

If you’re ready to learn more about your vCISO options, reach out to our vCISO team today!

If your company works anywhere within a Department of Defense supply chain (or hopes to), the new CMMC cybersecurity standard will soon be part of your life. And that brings along all the alphabet soup and uncertainty you’d expect from a government process. Here’s what you need to know.

What IS this new standard?

It began in 2010, when the federal government defined Controlled Unclassified Information (CUI). This provided a unified standard for labeling and handling sensitive government information such as health documents, engineering plans or legal documents. Since 2018, the DoD has required its contractors to comply with NIST 800-171 as a control for properly handling CUI. (NIST 800-171 was published as a Defense Federal Acquisition Regulation Supplement, or DFARS.)

The government allowed organizations to self-certify their compliance with NIST 800-171, leaving some obvious gaps. The remedy is the Cybersecurity Maturity Model Certification (CMMC) program, which is scheduled to start appearing in DoD Requests for Proposal (RFPs) this fall. The Pentagon has stated that all DoD contracts will contain CMMC requirements by 2026.

How many certification levels does CMMC have, and which one do I have to meet?

The standard has five levels, all of which include standards for both digital and physical security. All DoD contractors will be required to achieve at least Level 1. This “basic cyber hygiene” level includes familiar steps such as installing and regularly updating antivirus software.

Any contractors with access to CUI will be required to achieve at least Level 3, which is a big step up from Level 2’s 17 controls to Level 3’s 100+ controls.

All DoD RFPs and Requests for Information (RFIs) will specify the required CMMC level. A company’s CMMC certification will last for three years.

Do all of a company’s physical locations require certification?

Any site that handles sensitive information must be certified. A third-party consultant can help you determine whether various sites in your organization require accreditation.

Do my subcontractors need to be certified?

In general, yes. At a press conference announcing CMMC, Ellen M. Lord, Under Secretary of Defense for Acquisition and Sustainment, specifically said that, from a hacker’s perspective, "Attacking a sub-tier supplier is far more appealing than a prime [supplier]." Lord did clarify, however, that the required level may be different for a prime contractor and its subs.

The exception is a vendor who sells you raw materials such as steel or wire. Because those vendors have no access to sensitive information such as engineering plans, they do not need certification.

Who actually performs the accreditation?

Companies could perform self-certification under NIST 800-171, but CMMC won’t allow that. The CMMC Accreditation Body will be accrediting Certified Third-Party Assessment Organizations (known as C3PAOs). So far, CMMC-AB has published no details about the process for becoming a C3PAO or what guidelines C3PAOs will use when performing assessments.

How much time do I have to comply with this standard?

You can bid on a new contract before receiving your certification, but you must be accredited by the time the contract is awarded. Based on Pratum’s experience with previous government standard rollouts, we expect the DoD may provide a “waterfall” approach that gives vendors a series of required milestones for some lower risk contracts. The DoD will be motivated to work with current vendors to help them achieve this standard and continue with existing relationships.

How should my company approach this process?

The most effective approach is to get help preparing for the accreditation process to ensure you pass. Depending on your current cybersecurity program maturity, plan on a minimum of six months to evaluate your current posture, prepare for the audit and complete the audit. Here’s a suggested roadmap:

1. Hire a third-party security firm to help evaluate your organization’s current posture compared to the level you need to achieve. Look for a firm with experience in complying with past government standards. Note that one vendor cannot serve as both your consultant in preparing for the audit and the auditing organization.

2. Use the assessment to address any shortcomings before your audit.

3. Retain a C3PAO to perform the audit.

4. Correct any weaknesses revealed during accreditation. You may be required to create a Plan of Action and Milestones (POAM) to track and report on remediation of problem areas in order to keep a contract.

Where can I learn more?

You can read the DoD’s official CMMC page here.

For help in understanding the new standard and preparing for an audit, contact Pratum’s experienced team of compliance experts!

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.