I recently sat down with my friend and colleague Michelle Dennedy, Vice President and Chief Privacy Officer for McAfee, to discuss the perilous path to a new privacy.
A leading privacy champion in the corporate world, Dennedy is uniquely qualified to speak to the challenges and opportunities before us. Prior to McAfee, she serves as Vice President for Security and Privacy Solutions for Oracle, and before that as Chief Privacy Officer for Sun Microsystems. In this interview, we explore four big picture questions that all security and privacy professionals should be grappling with from at least one angle or another.
Richard Power: Here is your chance to refute those who say, "Privacy is dead." After all, I am one of them. I may have even been the first. Someone asked me some years ago (in the aught decade) what the top five privacy stories of the year were? I gasped at the naivety. I said, well, it doesn't matter--because privacy is a lost cause.
Why do I say this?
a) Corporations have unprecedented amounts of very detailed information on us all, much of its sensitive, and in the aggregate quite dangerous, and in case you haven't noticed government regulation is being undone at a rapid pace and odds are won't be coming back any time soon, since corporate lobbyists are writing the new laws,
b) And speaking of the government, "the right of the people to be secure in their persons, houses, papers, and effects" has been severely undermined, if not in all but name repealed,
c) Thanks to the weakness of operating system, network and application software security design, and the band-aid nature of most security solutions, our privacy is a like a big fat carp in a barrel for organized cyber criminals. In the 20th century there was an expectation of privacy, privacy was something to be defended, protected, but in the 21st century privacy is something to be created by will and cunning and with ongoing personal effort. (Yes, you will get the last word.)
Michelle Dennedy: If the definition of privacy we are going to choose is an absolute, yes or no--is it or it is not possible for every system to be compromised, for every fact to be learned, for inferences to be gleaned--then I would sadly concede.
But my various roles have informed my perspective. I am an enterprise officer, that's the world I operate in now, and I have worked in engineering departments, and as a legal representative, a public policy representative and a governance officer. The analogy I choose (and it is just an analogy, so it has its weakness) is from the realm of healthcare.
If you think of the definition of life as binary, e.g.,
- Is it possible for me to die? Yes.
- Is it possible for someone to shoot me? Yes.
- Gas me? Stab me? Yes, yes, yes.
If you look at it purely through that dualistic lens, and ask are we going to die, the answer is yes. But then we choose. And this is where we are with privacy.
Do we choose to fill our bodies with nutritious things, and move it around frequently enough, and hydrate it, and put it in circumstances that brings the life that we have into something that we want, something that we have chosen, as a culture, as a planet, as a couple of shared beings? Is it fun? And then do you choose to only eat the most nutritious, or the most privacy-restrictive, and not take a risk, not interact, not do a deal, not do "Cloud"? Or do you decided to go to a beautiful restaurant in a beautiful place, and maybe there's rats in the kitchen, or maybe not, but the meal you are having is delightful.
I view privacy as a respectful treatment of information. The respect control-switch needs to be defined, and we can still fight for the control over it. The fact that any person, private actor or government actor, can violate our privacy, either by legal decree or by some sneaky way through the backdoor, doesn't mean they should. It doesn't mean they won't go to jail for it, or excoriated or hurried out of office for doing it. There are people, processes and technologies that make the fight for privacy an absolutely worthy and healthy thing to pursue. I do not think it is hopeless.
Just as you shouldn't 'just get over it' and eat Big Macs for the rest of your life, you shouldn't just get over it, and not have good identity management, and not have good policies, and not consistently train, and try to comprehend data flows for new technologies. It is a never-ending struggle, and like life, it is going to continue until the end of interaction. So privacy is alive, and we are going to keep it alive. Whether we decide to have a healthy, robust, respectful discussion on data, or whether we decide to just let the hackers of the world have at it, and let the politicians and powerbrokers of the world steal it, that's ours to choose or lose.
Power: What are the essential elements of a corporate privacy program? What are the two or three or four elements that would indicate to you that this corporation was taking privacy seriously?
More from Richard Power
Dennedy: One of the things I do look for, and it's a bit self-serving as a Chief Privacy Officer myself, is a group of people, or a person, within the organization, that is knowledgeable about global issues and empowered to execute upon real-time decisions related to that knowledge.
So let's unpack that a little bit. It comes down to people.
Who is the person in your organization who understands not just the privacy risks, but the where the privacy value is for your organization? Having someone who knows what those issues are, that's the first thing. And then the second level is truly having someone empowered to act upon that knowledge. That is trickier. I am a lawyer by training, but that doesn't necessarily mean that privacy officers and privacy management and controls should be in the legal department. You need the perspective of asset management as much as you have risk.
Unfortunately, some legal departments--not all--are so focused on what are today's risks in regard to the laws that exist at this moment, that they lose the greater picture: Shouldn't they be out there advocating for something different, and educating staffers and legislative people who can make better laws; and also going to businesses and saying, "I have done my job by telling you not to share this information related to children without parental permission, but I haven't gone out and said, Hey, you still have this data, and you can combine that data with educators, healthcare professionals and cyber security experts to actually provide added-value for these children, based on what you already know about them.'" Leveraging the data.
So that's what I look for. Really advanced programs understand that the CPO is like a CPA for data. We have dual-book accounting of risk and reward.
Another area I would look at relates to questions like, Do you have identity management controls? Do you have data life cycle control? Is your data encrypted?
If I get a definitive yes on any of that stuff, I am really suspicious.
It's a very textured answer, and there's never one answer at any given time. Technology is moving to quickly for there to be pat answers.
And the last piece I would look at is the culture issues. What is the culture of your business? Is it a do-not-share culture, everything is locked down, there is no bringing your laptop to work, but everybody understands the value, or is your culture something different, where you view data like chaff, or a side-effect of your business, rather than the key asset. How willing are people to follow the rules within the organization? Are there rules within the organization? Is this an organization that self-polices and has enough transparency at the top so that people who see things are going wrong are empowered to speak up?
Power: What are the greatest challenges facing the Chief Privacy Officer (CPO) in major corporations? What are the biggest obstacles? What are the areas of fiercest resistance? Where should a CPO report within the organization optimally? Where do most CPOs report?
Dennedy: The Chief Privacy Officer role, like the rest of the economy, took a major hit. You started to see positions opening lower and lower in the organization, as the economy continued to worsen. Also, either organizations eliminating the privacy officer, and going in and telling the security person that they will somehow magically have this entire base of knowledge, and they're in charge of privacy now, or just eliminating the position all together.
The best situation, of course, is where the CPO actually reports to the CEO, it's very rare, I can count on one hand the organizations that I can think of that have done that, and not surprisingly, they are very data-saturated organizations. The other trend you see more and more (and it is based more on resources than actual efficacy) is the privacy people being in the legal team. Either the CPO reporting to the General Counsel or is herself the General Counsel. The sooner you can get it taken out of legal the better, because if you are inside of legal, you are going to be perceived as a compliance organization, rather than as a business governance function.
As soon as you get out of legal, you are able to partner with the engineering team, e.g., much earlier in the process. They often don't feel ready to talk to legal yet, so they will wait until the finishing touches on the product launch, while you need to talk to them when they are conceiving what they product should do.
That's my fear with this trend to either smush it together with the CSO or squish it together with the GC, it's not broad enough to get the coverage that you really need to get it done.
Power: Tell us about child ID theft. You and I worked together on the report (Child ID Theft: New Evidence Indicate Identity Thieves are Targeting Children for Unused Social Security Numbers) [PDF link] that I wrote for Debix. From your perspective, what was the response to the report? Where is this problem today? How big a problem is it now? What is the future of this problem? What should parents do? Have you seen any governmental or business movement to deal with this issue?
Dennedy: Unfortunately, I have seen almost no response from an enterprise or organizational level, which shocks and saddens me.
What happens is every time I talk to people about this issue, individual parents are willing to take action, and are beginning to take action, but what is amazing to me, and there are some exceptions (Gerry Smith of the Huffington Post, e.g., put out a six part series on this issue, and did a terrific job), but mainstream media at large just wants to talk about scary things. They don't want to talk about kids unless they have been beat up or abducted, they don't want to focus on it, and it shows where we are as a culture. Your child might be barred from a choice position, or unfairly arrested because they have a false criminal record attached to them, or given the wrong medicine because their healthcare information has been stolen and misused by someone who has a different condition, or they might simply be unable to get credit or financing for school. People aren't getting the gravity of the issue.
And there is an even bigger issue beyond and behind the threat to our children's IDs. We all want instant gratification for credit, and for services, for all sorts of things, and we are simply not willing to take a really hard look at how do we tell who is who, how do we do authentication in a way that does good and not harm? We are willing to sell our children's futures to have four credit cards and buy a cheap pair of pants. That's what we are saying by not addressing this issue.