Recapping RSAC 2023
What is the RSA Conference?
The RSA conference is an annual gathering of CISOs, CIOs, and other cybersecurity professionals at the Moscone Center in San Francisco, CA. From April 24 – 27, 11 of our team members joined the 40,000+ attendees to network with industry peers and learn from 33 keynote presentations and over 650 speakers. For those unable to attend, I’m excited to share the DataGrail team’s recap.
RSAC Privacy Session Highlights
The intersection of privacy and cybersecurity is and has been a hot topic over the past few months. The DataGrail team was pleased to see this reflected by a wide selection of topics in the privacy track at RSAC.
How to Design and Execute Superior Employee Privacy Practices
Forrester’s Enza Iannopollo energized the room with a presentation looking at the specificities of employee-focused privacy practices.
- Regulators — and as a result, companies — are seriously prioritizing employee privacy.
- While similar to consumer rights, employee privacy rights have their own nuances and best practices. For example, prioritizing unstructured data (like performance reviews or cover letters) will be uniquely challenging for employee privacy.
- Undermining employees will ultimately degrade trust. Empathy is key to building a trusting relationship with employees concerning their personal data.
Kindred Chaos – Security vs Privacy Incident Response
We loved hearing about incident responses and the relationship between security and privacy from Google’s Sri Pravallika M. and Ashley Tolbert from Netflix.
- Most privacy incidents are security incidents, so when do these things become intertwined?
- Failure of security controls can lead to security misconfigurations, third-party breaches, insider threats, malware/ransomware attacks, and more.
- All of these incidents can have an adverse impact on sensitive data and carry serious privacy implications.
A Taste of Privacy Threat Modeling
Kim Wuyts from Distrinet Research Unit @KU Leuven led this presentation and took on some common misconceptions about the relationship between threat modeling and privacy.
- Privacy is different than security, but privacy doesn’t — and shouldn’t — conflict with security.
- Privacy and security should be tackled together, as long as teams have the appropriate mindset when thinking about an individual’s privacy versus a company’s security program.
IAPP: Privacy Fundamentals for Information Security Professionals
IAPP’s Katharina Koerner and Uber’s Nishant Bhajaria dove into the details of kicking off privacy engineering within a security team and the fast-growing privacy engineering field.
- Privacy engineering is a new discipline and the definition changes based on who you ask.
- At a high level, privacy engineering involves converting privacy requirements into designs and technical controls promoting risk management.
- Security and privacy need to coexist for privacy engineering to be successful.
- Building design and technical controls around privacy requirements can be a grey area. It’s up to privacy engineers to implement these privacy requirements, which can come from the law, company privacy promises, and user concerns.
Data Privacy and De-Identification
Noopur Davis and Doina Iepuras from Comcast led a fantastic data privacy and de-identification session.
- Applying a comprehensive process to data de-identification unlocks opportunities for businesses.
- It can help push product innovation, share and leverage data with hosted solutions, and protect consumers’ rights – all while maintaining regulatory compliance.
4 Ways IoT Devices Are Creating Privacy Implications for Organizations
Internet of Things (IoT) devices have privacy implications, and Mohammad Waqas from Armis explored them in his RSAC session.
- While IoT devices have a number of benefits, they also present some level of privacy and security risks.
- IOT device security limitations are well known, but the privacy implications aren’t as widely recognized.
- In order to reduce privacy risk surrounding the IoT, take steps to integrate privacy and security controls in your processes for better visibility.
If you were at RSAC, I hope you stopped by our booth to grab a coffee and chat about your favorite session. If you weren’t able to attend, I hope this quick recap looking at some of our favorite privacy-focused sessions was useful.
This is just the beginning for the relationship between security and privacy, and DataGrail is excited to see how this synergy will grow. While the two are separate, privacy and security go hand-in-hand when it comes to creating and managing an effective data privacy and protection program.
If you’re interested in learning more about DataGrail, get in touch with our team here to request a 1:1 demo, or start exploring our product pages to learn more about how we can help your organization make privacy a business advantage.