Understanding data risk is one of the best ways to mitigate it. Companies need to constantly stay ahead to stay safe.
Quartz Network Executive Correspondent Britt Erler sat down with Vaughn Alliton, SMD and Head of Technology, Risk and Compliance at TIAA to discuss the convergence of cybersecurity, data management and privacy, and why all of this matters for people and for companies.
Vaughn shares insight into:
- Why privacy is more than just meeting regulatory requirements
- Three important data management questions to consider
- Understanding and mitigating risk
Quartz Network: Can you share a little bit more about your background and your current role with TIAA?
Vaughn Alliton: I’ve been involved with technology for way too long and witnessed a lot of change and evolution. As a head of technology, risk, and compliance, I’m part of what’s called a second line function. I report up to the head of legal, risk, and compliance.
We often say that in risk and compliance, we don’t necessarily do, we oversee. We ensure that the first line is covering all the risks and that we’ve covered all the regulatory responsibilities. I also picked up responsibility for risk for data governance and privacy.
In having the risk for cyber, data governance and privacy, it really made me take a step back and look at what we are talking about. Why is this becoming so important? Realizing that it’s not only important to companies. Regulators are focusing a lot more on it.
So with our customers it could be kind of a chicken-and-egg thing. Was it the regulators being focused on it that made the customers aware? Was it the customers being aware that made the regulators aware? It kind of all comes together.
It’s been driven by a lot of different things. On the regulatory front, GDPR out of Europe was really driving a lot of focus, and a lot of conversation and articles about data and data privacy, and then CCPA, CPRA.
A number of states have started to move forward on ensuring privacy for companies where their reputation is really important to them. Privacy is more than just meeting the regulatory requirements. It’s being where the customers expect you to be as it relates to their data. So that’s a little bit of how I ended up being here and being comfortable talking about this topic.
Quartz Network: What does data management mean to you?
Vaughn Alliton: When I talk about what data management is, I’m asking, what data are we talking about? Where is it? Do we really know all of the data that an organization has?
When I say, “Where is it?”, I don’t just mean the databases and the applications. You really need to know where it’s at, because the risk that you have with data management is that you’re not actually managing the data, and not managing something just kind of lets it happen. However, it’s going to happen organically. And you could really run into a lot of risk of over-retaining data and running into a lot of extra costs that you don’t need.
What people have talked a lot about historically related to cyber is how are we protecting that data? So it’s very different. How are we managing the data? How are we protecting the data? Who has access to it? How are we making sure that those who shouldn’t have access to the data don’t?
And we’re protecting that data. You’re bringing in kind of this third pillar, the privacy risk. Who can see it, how can you use it, etc. When you start really looking at the way you put in controls, to remediate each of those risks, you’ll see a significant overlap.
For privacy, one of the biggest control areas that you have is access management. People usually think of access management around cybersecurity. Making sure that only those who have a need to see that data have it. But where it becomes even more important with privacy is deciding if everybody needs to see all of the data.
Sometimes you’ll hear people talk about it if you have those celebrity clients. And even though you may have people in operations, or in a contact center, who are working with people or celebrity customers, you don’t necessarily want to have everybody able to see that data.
So that’s where you would add some privacy step up to that access management and say, “No, only this small group within, say, your contact center, your phone center, or your operations center, they’re the only ones that can see that data.”
That’s what I’m talking about where privacy comes together with cyber. And you may have to step up what you traditionally think of as a cyber control to cover the privacy risk as well. Data management also really helps when you’re talking about cyber, because the more data that you know exactly where it is, and you get rid of data when you know you don’t need it anymore, the easier it is to protect it.
When you have less data to protect, you have less to worry about someone trying to steal. So those are just a couple of examples where they kind of play off each other. And it becomes very important to understand all of this where you have to be clear what your risk is, so that you make sure you have all of the remediation possible. But when you have overlap, you don’t want to have a lot of redundancy, because what you really want to do is make sure that you have them as full and complete as possible.
Quartz Network: Based on your experiences, what are some of the positives and negatives for the company with data management?
Vaughn Alliton: Understanding your risk and understanding your controls will really help you make sure that you understand where things are at. An important part of what I think my role is, is making sure that when senior management is making a decision, it’s fully informed. They really do know where they may have less than sufficient controls, gaps in controls, etc.
There are easily millions of controls out there. You can’t do everything. There’s always going to be a cost benefit that you have. So, what are the ones that we really need to focus on by really understanding your inherent risk, and then looking at what controls would help remediate that?
And then understanding what your risk appetite is. That is where this really helps you make good business decisions around the entire thing. What you’re really talking about is the risk: what is something that could be a negative outcome? What actually happens is you end up with incidents where something happens. So, your key controls are really about those controls that I just mentioned, that really remediate the risk that we have, and you look at them from two different perspectives.
You’ll have some that are going to be enterprise controls. These are things that you do that, no matter what part of the business you’re in, are your controls. A lot of your cybersecurity controls are enterprise controls. DLP. How we make sure that we’re not accidentally sending emails out that have unnecessary or sensitive data that shouldn’t be leaving the firm.
Then there are local controls. These are controls that really need to be implemented by the individual business. And I talked about it before. I’ll go back to access management. How well we actually define our roles, and access to that data, is a local control. Now, the way you structure it in the tools that you provide could be an enterprise control. But how you do it is local. And the whole idea is that the controls are there to reduce the probability of an incident or reduce the impact if an incident actually happens.
And then, kind of a wrapper around this is metrics, key risk indicators, key control indicators, metrics around your incidents, and they’re most effective if you’re informing how to change behaviors, and how to actually improve your management postures and processes around all of this.
Quartz Network: What are some roadblocks leaders should prepare for?
Vaughn Alliton: A really important roadblock to this is always going to be cost. And not only cost in just pure dollars. You don’t have an unlimited technology team, right? It would be nice if you could just keep hiring and hiring and hiring and do everything. But no company can do that.
So, where this helps is actually in prioritization, because you may have some very specific things that need to be done. It’s not necessarily going to help you with new functionality, or a new business product that you want to do tomorrow. But if you really want to protect the reputation, and the ability for you to deliver on the products that you already have, you may need to prioritize.
End-of-life software, hardware, etc. is always going to be a challenge, right? Because no matter what, technology marches on, and companies, when they sell software to you, need you to go to the next version. They need to continue to put new functionality and capabilities out there. But you know what, if you are constantly just putting in the new functionality, you can fall behind and keep this old software and hardware that becomes more expensive to maintain, has greater vulnerabilities, etc.
If the business really can understand that, if they make sure they’re asking questions about where are these remediations that can keep me from having operations fail, operations becoming more expensive, etc., it comes down to a priority discussion and a priority decision. Because you may have to do some of those things to keep the wheels on the car, rather than putting the new paint job on it. They are the new things that you want to do. And that’s what really comes down to those risk prioritization decisions.
Quartz Network: What is an effective way to implement a new system and train everyone?
Vaughn Alliton: The first step you need to do, as I talked about, is really understand your risk and therefore the controls that you need to have in place to mitigate that. Understand where there are local controls versus where there are enterprise controls. Where there are enterprise controls, you need to focus on those groups that own them, that are actually responsible for getting them put in place. Have them truly understand what it means to be effective in those. Then where you have those individual teams, you need to make sure they understand the standards and the ways you need to do this.
And there’s many ways that you could do this. You could do training. You can do conversations. You can literally just put articles on your intranet, etc. Whatever works to get the affected group where you need to have them involved.
But the really important part is, we’re all adults. We all want to do the best thing. You need to give them the big picture. Because if people only see the small piece of their world, they may not understand why it makes sense. And let them understand that privacy, cyber and data management are all responsibilities across the entire firm. They may come out of these centralized teams, but they really are about how the entire business operates. How they protect, how they manage, how they really are delivering what the customer needs.
So it’s a little bit of all, because you need to understand the big picture to know how you’re able to give value. But you also need to know how your piece fits into this. And the training of those people that are delivering on that is critical.
Quartz Network: What does the future of the world look like as privacy, data management and cybersecurity are coming together now to prevent the same threats?
Vaughn Alliton: What you’re going to end up with is a more informed workforce and leadership. It is getting people to think about managing our data from a privacy perspective. You print it, you don’t need it anymore, you shred it, you get rid of it digitally. There’s also a big responsibility of how long do I have to retain this? And if you know what the retention period is, why are you keeping it any longer?
The more data you retain, the more surface area cyber has to protect. And the more the likelihood that private information could get lost or stolen. And that is not what your customer So where I hope that it goes to is that the entire workforce becomes more aware of what they need to do. Because as I brought up ransomware, just a little bit ago, there’s a big industry that is building out of ransomware. They’re making money. Companies are going to have to constantly do whatever they can to stay ahead, to stay safe, to treat the customers the way they want to be treated. And that really is being mindful about how you’re implementing those controls, whether it’s the individuals in the line of business doing it or an enterprise group that’s doing it. They must be very mindful that what works today may not be enough tomorrow.
For more industry best practices and insights from leading IT executives like Vaughn, join Quartz Network.
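Two of the controls discussed in the interview, the privacy "step-up" on access management (a role alone is not enough to see a restricted client's record; the user must also be in a small, explicitly approved group) and retention enforcement (records held past their retention period are flagged for deletion), are sketched below as a self-contained Python example. This is an added illustration, not code from TIAA or from the interview; the role names, field sets, `restricted_clients` group, sensitivity tiers and sample records are all constructed for the example.

```python
"""Added example: access step-up for restricted records plus a retention sweep.

All roles, groups, tiers and sample records below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Set

# Enterprise control (hypothetical): the fields each role may read at all.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "contact_center": {"name", "phone", "last_contact"},
    "operations": {"name", "account_number", "balance"},
}

# Local control (hypothetical): the one small group allowed to see restricted
# records, granted separately from the role that grants ordinary access.
RESTRICTED_GROUP = "restricted_clients"
KNOWN_TIERS = {"standard", "restricted"}


@dataclass(frozen=True)
class Record:
    record_id: str
    sensitivity: str          # "standard" or "restricted"
    created: date
    retention_days: int
    data: Dict[str, str]


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]
    groups: FrozenSet[str]    # step-up memberships


def allowed_fields(user: User, record: Record) -> Set[str]:
    """Fields of `record` that `user` may read; an empty set means no access.

    Fails closed: a record with an unknown sensitivity tier is never shown,
    so a classification gap cannot silently widen access.
    """
    if record.sensitivity not in KNOWN_TIERS:
        return set()
    base: Set[str] = set()
    for role in user.roles:
        base |= ROLE_FIELDS.get(role, set())
    if not base:
        return set()                     # no role grants client data at all
    # Privacy step-up: role access alone is not enough for restricted records.
    if record.sensitivity == "restricted" and RESTRICTED_GROUP not in user.groups:
        return set()
    return base & set(record.data)


def redact(user: User, record: Record) -> Dict[str, str]:
    """Return only the fields this user is allowed to see."""
    keep = allowed_fields(user, record)
    return {k: v for k, v in record.data.items() if k in keep}


def past_retention(record: Record, today: date) -> bool:
    """True once the record has been held strictly longer than its retention."""
    return today > record.created + timedelta(days=record.retention_days)


def records_to_purge(records: List[Record], today: date) -> List[str]:
    """IDs of records that should no longer be retained."""
    return [r.record_id for r in records if past_retention(r, today)]


# Constructed sample data.
SAMPLE_RECORDS = [
    Record("r-1", "standard", date(2024, 1, 10), 365,
           {"name": "A. Client", "phone": "555-0100", "balance": "1000",
            "last_contact": "2024-01-12"}),
    Record("r-2", "restricted", date(2023, 1, 10), 365,
           {"name": "B. Celebrity", "phone": "555-0101", "balance": "99999",
            "last_contact": "2023-02-01"}),
    Record("r-3", "unclassified", date(2024, 6, 1), 30,
           {"name": "C. Unknown"}),
]
AGENT = User("agent1", frozenset({"contact_center"}), frozenset())
SENIOR_AGENT = User("agent2", frozenset({"contact_center"}),
                    frozenset({RESTRICTED_GROUP}))
TODAY = date(2024, 7, 1)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, "agent1 sees:", redact(AGENT, rec))
        print(rec.record_id, "agent2 sees:", redact(SENIOR_AGENT, rec))
    print("purge:", records_to_purge(SAMPLE_RECORDS, TODAY))
```

Two design choices worth noting: the step-up is a separate membership rather than a broader role, so granting it is a deliberate, auditable act for a small group, and both the unknown-tier case and the "no role" case return an empty set rather than falling through to the role's default fields.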