By Daniel Barber, CEO, DataGrail
Throughout 2023, data privacy has been front and center in conversations about cybersecurity. Consumers everywhere are increasingly vigilant about how their data is being gathered and used, especially with new technologies like AI creating fresh risks.
CISOs are leading the data privacy charge for their organizations. In a constantly changing environment, security leaders are always on the lookout for IT solutions that will shore up customer confidence and ensure regulatory compliance. And CISOs know best of all that failure to do so can have disastrous consequences.
In 2024, CISOs will need to adapt to a wave of new risks. Chief among these will be the challenges associated with AI, regulation and enforcement, and the very role of the CISO itself.
- AI development and use will demand solutions.
AI poses new challenges for cybersecurity and regulators are taking notice. Just last week, EU lawmakers agreed on the core elements to regulate AI. It will require foundational AI models to comply with transparency obligations, and will ban several uses of AI, including the bulk scraping of facial images. It will also require businesses using “high-risk” AI to assess their systemic risks and report on them. The California Privacy Protection Agency (CPPA), the state’s enforcement agency, also recently released its draft regulatory framework around “automated decision-making technology” (its description of AI), giving Californians the right to opt-out of their data being used in AI models.
No business can afford to simply ignore AI. Across sectors, the technology will be key to long-term innovation. How, then, can CISOs ward off the privacy risks that come with AI use internally and by vendors and other partners?
A first and necessary step is to recognize present limitations. Third-parties are likely to oversell solutions based on the promise of controlling AI, but we’re not there yet. Before CISOs even think about control, they’ve got to get a handle on where AI is– and will be– used in their business. Discovering these points, and monitoring them, have to come before control because no one really knows how generative AI will evolve. For that reason, CISOs should be wary of any third-party solutions that claim to be able to harness this technology and its potential consequences.
Rather than buying into an illusion of control, CISOs should tap into their existing toolbox to further efforts at discovery and monitoring. Traditional tools still have value, even in the generative AI world. For instance, they can leverage ubiquitous network inspection to find calls to AI vendors unauthorized by the company’s policies.Data mapping and detection can help cybersecurity teams know precisely where AI is being used in their organization and prevent shadow IT.
- Data privacy regulation (and enforcement) will evolve.
When it comes to the data privacy market more generally, CISOs can expect one thing: change.
This is particularly true when it comes to regulation. While some agencies have kept pace with technological development, enforcement has been another issue entirely. As data privacy expert Anna Westfelt recently underlined, regulators around the globe currently face crippling personnel shortages and enormous backlogs.
While this was the case in 2023, other indicators give a better idea of what to expect in the months and years to come. In particular, data subject access requests (DSARs) continue to increase year over year. This reflects consumers’ increasing concern with how their personal data is being handled; however, it also suggests that stricter DSAR enforcement is just around the corner.
For CISOs, this means that in addition to solutions for data mapping and AI discovery and monitoring, they need to begin thinking seriously about how they can efficiently respond to consumer demands for data transparency, be it through automated processes or other means. Doing so won’t just protect their organizations from fines stemming from regulatory violations—it will also increase consumer trust and buttress their brand.
- CISOs will face greater scrutiny.
In 2023, CISOs faced considerable risks and challenges. Those tasked with this role often bear the brunt of data breaches and cyberattacks, a reality that often results in burnout, dismissal, and even legal consequences. As such, change is coming.
With so much weight on the CISOs shoulders, it stands to reason that CISOs of value will demand– and receive– higher compensation. They will also necessarily receive better indemnification guarantees, as well as an elevated profile within their organizations to break through the logjams created by corporate culture. Without a ‘safe’ space in which to perform their job, look for the truly qualified to take their talents elsewhere. Afterall, why should they remain in a position that holds them personally, legally responsible for outcomes in which other team members had a hand?
CISOs will solidify themselves as the torchbearers of risk in 2024 and beyond– but only if given the right mix of protection, compensation, and power.
About the Author
Daniel Barber is the Co-founder & CEO of DataGrail, the Privacy Control Center for modern brands to reduce risk and build trust. Prior to DataGrail, Daniel led revenue teams at DocuSign, Datanyze (acquired by ZoomInfo), ToutApp (acquired by Marketo) and Responsys (acquired by Oracle).
Spending much of his career working with data products and third-party apps, Daniel grew increasingly disturbed by the volume of personal information collected and how that data was used by the brands entrusted to keep it safe. He built DataGrail in response, believing that privacy is a human right.
Daniel has become a leading voice on data privacy, with his perspective regularly featured in outlets like TechCrunch, VentureBeat, USA Today, Fast Company, Fortune, and CNBC.
His insights in the field have also been distributed in security and privacy publications such as IAPP, CPO Magazine, Consumer Affairs, CIO Dive, and Dark Reading.
Daniel can be reached online at @gaijindan, https://www.linkedin.com/in/daniel-barber/ and at the company website: https://www.datagrail.io
Source: www.cyberdefensemagazine.com