Bits, Bytes, Perspectives and Prognostications

Sunday, February 3, 2019

Security and Privacy, Yin and Yang

It’s 2019 Data Privacy Week, and what better time to spur a discussion on the convergence of rapidly changing technology and what the next decade is going to look like as the 4th Industrial Revolution begins to crystallize.  As stated by the World Economic Forum: Globalization and technology are intimately intertwined. The movement of people, goods, and ideas is accelerated and broadened by new forms of transport and communication. And technological development is, in turn, enhanced by the diversity of ideas and the increased scale that comes from global reach.[i] The Fourth Industrial Revolution can be described as the advent of “cyber-physical systems” involving entirely new capabilities for people and machines. While these capabilities are reliant on the technologies and infrastructure of the Third Industrial Revolution, the Fourth Industrial Revolution represents entirely new ways in which technology becomes embedded within societies and even our human bodies. Examples include genome editing, new forms of machine intelligence, breakthrough materials and approaches to governance that rely on cryptographic methods such as the blockchain.[ii]
Just as the globalization of the previous industrial revolutions leapfrogged different regions, so too is the 4th going to mature unequally. That does not mean that all aspects of the 4IR will affect all regions, but the technologies with the biggest economic, social, and popular benefits will be adopted as cultures and people can afford them. There are many benefits we expect to see with the 4IR as technologies converge, embedding 3IR technology into new economies. AI, robotics, quantum, gigabit, autonomous, and xIoT are expected to become ambient and ubiquitous. Two of the biggest technologies expected to mature with the 4IR will be augmented reality and 5G mobile. Until 5G reaches full 3GPP standardization and adoption, technology like AR isn't viable outside Wi-Fi (home and office) spaces. But when real mobile connectivity, enabled by edge compute and URLLC (ultra-reliable low latency communication), becomes commercially available, AR will be one of the true realizations.
As consumer behaviors evolve and personal devices enable experiences like AR, how and what consumers do is going to become big business. The 3IR is likely to be described by economists and sociologists as the expansion of data creation and economization beyond just the digital revolution it is known as today. The last half decade has exposed a very real and serious need for consumers, providers, and technologies to adopt a posture of data protection. We have seen lawmakers and regulators step up and acknowledge that data is a commodity as well as an opportunity for use and abuse. In the EU, regulators have introduced and passed the GDPR, which is likely to be a blueprint for many nations in some form. In the U.S., the state of California has followed a similar path with the CCPA (California Consumer Privacy Act), with the remaining 49 states waiting and watching. U.S. regulators, at both the state and federal level, are aware of the need to recognize and ultimately protect the data being created, though thus far that recognition has been limited to ownership and monetization. But consumer and enterprise protections are just the first step in balancing the economics of data creation. The debate that started in 2018 with the GDPR and CCPA is about data privacy, and what user rights exist around the use and retention of data. Considering the long-winded definition of 4IR from the WEF above and the continued attention from world conferences like the Davos Economic Forum, there is much to be cognizant and concerned about. 4IR means that for nearly every action or experience, data is being collected, and the deepest concerns of exposure, exploitation, and abuse are eminently relevant.
Those companies that anticipated the opportunity, complexity, and gravity well associated with data usage began hiring for, or enhancing current skill sets around, a new role: the CDO (Chief Data Officer). Whether as a standalone hire or as additional responsibilities for the CISO or CIO, the CDO is becoming a very critical role. A recent data privacy conference in the Valley, covering both consumer and corporate privacy, was jointly hosted by SPB and SPJ[iii]. In attendance was a key group of concerned and engaged technologists, regulators, and executives gathered to peel back the onion.
With recent highly visible data exposures at Facebook, Target, Marriott, and many others, it has become clear that no company is immune, and no single or advanced technology can prevent a determined attack. As a result, consumer awareness and apprehension are likely the highest they have ever been. In researching support for the CCPA, privacy advocates have learned that citizens are starting to pay attention to the uses and applications of their data. They realize companies are gathering massive amounts of information, and the research shows they not only want this information to be held confidential, but they want the opportunity to "opt out" and not have it shared at all. This opt-out clause is at the core of the GDPR; the EU's approach to privacy has been about applying principles to standards, while in the U.S. the practice has been about how to adapt and move forward. It is an EU law, but very much a reality for U.S. companies to implement. Attendees at the conference agreed that data privacy needs to be recognized and treated the same way data security was ten years ago.
With the GDPR at the forefront for every CPO in the Valley and across the country, the panel turned its attention to the importance of nuance and understanding. With everyone in agreement on the significance of implementing some form of privacy protection for consumers, the discussion evolved to how best to accomplish the task: how do businesses approach privacy in a way that is good business for everyone, balancing regulation and impact without killing the little guy? Right-to-be-forgotten requests could bring companies and business to a halt with penalties and legal action. We need to optimize, code, and build awareness and deletion technologies into all the systems businesses are running, or upgrade those systems.
The next few years are going to be a challenge as the regulation pendulum looks to swing away from business-only interests and consumers navigate the convenience-versus-rights paradigm. Corporate adherence, which under current data protection regulations often amounted to paying for compliance, now needs to implement a global data privacy solution that is both broad and agile enough to meet all the varied regulation expected to be enacted. Interpretation of the laws is going to be an ongoing burden. At the end of the day, there were three main conclusions:
  • Data privacy must be addressed and can’t be ignored.  The people want it!
  • Data privacy will not happen on its own without the mobilization of business and government leaders that are committed to putting privacy first yet doing it in a way that won’t crush business.
  • Companies need to adopt a posture of urgency that repeats the shared magnitude data security experienced a decade ago.  We need to put the resources, tools, and talent in place in our own companies – and then help other organizations do the same.
Meeting this new 4IR world is going to be a learning curve, one that can be cumbersome for those companies that cannot afford a full-time CDO or even a CPO (privacy). Data stewardship is not going away, and hiring privacy engineers is just the beginning of compliance. Whether as a full-time job or as a service, the CDO is going to be asked to take on an even larger and more critical role, one where non-compliance can be very expensive. The CIO/CDO is likely to be seen as the new service broker for all such needs going forward.
A distinct advantage that new startups or existing companies might have in the area of AppSec and privacy engineering is connecting with a firm with the bench strength to handle the questions, answers, and solutions occurring on a daily basis. SPJ, a sponsor of the privacy conference, is well connected with the most relevant legal firm in the industry, and also the hottest up-and-coming security and privacy startups in the Valley. Their security and privacy practice is top shelf, and ready to engage at any level.


[i] https://www.weforum.org/agenda/2018/11/the-fourth-industrial-revolution-is-driving-a-new-phase-of-globalization/
[ii] https://www.weforum.org/agenda/2016/01/what-is-the-fourth-industrial-revolution/
[iii] https://medium.com/@spj_gtm/data-privacy-takes-center-stage-as-we-look-to-the-future-e7b5b5fddd16

Sunday, November 18, 2018

The Executive Gigger Model


Boston Globe - Brandon Ambrosino - 2016


For those who have spent time in a senior position, with an executive or C-suite level of responsibility and corresponding title, looking for their next opportunity might be a challenge. Five years ago, the mantra generally understood by execs on the hunt was that "it takes time to find your next position." This historical baseline expectation, shared by many, now feels outdated in the instant economy. It's now 2018; technology and tools have reduced the time of searching and finding, working our network, and even soliciting a network referral to seconds, and yet the velocity of outcomes isn't any "different." The reality is that it still takes time. Hiring companies have also changed; the talent pool they pull from, the demographics they focus on, and other proprietary practices all reflect this. In the conflation of looking for a new role and the evolution of changing employment dynamics, the cognitive dissonance that change is afoot means seekers need to adapt. The modern exec is left with an eroding list of choices: fight the gig economy or join it. This existential and purposeful awakening is real and here, and so is a new type of career.

No longer confined to the contractor mindset, the freelance worker, the private contractor with a valid driver's license, the remote Python programmer, the database architect, the blockchain expert, and the bitcoin miner all now share common traits with each other, and, it seems, more and more with unemployed corporate executives. In a recent survey by research firm Mavenlink, nearly 50% of business leaders today are seeking to retain on-demand workers specifically in management, senior executive, and even C-suite roles. This trend matches that of the modern exec who is seeking balance: to contribute, to learn, to mentor, and to maintain a comfortable standard of living. The impact of the gig economy is that a new wave of executive giggers are answering the call as a team of leaders, a tribe of trusted peers they have worked with before, allying with investors and organically with startups to enter the evolution sooner and more broadly than before. If we look at ride sharing as an allegory for the modern workforce, these contemporary bands are offering their experience to solve the tech-culture archetype of going fast, often at the expense of skipping steps.

Since the explosion of the tech startup in the late '90s, technical innovators and founders have endeavored to increase the chances of success, while assuring their investors (PE, VC, etc.) that they are making wise decisions. It is human nature to want to go faster than before, lean further over our skis, take risks. But every shortcut we take, every step we skip, comes with debt. Entrepreneurs tell themselves that they will catch the kicked can, but debt comes with two consequences: it has to be repaid, and critical lessons are postponed.

In the last 20 years, backers have learned the value of counterbalancing founders' risk-taking by installing hand-picked officers or advisors, often over the resistance of the founders. Both sides have seen the need to evolve the model. More recently, investment firms have been adopting a different approach: employing mentors as house-call incubators. These mentors, former executives, leaders, technologists, SMEs, and impresarios, bring provenance and bona fides that are too impractical for a startup to onboard in its early days. There is a simple elegance to a fractional executive firm enhancing a portfolio with decades of knowledge, experience, wisdom, depth, and breadth. Such a fractional firm of giggers, backstopped with personal resource networks that are supportive and effulgent, interested in knowledge and in each other, is unequivocally the real unicorn. These are not returnship opportunities; they are relationship-driven and à la carte. They allow startups, sophomore companies, and rut-ridden companies a solution to debt and resilience at a salary cost that isn't all bottom line. These experts know when to accelerate, when to scale, and where the common pitfalls are, because they have seen and made the mistakes that drive wisdom.

The shared executive model is made possible through portfolio mentoring, with flat retainers of hours rather than of specific people or skills. What you need to crawl is different from what you need to walk and run. Investors are rewarded with the knowledge that trusted experience is filling gaps and creating a safety net, while founders aren't diluting key leadership positions and do not need to take on a CTO, CMO, or CIO too soon. Equity isn't in jeopardy, and companies can wean themselves off when the lessons and steps are achieved. The executive portfolio team may or may not place an employee at the company as part of the agreement, but as a transactional win-win, the possibilities are exciting. Executive giggers are the force multipliers the industry has been cultivating, and now, as free agents, they are ready to increase the chances of an investment exit.