What Large Orgs Can Learn from Domo’s Security Experts
…
When it comes to software security and privacy concerns, Niall Browne and Ryan Taylor are two of the most plugged-in professionals you will find. Niall is the Chief Information Security Officer at Domo. Ryan is the company’s Chief Privacy & Data Protection Officer.
As the adoption of digital technologies becomes more widespread, and talk of more regulatory oversight in the U.S. grows louder, I got their thoughts on a number of issues surrounding this increasingly important topic for all businesses, but especially large global organizations.
Q: What are the greatest data management challenges facing large organizations conducting business across the world?
RYAN: Large global organizations are still very challenged by trying to understand what data is actually relevant to their organization, where that data resides, how to scrub it so that it is reliable, and how to bring it together to create an accurate view of the organization that the right people can use at the right time to make good business decisions.
They are also challenged by keeping up with the constantly changing face of privacy law. In the U.S., organizations are trying to understand the implications of the California Consumer Privacy Act (CCPA), which goes into effect January 1. In Europe, organizations are still refining their compliance with the General Data Protection Regulation (GDPR). And in certain parts of Asia-Pacific, companies are working to digest recent updates to privacy and security laws.
Then there’s a third challenge: How to maximize the value derived from large volumes of data while also protecting the rights of individuals with respect to their personal data. Every organization is different, it takes a lot of balancing get this right, and it’s definitely a work in progress for most—if not all—large global organizations.
Q: Sixteen months in from the GDPR rollout in Europe, what are the biggest changes you’ve seen in the way large organizations are governing their data? Have they been positive?
NIALL: Prior to GDPR, many companies implemented a checkbox approach to data privacy. While they may have been able to check the box for a specific data privacy control, they were unsure of how the control was actually implemented. This resulted in a swiss-cheese data privacy model with lots of control gaps and internal teams unsure of what they were supposed to do. GDPR and the associated fines have resulted in companies now making data privacy a priority, rather than a future promise.
RYAN: Since the GDPR went into effect, companies have spent considerable time and effort reviewing their data collection and data management practices, and working to better reflect in their policies and practices the interests of individuals with respect to their personal data. That improvement comes in the form of greater transparency and communication, allowing for individual choice, and more thoughtful data management practices generally.
Q: Even large global organizations face inherent issues of IT and data governance. Do you think this is a common trend across enterprise organizations that have legacy systems in place? What could they do to be better?
NIALL: For data privacy to be effective, it needs to move from abstract statements in unread polices to being part of the company’s ecosystem. The issue is that legacy tools often times don’t support the data privacy access controls needed to protect users’ data in this new GDPR world. Retrofitting these legacy, on-premise tools has proven to be very resource-intensive at best. Organizations need their data on platforms that have been designed with data privacy in mind. Otherwise, they will be left behind and subject to substantial fines.
Q: When it comes to keeping customer data safe, how can organizations ensure no database is exposed, beyond security systems being up to date?
NIALL: Organizations need to embed security and privacy into their business functions. At a practical level, this means that Privacy Impact Assessments (PIA) need to be completed for a significant change, such as for the deployment of a new tool, platform or data process.
RYAN: The single biggest issue that leads to incidents involving exposure or misuse of confidential customer data is human error. All organizations need to make sure their policies and procedures related to proper data usage and sharing are up to date and reflect the latest legal requirements. Once the organization has the right policies in place, they need to spread the word by conducting regular privacy and security training of their employees, their vendors, and their partners.
Q: A lack of data governance can lead to shadow analytics, where employees take matters into their own hands and download data outside of approved systems to analyze it. This creates multiple threats, from a cybersecurity standpoint to multiple siloed and out-of-date datasets. What types of technologies can help organizations manage this?
RYAN: This is a very real issue. All employees need information to be successful in their roles, but so many have difficulty locating and accessing the relevant data. This is often driven by fear. Without clear policies and procedures to follow and without reliable technologies to facilitate, the people responsible for that data fear making judgment calls about who can access it and how to give it to them, so they just lock it down. This leaves employees who need the data scrambling to get the information some other way. Technologies that provide the ability to share data based on clearly defined policies can go a long way toward resolving those fears and empowering people with needed information.
Q: How does Domo’s self-service offering help minimize cybersecurity threats and risks to sensitive client data?
NIALL: Domo allows customer data to be moved from unsecure spreadsheets and one-off databases to a central, auditable data platform that has been designed to meet GDPR requirements. Customers now have a central location from where to self-manage their data lifecycle and access requirements in full compliance with their global data privacy requirements, including GDPR.
RYAN: The organization’s data within the Domo platform is protected according to rigorous security standards. Domo completes numerous security audits, assessments and compliance requirements, including independent third-party network and system penetration tests. Domo has also achieved certification for ISO/IEC 27001 and ISO/IEC 27018. In addition, Domo provides security self-service functionality that customers can use to layer on security features such as single sign-on, multi-factor authentication and customer-managed encryption keys. Every additional layer of protection employed by Domo customers is another step toward mitigating the threat of unauthorized third-party access.
Q: New data regulations (such as GDPR) and changing laws on user cookies have presented challenges and opportunities in the data privacy sector. With compliance increasingly important, how has Domo leveraged its platform to keep its customers safe and compliant?
NIALL: Domo is a data platform designed to enable customers to meet their global data privacy requirements. Domo customers include 40% of the Fortune 50 companies. This rich tapestry of diverse customer requirements has enabled Domo to simplify data privacy. We do this by providing customers with the self-service capabilities within the platform so they can safely manage the lifecycle of their data.
RYAN: Once the data is in the platform, data stewards can implement technology-driven access policies through personalized data permissions consistent with their organization’s own policies and procedures. In other words, they can use the Domo platform to enforce the organization’s rules governing that data, even if those rules vary from region to region. The Domo platform allows data stewards to manage access and use of the organization’s data while mitigating the risks associated with such access and use in a way that isn’t possible when dealing with disparate, separate data repositories and technologies. The Domo platform allows data management at scale, from global policies down to specific access by the individual.
Q: What are the biggest trends in big data and privacy at the moment? How will they evolve over the next 3-5 years?
NIALL: The conundrum is that data privacy requirements will get stricter, more data will be created, and more people will need access to this data in the future. A solution can’t be achieved if the data remains in spreadsheets, emails and legacy tools. The solution is to centralize the storage and management of this data, so as to allow real-time access while ensuring that strict data privacy requirements can be met. Those that don’t learn this lesson quickly will face a rocky data transformation road ahead.
RYAN: A really interesting current trend in big data and privacy is the use of data in artificial intelligence and machine learning. With AI and ML, data—often in the form of personal data—is analyzed to generate unique insights and to influence machine decision-making. One of the key considerations with AI is just how much the use of personal data to create the insights or decision-making by the system conflicts with an individual’s right to control his or her personal information. At the moment, there are more questions than answers. Over the next 3-5 years, we will of course continue to see advancements in the use of AI. At the same time, I expect to see governments and regulators establish more defined boundaries around AI data ethics and privacy. Hopefully, the coming regulations and laws will be consistent worldwide.
Q: Do you think technology in general will develop quickly enough to handle new volumes of data and to meet privacy regulations? Or will platforms and organizations alike need to work harder to manage them?
NIALL: This is not a technology problem. Many of the central data platforms required to meet these strict data privacy requirements already exist. Organizations must now make the necessary business decisions to keep their customers’ data safe and protect their reputation.
RYAN: I think technology and privacy regulations will likely always follow a little behind the data being generated. It is easy to create data. It is hard to figure out all that is possible to do with data once we have it. And it is even harder to figure out the right thing to do with data once we have it. Organizations will always be working to keep up with the new volumes of data at their disposal.