Combatting Anxiety with Action at Forrester’s Privacy and Security Forum

3 Reasons Why You Should Attend Next Year


Last week, I joined a group of security, risk and privacy professionals at Forrester’s Privacy and Security Forum in Washington, D.C. After taking some time to digest the experience, I’m convinced that the conference is an important one. Here are three reasons why I believe you should attend next year:

They’ll tackle the tough topics

The complex topic of governmental regulation was a recurring theme and particularly appropriate for the D.C. setting. The majority opinion is that we should head towards federal regulation for data protection in the U.S., although exactly what that regulation should look like is less clear-cut. California’s Data Privacy Protection Act will give us a chance to dip our toes in the water to see how to (or perhaps how not to) create a balanced national policy that protects consumers but doesn’t result in what Amazon’s Andrew DeVore calls “unintended consequences.”

There’s a major (and overdue) push towards transparency and accountability on the part of companies who manage consumers’ personally identifiable information (PII). But Dr. Allan Friedman, Dept. of Commerce, made an important point that there’s an unavoidable tradeoff between transparency and accountability when it comes to this type of regulation. Companies are not eager to be transparent if they fear punishment for mistakes. An audience member asked Dr. Friedman frankly if he thinks cybersecurity should be regulated the way that the FAA regulates aviation (i.e., if there’s a plane crash, the NTSB launches an investigation). While he couldn’t provide a straightforward yes or no answer, he pointed out that the NTSB has a powerful weapon for gathering best practices while sidestepping the issue of transparency vs. accountability: the investigation of “near misses.” Give companies a chance to share how they stopped a cyber attack and learn lessons from there. An approach to think about.

They’ll call a spade a spade

There’s so much gray area in this space, so I appreciate that Forrester is willing to take a stance and share a unified opinion when they can. Forrester’s Stephanie Balaouras and Dr. Alissa Johnson, Xerox CISO and former White House Deputy CIO, had a main-stage discussion about diversity in the fields of privacy and security, with a specific focus on how this plays into the industry’s widely-touted staffing shortage. Stephanie takes a blunt position on behalf of herself and Forrester with a sobering warning: “Don’t complain about a staffing problem when you’re not recruiting from half the population.” Be open to recruiting not just based on technical skillset but aptitude, attitude, and potential.

Half of the presenters at the forum were women. Way to walk the walk, Forrester.

They’ll give you actionable advice

In this space, it’s easy to get wrapped up in fear mongering. This year’s forum theme was Conquer Fear, so we were offered two days of information and discussion to move past “we have a problem” and towards “here’s what we do next.” Did they deliver? Yes, I believe they did.

While there was a long list of really excellent, actionable advice, here are a few recommendations that caught my attention:

  • Make security a pillar of the customer experience. Companies make the mistake of only communicating with customers about security when something has gone wrong. Forrester’s Heidi Shey recommends talking about security proactively and often.
  • Think about security from the start. Security accountability among DevOps was raised in the “hackers vs. executives” panel, and problems like attacks on serverless environments are putting a focus on DevOps in the cloud. We’re scrambling to leverage the cloud to solve our big data problems, but “security is the biggest ‘big data’ problem we have,” warned Shannon Lietz, a DevSecOps champion who runs a 45-person-strong red team at Intuit. Security should be a pillar of innovation, not an afterthought.
  • Put an AI expert on your security team. Forrester’s Chase Cunningham and Joseph Blankenship put on a lively show depicting “good” vs. “evil” AI, recommending that in the current AI arms race against cybercriminals, it would do every company well to seek out AI expertise, whether that is an in-house hire, contractor, or vendor partner.
  • Want to see change? Be a part of it. The Department of Commerce is seeking input from the public on a proposed approach to consumer data privacy designed to not only protect consumers but also create a new data plane on which companies can innovate.

Forrester’s Privacy & Security Forum gave me a chance to be a part of a larger conversation. My own piece of advice: set aside time to join next year.