March 24, 2021
The APAC privacy focus stream early this morning saw much debate about the complex picture of privacy rules in that part of the world.
“There’s a lot of fragmentation across the APAC region,” said Brendan Pat, Associate General Counsel, Privacy – Asia Pacific at McKinsey & Company. Regarding the prospects for an overarching privacy law in the region, he added that a “one-size fits all approach” would be difficult to make work.
Nitin Dhavate, Country Head for Data Privacy for India, South Asia and Sub-Saharan Africa, echoed this, saying that 13 countries have come up with their own privacy regulations in the past 10 years.
The panel discussed data localisation in China and India and the importance of Asia’s role in the global supply chain.
Francis Acero, Deputy Data Privacy Officer at MERALCO, said it would be interesting to see which privacy law across APAC will “crack the whip”.
However, he said it will be good to see “how deep connections are between privacy authorities and whether they start talking to each other” as new laws become enforced.
Pat said: “There are definitely green shoots of collaboration taking shape across the region”.
Many of today’s sessions focused on challenges to privacy and security thrown up or intensified by shifts in behaviour caused by the Covid-19 pandemic.
In a session on essential encryption in the “new normal”, Leirrand Ochotorena, Director, Data Protection/IT Security Office, at Western Mindanao State University, said: “There needs to be a continuous engagement with employees on how they can be empowered to use these technologies at their fingertips for them to securely manage data”.
Goher Mohammad, Head of InfoSec at L&Q, said: “You can have all the encryption in the world but if your access control is not fit for purpose… if someone has a weak password… all of a sudden, you might as well not bother encrypting that data because it will be open to bad people”.
Fahim Afghan, Senior Product Marketing Manager at Egress Software Technologies, questioned whether customers are even using encryption technology properly.
In another session, a panel debated privacy issues from remote working and how these will play out post-pandemic.
“Most organisations, especially financial services, are trying to work out how they will implement [remote working] going forward… Employers who aren’t flexible going forward will struggle in the recruitment market”, said Victoria Stubbs, Chief Risk Officer at Cambridge Building Society.
Panellists talked about the challenges of employees using their own devices.
Neil Sinclair, National Cyber Lead at the Police Digital Security Centre, said: “Mandating anything to do with personal Wi-Fi use is going to be a tough one, if you haven’t got everyone using deployed and managed assets, it will be very difficult to do that”.
“The younger generation is so tech-capable that they don’t always consider the risk” says Neil Sinclair.
Panellists also raised concerns about the potential privacy pitfalls from surveillance of employees.
Claudia Nathanson, chair of the new UK Cyber Security Council, called for caution over the temptation to launch into cloud migration of data.
She said: “Most people move to cloud before they have the strategy. The strategy should be what are we moving to the cloud. Do not try and start big, start simple: have control and security policy about how you want to handle your data. Don’t do anything unless you have a strategy”.
The very first session of the day had the provocative title “CISOs, the villains or the unsung superheroes?” and was the first of two debates focused on the role of Chief Information Security Officers (CISOs).
Chris Moffatt, Founder and Chief Executive Officer at Dathena, said the perception of CISOs is that they “will say no to the cloud and no to new tools and no to innovation” but there is a “lack of value perception” around how people understand the CISO role.
Moffatt also pointed to a report by Goldsmiths, University of London last year showing 82% of executives in a CISO role feel burned out.
In a later debate, Chris Green, Communications Workstream Lead for the UK Cyber Security Council Formation Project, said there is a “need for bringing in a variety of soft skills from outside of the industry”.
Green made a case for certification for the CISO role. He said: “It comes down to incentivizing with money, absolutely, but justify that with the validated skillset that that person is going to bring to the role.”
Recent months have seen several high-profile class action cases as well as reports of an upsurge in smaller data breach compensation claims.
Panellists at PrivSec Global debated what this all means for data privacy compliance teams.
Simon Walsh, Special Counsel at Cadwalader, Wickersham & Taft LLP, said: “There’s a convergence going on, a realization by data subjects that they have these rights, there’s increased press coverage after Cambridge Analytica and Facebook scandals.
“They are seeing that these have real-life effects, which is quite frightening.”
Stewart Room, Partner, Global Head of Data Protection & Cyber Security at DWF, said that GDPR has led to crises becoming “operational challenges and legal challenges”.
He said: “Unless there is governmental intervention in this topic, it is only going to grow… there is an inevitability about this”.
For Room, litigation is likely to focus on the gap in quality inside data and the use of technology.
“If you’re a DPO watching this…and you do not understand the logic and physical connections then you will be missing the mark,” Room said.
Attention turned to the diversity, or lack of, in the cyber security sector as a panel debated the best ways to increase inclusivity.
Ian Brown, Group Cyber Security Director at Spectrism, said we need a bottom-up approach. “Position the company in a way that people actually want to work there”, was his advice, saying that job rules and descriptions should match the true intention behind the role.
Sandy Silk, Director, Information Security Education & Consulting at Harvard University, stressed the importance of word choices and language when recruiting.
Jessica Figueras, Vice-Chair of the soon-to-be-launched UK Cyber Security Council, spoke at length about the importance of working harder and putting time into the process if you want a truly diverse slate.
She says: “[External] recruiters can be the worst here; you might want to consider not using a recruiter if you want a genuinely diverse candidate”.
Jessica also advised “always state the salary,” as “women are much less likely to negotiate a salary” which she says lends itself to why women earn less than men in tech.
Ian Brown says employees should be offered training on how to respect those in the company who may be neurodivergent.
Anthony Scaramucci was the eye-catching speaker for a fireside chat at PrivSec Global this afternoon.
The Wall Street financier, who was very briefly Donald Trump’s communications director, talked extensively about bitcoin and how it is scaling, and about how bankers, the US Treasury and the Federal Reserve do not like bitcoin and want it banned. But he said this was unlikely.
He talked about the need for cyber security to prevent bitcoin theft.
“Holding the coins and not having them fished out of your account through rogue emails or stealing your password… those disaster stories are plentiful,” he said.
“If they want to own bitcoin and are concerned about cyber security like I am, it should be in cold storage, unplugged from the internet, protected from invasion, security around the facility and backup around the facility”.
In terms of tackling these cyber criminals, Scaramucci talked about the power of networks.
“You have to connect yourself with other networks in your community” for knowledge sharing and “creating alliances against this type of criminality”.
“Bitcoin is a monetary network, Facebook is a social network, Google is an advertising and marketing network…network effects are incredibly powerful.”
As for his views on Donald Trump?
“The president is a narcissistic sociopath,” he said.