After turbocharged digital transformation and a rapid data shift to the cloud in recent years, sensitive data is all around us and is more available than ever. While this is good news for data-driven organizations’ analytics initiatives, it also brings increased risk. As enterprises leverage and share more sensitive data, the threat of breaches and leaks also grows. In 2022 alone we saw tech giants like Apple, Meta, Twitter, and Samsung all disclose data breaches of sensitive user information, and these threats only continue to escalate.
As we head into 2023, the challenge of effectively balancing data security, privacy, and access is at an all-time high. Organizations must take the right steps to protect their sensitive data without completely locking it down, so they can continue to successfully leverage that information to innovate and remain competitive. Today, we’ll be joined by Mo Plassing, chief product officer at Immuta, a data security leader that enables organizations to unlock value from their cloud data by protecting it and providing secure access. The Immuta Data Security Platform provides sensitive data discovery, security and access control, data activity monitoring, and has deep integrations with the leading cloud data platforms. As a former co-founder of Codeship, a software-as-a-service (SaaS) CI/CD product that he later sold to CloudBees, and as an angel investor in data & developer tools, Mo has deep expertise in the data challenges facing developers, engineers, and businesses alike.
Gary Drenik: While much uncertainty remains ahead when it comes to data security, privacy, and access, there are some key trends that will shape the landscape in the year to come. What are some of the top data security, privacy, and access challenges organizations face as they head into 2023?
Mo Plassing: The current SaaS data infrastructure landscape makes it easier than ever for IT teams to access and share data between companies, regions, and departments. In fact, research from Forrester found that 70% of global data and analytics decision makers are actively expanding their use of external data, and another 17% plan to do so within the coming months. However, data sharing has reached a breaking point. Traditional tools and approaches used by CISOs (chief information security officer) to secure and protect data in the cloud can no longer keep pace with the rapid growth in data sources, users, and policies that must be protected, governed, and managed. Because of this, many CISOs have become “bottlenecks” in the modern data stack.
From a privacy perspective, according to a recent Prosper Insights & Analytics survey, 62.3% of consumers don’t like it when social media sites, search engines, mobile apps, etc. take their personal, online and mobile location data and allow advertisers to use it to send them advertising.
As the same survey suggested that 64.5% would like to see legislation enacted that prevents these entities from selling their personal, online and mobile location data to advertisers and others, new laws and regulations are rapidly coming into place to address the concern. We’ve already seen Virginia’s industry-backed privacy law go into effect on January 1st, as well as the California Privacy Rights Act introducing changes to 2018’s California Consumer Privacy Act after a 2020 ballot initiative. While CISOs are often accountable for data policy enforcement, recent research shows that efforts are largely decentralized and often lack a clear chain of command. This means there’s a significant gap between security, privacy, and access that needs to be addressed.
Drenik: How are these data security and privacy bottlenecks impacting organizations’ data-driven initiatives?
Plassing: The need for organizations to be data-driven is more critical than ever in today’s business environment. However, in our recent State of Data Engineering Survey, which highlights the top data engineering challenges and blind spots as organizations strive to become more data-driven, organizations reported only using an average of 58% of their data in decision making. And 89% of organizations reported missing business opportunities because of data access bottlenecks. Data security, privacy, and access challenges are largely to blame, with most data professionals reporting a lack of visibility into data access controls and how they correlate with data security and privacy – 90% admit they could improve their understanding of the association between them.
Drenik: What can organizations and security leaders do to address these challenges?
Plassing: As data moves from on-premises to the cloud, this clear disconnect between data security and access not only hurts organizations’ data-driven initiatives and business outcomes, but also increases their risk of data leaks and breaches. To better support data teams when it comes to bridging these disconnects, CISOs need to step in and become more of an enabler of the modern data stack. This will require security and data leaders to work more closely with their teams to prioritize balancing security and access effectively.
Drenik: Can you elaborate more on how the role and mandate of the CISO will change this year given these challenges and disconnects?
Plassing: Because of evolving data localization and sovereignty laws today’s organizations are in the true “wild west” of data sharing. In the coming year, data security infrastructure will evolve to address the challenges around data sharing. CISOs will need to shift their approach by putting the necessary controls and processes in place to both meet the demands of the modern data stack and effectively balance data access with maintaining security posture and privacy compliance. This includes implementing anomaly detection capabilities and continuously monitoring data access and use. CISOs must also work to refine security policies with transparency and automation so they can confidently secure data, while still providing real-time access to data users across the enterprise. Without balancing access with security and privacy, organizations will either feel the debilitating effects of a data breach, or struggle to truly let data drive their business. One way to do this is to utilize digital data processing agreements (DPAs) that help put guidelines in place for how organizations can access, process, and report on data use. These agreements will ultimately change how CDOs (chief data officers) and organizations use data for business value moving forward.
Drenik: What’s on the horizon for addressing data security and privacy concerns when it comes to privacy enhancing technologies (PETs)?
Plassing: Today, 75% of all countries have implemented some form of data localization rules. As a result, data sharing and collaboration across borders is becoming increasingly complicated for global enterprises. In the coming year, more global organizations, or those engaged in inter-jurisdictional data sharing, will also implement privacy-enhancing technologies (PETs) to solve data minimization challenges and protect the confidentiality of commercially sensitive data. To facilitate this, leading economies such as the US and UK will promote the use of privacy tech. At the same time, PETs will gain the attention of regulators who will have to come up with frameworks to assess the wider impact of these technologies upon data access and competition. Data localization challenges will continue to evolve as requirements and the geopolitical climate change. However, it will remain imperative for organizations to enhance their tech stack to enable tracking of data movements across jurisdictions, ensure the confidentiality of the data moving from one jurisdiction to another, and suspend movements when high risks are flagged.
There’s immense change in store for data security, privacy, and access processes in 2023, and the space will only become more complicated as data volumes and sources continue to grow, and regulations become increasingly stringent. It will be critical for CDOs to stay ahead of these developments in order to remain compliant and competitive. Despite the uncertainty that 2023 brings, being aware of these few trends heading into the new year is a good place to start.
Drenik: Thank you, Mo, for taking the time to explore this with us and sharing your insights on data security, privacy, and access trends for 2023.