It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Elizabeth Mann.
An experienced technology executive, Elizabeth leads the Life Sciences and Health sectors in Americas Cybersecurity. She helps executives and boards seek balance in an increasingly disruptive digital economy. Having worked in information security for more than 25 years, she established her leadership position early in the discipline’s development, looking at security from the identity, access and privilege management perspective. As an advocate for a risk-oriented, resiliency-based approach to cybersecurity, she loves understanding the why behind what we do. Elizabeth also leads our efforts for gender parity, actively promoting cybersecurity and risk management as engaging careers for women. She is the executive sponsor for several family and women initiatives at EY. She received a BA in Biological Basis of Behavior and Spanish and an MA in Romance Languages and Literature from the University of Pennsylvania.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in New York with my parents and a sister. I have always been actively involved in school life, my synagogue and my community in general. The tools that I gained from those experiences growing up have carried forward into my adult life as an executive, a wife and as a parent.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
Cybersecurity was never on my radar in high school, nor in my later academic career. Frankly, it was not really a “thing” back then. While technology was emerging and becoming a part of the business world, we still had no real understanding of the cyber threats that would come as the world became more advanced.
I double majored in Romance Languages and Literature, together with a specialized major called the Biological Basis of Behavior, known today as neurobiology. It was an interesting interdisciplinary science major that allowed for exploration of topics such as neurology, psychology and biology. While this is not a traditional path to a cybersecurity role, I learned so much that I can apply to my current career. I honed my public speaking skills as I delivered talks about literature in global markets in different languages. I also learned about pedagogy while teaching at the University of Pennsylvania during my graduate studies. I approached my introduction to the cybersecurity space as I would a new language. I leveraged my language skills, which helped me to deal with what was new for me at the time from an industry perspective.
In my role as the Health and Life Sciences Cyber Leader, I leverage my training as a scientist to engage in better, deeper conversations with clients about their purpose and priorities. I find what sets me apart as a cybersecurity executive is that I’m comfortable navigating conversations about scientific innovation, clinical trials and the like — all topics relevant to my pharmaceutical clients. Ultimately, my path shows that cybersecurity professionals can have nearly any type of background, even one that isn’t grounded in IT or technology. Today, I encourage young women and underrepresented minorities who do not typically enter cybersecurity, as well as those with non-traditional educational backgrounds, to consider this career path because it has tremendous benefits and is a fascinating field.
Can you share the most interesting story that happened to you since you began your career?
I was leading a cyber metrics and reporting engagement for a client when they were hit by a massive cyberattack. I watched it unfold from a conference room in New York City while on a video conference call with our team in India. People were yanking cables out of the walls, trying to save machines, while employees were posting images on social media of ransomware messages that they had received. This was my first opportunity to witness a cybersecurity breach first-hand. The attack was swift and the impact was dramatic. I called the Chief Information Security Officer, who encouraged me to head to the office and see how I could help. I spent several weeks in the trenches with the company, watching the devastation that this brought to a high performing, committed and mature team. We all understood that this would be an example to others of how even the mighty can be impacted. The CEO of the firm was walking the floor, offering encouragement to everyone. That made an impact too.
This experience stands out in my mind, despite the terrible circumstances, because it was an exceptional opportunity to be part of a team going through a crisis and witness resiliency in action. Everyone knew how important it was to get manufacturing operational again and we understood the importance of a well-prioritized recovery. I worked closely with the CISO to prepare for board meetings, which was the beginning of a long-standing friendship as well as a strategic client relationship.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I recall having a very interesting interaction with a Chief Information Security Officer at a client of ours when I was new to EY. I was deeply familiar with the cybersecurity field, as I had previously spent nearly two decades at a boutique consultancy prior to joining EY. Shortly after stepping into my new role, I had the opportunity to meet with this executive at a Fortune 50 company. I didn’t know this going into the call, but the client was not very excited to talk to me and someone had convinced him to take the meeting. We were discussing the challenges around identity management, which is sort of my “fastball” in cybersecurity — it’s an area where I have deep experience and expertise.
At the start of our conversation, the client had a negative tone, and about three or four minutes in, he stopped me and said “I need to be honest with you, I have no intention of retaining EY to do any of this work.” I thought, “Oh wow. That was harsh!” I don’t know exactly why I chose not to hang up at that point. Maybe I was naive, maybe determined, but I said, “Listen, thanks for the transparency, but we both have these next 30 minutes booked on our calendars. We’re here to chat, and I’d like to hear your reaction to what I have to say, and would be interested in learning about what you and your organization are planning to do, whether we work together on this or not.” He agreed and we continued the conversation. About 15 to 20 minutes later, I heard a very loud audible sigh coming from the other side of the phone. I asked if I had bored him and if he wanted to end the call, and he responded, “No. I made that noise because I realize now that you actually do know what you’re talking about.”
The story ends with him inviting us to compete for and eventually win a preferred provider agreement with his organization, which we served for the subsequent six years as their top provider in identity management and cybersecurity consulting. Through this engagement, numerous EY people tackled leadership projects and were promoted to partner. We had the opportunity to really experience what it feels like to be a team with a client and work together as one to improve the client’s cybersecurity controls, modernize their identity management program and serve as trusted colleagues and advisors. This relationship continues today and taught me the lesson of how improved relationships and true trust between client and advisor can lead to fulfilling and transformative work.
Are you working on any exciting new projects now? How do you think that will help people?
Right now, I’m thinking about what a post-pandemic workforce looks like, and how to respond to challenges of managing identity and access when our workforce is going to be reshaped yet again.
A year ago, when the pandemic hit, the way our networks operated shifted abruptly, as did the way people access resources on corporate networks. In the cybersecurity world, this virtual shift presented many potential issues for keeping systems safe. This is because we rely upon an understanding of what “normal” is on a corporate network, and what normal patterns of authentication, authorization and access look like when people who are on devices connect to corporate resources.
Suddenly those connections are coming from all different places at different times of day, and our ability to identify anomalous activity on that unit or set of communications to corporate resources became much more difficult at a moment’s notice. What I’m interested in now is looking at the tools and techniques that clients will need to use, and to again revisit the question of identity management and behavioral analytics in a hybrid workforce model. Going forward, I expect that the acceptance of remote work will continue at least on some percentage that is greater than it was before the pandemic. The migration that companies are making to the cloud to increase resources for remote work also exacerbates cyber risk. It’s an exciting opportunity, while at the same time it is a challenge to cybersecurity controls. I think that we may need to look at identities through the lens of the way they gain access to resources from home or from the office, whether that involves modes of access and/or levels of approvals.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
This pandemic era has shown how hard it is for so many people to take a break and step away from work. In the pre-pandemic world, I found that burnout is only avoided if you commit to taking breaks, and it’s easier to do that with clearer work-life balance and boundaries. So, it is a journey in creating your own work-life balance based on your unique situation, but it is extremely important to carve out that time.
There are so many great ways to decompress, but one of the things I have started doing is color-coding the appointments on my calendar, whether client facing or internal. I then set aside time for taking a break, which is coded in bright yellow. When I scan my calendar and don’t see enough yellow, I look to see if there’s anything I can move around to give myself that time.
A great process that I recently implemented was setting meeting times in 25- and 55-minute durations instead of 30 and 60. It gives that five-minute buffer between my next appointment so I can collect my thoughts and not feel so rushed.
Another practice that I have seen adopted at EY has been stopping all non-client facing meetings on Friday afternoons, so that we can finalize our work and wind down the week.
There are also fun activities that you and your team can take part in to decompress. I personally got tired of the constant virtual happy hours and started thinking of gatherings that focus on doing something specific. Most recently, our team did a cooking class, where I hired a chef to virtually teach us how to make a meal. We made gnocchi from scratch — it was messy! We laughed the whole time and it only took 45 minutes. Our team has also adopted fun games like virtual Pictionary and more.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
It is complicated. Each country has its own set of rules, different states within the United States have different rules, and institutions with national or global reach need to keep track of these policies and protect their data according to these various regulations.
From my perspective, policies should focus on protecting the most critical data under management. If a company does data assessment for purposes of classifying their data assets, and they discover that 80% of the data is at the most critical level of classification, or even 50% or 40%, it quickly becomes untenable. The strategy that we have in the cyber world is to always stratify the risk areas, be willing to identify what’s important to protect and defend those things first and then move down the line, with various layers of control and strength. This is important because it’s complicated, it’s expensive and it is important to apply resources to the things that matter most.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Organizations should decide what are the most critical data elements that must be protected, and consider both the protection and the verification of the data. How do I verify that you are who you say you are? How do I know that you are providing valid credentials? From a technological perspective, it is important to look at capacity for specific tools, either for institutions to be able to validate data sources, perhaps by calling a source, or a distributed method where everyone has control over their own data. From a purely privacy regulation and rights standpoint, it has been several years now since we recognized that the regulatory pressures on organizations around data privacy are dense and complex, because the global rules are different. Organizations must assess their own data and determine the nature of the information they possess. Each state has its own data retention policies, as does each country, and so on. Therefore, along with ensuring that they comply with those laws, they also need to set rules that make sense for their institution.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Data retention and cybersecurity capabilities have evolved significantly over the years as technology has rapidly changed. We can look no further than the abrupt nature of the pandemic, coupled with the exceptional development and release of the vaccine, followed by the race to vaccinate. What we ended up with was physical cards with vaccination credentials. We need to play catch up a bit and digitize these cards, doing so while leveraging existing principles. I think that there are plenty of existing programs that focus on secure credentials, say for blockchain. The real challenge is that institutions are all going to manage information a little bit differently. The good news is that there are open industry standards that are available today, and the more people who adopt those standards, the better, which allows for potential interoperability. There are smart health card frameworks available that allow people to leverage open source code and interoperate with other similar credentials, and that’s a good thing.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Right now, we are focusing a lot on customer identity and access management.
Let’s consider corporation X. They may have had identity and access management practices in place for decades and have been automating the life cycle of employees and internal contractors and the cycle that they go through to gain and lose access to resources. Now, we need to manage identities that are at a greater distance from our HR processes, but we know less about those identities than we do about our employees. Can we apply the customer identity and access management policies to the question of consumer vaccine credentials or evidence? We have to seek a solution that would help us understand the identities that are attached to the data and how to manage those identities together with the data. These are practices that are well entrenched in the cybersecurity landscape today, but specific issues of data privacy and data retention, as it pertains to health data, are even more interesting and challenging for organizations, especially given the prevalence of vaccine conversations today.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the prevailing standard for data privacy in the US and is one example of legislation that is top of mind in this area. It provides a national standard to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
We are already hearing about the controversy around vaccine passports and how to manage the creation of a passport in which the data can be protected, in accordance with HIPAA. I have participated in brainstorming sessions, both with federal government agencies and in commercial enterprises, to discuss where such credentials should come from and how they can be protected. Venues are seeking these forms of healthcare “proof” for access to events like a baseball game or music concerts. This move to greater health safety in a post-pandemic world will present a new set of data protection and data privacy challenges.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Data retention practices are typically dictated by legal requirements, and various types of data may be retained differently. Knowing what you have, and its importance, is at the heart of successful compliance. The movement to the cloud has complicated the landscape of data under management, and cloud policies need to be considered in this context as well. There are requirements not only about retention but also about retrieval, particularly as it pertains to personal information, and those requirements are often tied to the physical location of the data being stored. Cloud attracts organizations for its elasticity and scale, but a move to cloud does not excuse data management responsibilities. I recommend a commitment to data classification and an alignment of that classification to legal requirements. The controls associated with the upkeep of these policies need to be automated to support adjustments and to support workflow requirements for notifications and reviews.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
It is critically important for every organization to ask itself a very difficult question: what do I have that others might want, and how confident am I that I’m doing the best that I can to protect it?
One of the biggest challenges for cybersecurity leaders today is to compel the business or institution that they represent to really understand the risks that are most severe to the organization. They must determine what really matters most and whether or not the best and strongest protections have been applied, and then develop a strategy to move forward with additional precautions. To go even further, businesses need to assess their resilience. How prepared is your organization should the unthinkable happen? Cloud is not an excuse from cybersecurity program maturity or controls activation. It represents a more contemporary form of infrastructure, but it is not an escape from cyber risk.
Everyone experiences breaches. There is no connected environment that isn’t vulnerable to something. The question is, can we really understand the most important elements of a business or an organization that must be protected with the optimal rigor, apply the defenses and test our resiliency in case it still happens? How quickly can we come back up? Do we know the order in which we have to bring things up? Do we know who we need to contact, and at what level of severity is disclosure required, etc.?
It is essential to understand the most serious risks, applying the best possible controls, resources and thinking for protection, then testing and practicing resilience in the face of the unthinkable.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
1) Don’t ever think that you’re not on anyone’s radar.
2) Look at your broader ecosystem. Oftentimes, this makes more institutions vulnerable than before because ecosystems are spread out and attackers take the approach of casting a wide net to see what sticks.
3) Set your standards, set your controls, set your guardrails and pass applications and data sets through the clearing house before placing it up in the cloud. As a result, you have confidence that you know what information you’re storing and the nature of the cloud environment you’re putting it in.
4) There are guardrails that need to be set up in a cloud infrastructure, not unlike the boundaries that we set in a data center. The question of secure guardrails must be addressed early, and our perspective would be to set up a kind of a security clearing house, if you will.
5) What we’ve seen recently in some of the big breaches that have been announced publicly is that attackers are leveraging a supply chain approach to attacking institutions: they spray one bit of malware to multiple organizations, all at once. They are getting smart about attacking something that touches many other things.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective and something everyone can do!)
We work within a global economy that exposes us to organized and effective threat actors who seek to disrupt our efforts — commercially, nationally, organically. I would like to see the cybersecurity industry commit to an alignment of identity management to cyber threat management and recognize the position of identity at the center of the threat universe.
When we align multiple cyber disciplines together and consider the matrix of identity information, data protection and cyber threats, we can see a complex picture that requires unique skills and backgrounds to address. Our industry benefits from deep technical expertise, but it equally benefits from awareness of political science, history, biological sciences and other diverse educational backgrounds. Diversity of thought, together with diversity of heritage, industry and education, is fundamental to our collective success. I encourage us to lean into communities earlier — establish paths for young people to see themselves contributing to managing this threat in a fast growing, ever-evolving tech landscape. The threat won’t likely go away, and the advancement of technical innovation will most certainly continue, so let’s make space for diverse professionals to find their way into this field.
How can our readers further follow your work online?
I encourage readers to visit this link where I share upcoming thought leadership on cybersecurity and related topics.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!