
“Protect it while processing it”, With Jason Remillard and Dave Burg


The Thrive Global Community welcomes voices from many spheres on our open platform. We publish pieces as written by outside contributors with a wide range of opinions, which don’t necessarily reflect our own. Community stories are not commissioned by our editorial team and must meet our guidelines prior to being published.

Protect it while processing it.

Consider homomorphic encryption for your most sensitive personal data, such as financial data or healthcare related data. This type of encryption allows functions to be performed on the data while it is still encrypted. Consider this especially for data analytics processing that is managed by third party providers.


As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Dave Burg, EY Americas Cybersecurity Leader.

Dave serves as the EY Americas Cybersecurity Leader. In this role, he assists clients in reactive and proactive consulting capacities involving the deployment of information technology solutions and their use.

Dave has lectured at NYU’s Stern School of Business, Georgetown University and Penn State University. He regularly contributes to, and has been quoted in, a variety of business and industry journals. He is passionate about presenting on a wide range of topics at global corporations, law firms, industry events and government agencies.

Dave holds an MBA from the College of William and Mary and a BA from the University of Pennsylvania.


Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I had a lot of fun growing up in the Philadelphia suburbs with my five siblings and lots of pets running around the house — always something going on. I was lucky enough to spend a lot of time outside with my friends playing in the woods. We went to a lot of trouble to hunt down golf balls from a nearby golf course and sell them back to the golfers at the course.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

A pivotal moment for me happened in 2007 when I was working on an ATM cash out attack that was undertaken by Eastern European cyber threat actors. The investigation and understanding of the hacking component became extremely important to the financial services sector and to bank regulators because it was one of the first monumental hacks in history to illustrate the potential magnitude of a cyber intrusion. We worked with the FBI, the Department of Justice, bank regulators as well as with the clients impacted. The banking ecosystem was highly alarmed by this intrusion because the only things that limited the magnitude of the attack were the number of human “mules” dispatched to take cash out of ATMs, and the number and amount of cash in ATMs around the world. This opened my eyes to just how significant the business challenges are when it comes to cyber and made it clear to me that cyber is an important space.

Can you share the most interesting story that happened to you since you began your career?

There have been a number of significant cyber intrusions that have shaped my career. While much of my work remains confidential, the most rewarding matters are the ones in which I’ve been able to make a big difference for a client and really prove the value of the work. For example, my team helped a financial services institution extract itself from a bad situation with a bank regulator, developing and deploying an extraordinary analytic approach. What made this interesting for me is that the work had a great deal of exposure with the CEO and Board, and it was gratifying when the CEO said the quality of the work we delivered was well worth the expense — which was substantial. This was an impactful experience because we always seek to demonstrate our value and it is nice to see the difference your work can make.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are a lot of people who have been incredibly influential in my career and there is one client in particular who I’ve worked with for 15 years on over 100 matters that really stands out. He is a lawyer, and our skills complement each other well and we really formed a great team that made a positive impact on the clients that we served. Over the years, we have been able to push our teams to achieve more than they thought was possible in order to help our clients avoid typical negative business outcomes. All of the success I achieved while working with him propelled me through promotions into many different leadership roles and so I attribute some noteworthy career growth to the strong relationship we share.

Are you working on any exciting new projects now? How do you think that will help people?

There are several exciting projects right now. In a number of sectors, we are working intently to use advanced technologies to understand and manage the consequences of cyber resilience. Additionally, we are doing work around the use of various automation technologies that can make businesses run better and safer. A third exciting project is in privacy and individual consumer information protection, which has been groundbreaking and important geopolitically. Last, we are working on a project around supply chain security that I think will be consequential to many industries.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

‘Burn out’ is a common issue and there are many ways to combat it. My advice is to take a more strategic career approach. I believe it is extremely important to steer your career by focusing on what you care about and are passionate about. It’s important to recognize that your career should never remain static — it should keep evolving as your interests, knowledge and skills evolve. The idea of being dynamic and constantly learning and changing your area of focus is a great way to avoid burnout.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

I am not an attorney and therefore cannot render a legal opinion. However, if you look at the big picture, I do believe that every business is accountable for managing and protecting sensitive information. There are laws and regulations that determine the specific requirements for protecting sensitive information. Philosophically, ethically and even strategically businesses need to take these requirements seriously — not only to protect their customers — but it also provides visibility into the increasing connectivity across business supply chains and business ecosystems. In other words, a negative consequence in mishandling sensitive data could result in negative consequences across a business partnership landscape. The good news is we’re now seeing the deployment of many more types of technology to manage and protect information in ways that do not slow businesses down. In fact, we’re seeing more and more businesses using security solutions to help architect and develop new ways of managing business requirements and protecting information, while at the same time, enabling businesses to innovate and collaborate and move faster. While the requirements to protect information vary, the positive trend I see is towards being able to satisfy these requirements while achieving better business performance.

Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?

A key best practice is to develop a more granular understanding of individual data elements: what they are, their importance, where they are located, where and how they travel and how they’re protected. Then, most importantly, businesses need to be able to use insights from those data points to make decisions about how to better run the business. In reality, most businesses have a difficult time handling these fundamental processes, but mastering them can position the business to not only satisfy data protection requirements but to also manage and run their business more efficiently — a win-win.

In the face of this changing landscape, how has your data retention policy evolved over the years?

I believe businesses have an enormous way to go to improve data and information retention practices. There is an issue where companies do a poor job of taking responsibility for storing a single copy of something that they need to keep for the appropriate period of time. Part of the reason this happens is that on-premise and off-premise storage capacity and cost continues to increase and decrease respectively. This creates significant ongoing potential risk and challenges. If an organization is unable to understand where information, whether it is sensitive or not, is stored and how many times it is stored, problems can occur. Information retention hygiene and data protection and security go hand-in-hand, and unfortunately this remains a significant challenge for most organizations.

Ok, thank you. So far we discussed a business’s responsibilities. Now let’s talk about how to put it into practice. Can you please share “Five Things Every Business Needs To Know In Order Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

1. You can’t protect what you don’t know you have. Create a sustainable personal data inventory capability.

It is important for companies to create a sustainable personal data inventory capability. Many laid the foundation for this in response to the EU General Data Protection Regulation which became effective in 2018. However, it wasn’t always structured as a sustainable capability to support ongoing updates of the inventory. Also, in the past, personal data inventory exercises have often been led by the second line privacy or compliance team. These teams generally don’t have the resources to manage this as an ongoing activity. The capability is much better placed into the Data Management team, where data monitoring is a routine function.

Most personal data discovery exercises are biased towards searching for what we already believe is there based on our knowledge of the business and the types of personal data necessary to support operations. However, it’s important to consider “outlier” personal information — personal data that your company may be collecting or receiving from second and third parties — that may not be in sufficiently large volumes to put it on anyone’s radar. Consider customer surveys and social media activity as well as personal data that may be purchased from data aggregators for specific initiatives.

2. Protect it while processing it.

Consider homomorphic encryption for your most sensitive personal data, such as financial data or healthcare related data. This type of encryption allows functions to be performed on the data while it is still encrypted. Consider this especially for data analytics processing that is managed by third party providers.

3. If you don’t use it, consider getting rid of it.

Most companies do not adhere to their own records management standards on data deletion. It is seemingly an afterthought and with the reducing costs of data storage, it hasn’t necessitated management from a financial perspective. Anecdotally, we have found that most companies also don’t have a data and analytics capability to support discovery and implementation of data maximization — a disciplined approach to evaluating how certain data sets could be used to support new business intelligence or enhance the customer experience — secondary data use cases. If a business is keeping personal data beyond the time period for which it requires it pursuant to both privacy laws and its own records management policy, it is sitting with a potentially large liability. If the company deletes the data, it no longer needs to worry about how to protect it — wasted worry for assets no longer being used or perhaps no longer permitted to retain/use.

4. Manage your supply chain (don’t simply rely on contractual provisions to save you)

Our experience has been that most breaches of personal data involve a third-party supplier. When suppliers are vetted and onboarded to the organization, most companies have implemented some form of a security assessment as a precursor. However, in many respects, these forms have become ‘check the box’ exercises for all involved. The template language is inserted into the contract and the deal is closed … fingers crossed for the best going forward. We advise clients that they need to be able to identify which of their suppliers have their customers’ personal data — not only because privacy laws now require this — but because it’s simply foundational data governance. This exercise can be unwieldy based on a business’s supplier population and how much data it’s consistently maintaining as part of its contract management system — regardless, the business needs to know. Once that population is identified, they should be stratified by risk at minimum according to the volume of its customers’ personal data they have access to and the countries in which they are doing business. There should be proactive engagement with the business’s high-risk suppliers (based on their access to personal data) including site visits. If it’s a key supplier and the company is a sufficiently large client, the company may consider requesting a quarterly briefing with the CISO and CPO to better understand how the supplier is protecting customer data.

5. Invest in master data management and metadata management technology to inform better decisions.

Protecting customer data — actually actioning it — is premised on the notion that someone can find all of the information related to individuals and make intelligent decisions on how to safeguard that data in a way that still respects how a business needs to use it or share it. The absence of master data management will make that significantly harder. Companies that can’t identify the “golden record” of their customer data as it applies to the different types of use cases in their organization don’t generally apply controls consistently to all of the derivatives of that data that follow or alternatively they may be applying safeguards redundantly. Same point on metadata management — it’s an important input to the calculus on why we should care about certain customer data. Companies must understand the what, where, why, when and how as it relates to their personal data in order to apply targeted controls to protect it.
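Point 2 above says that homomorphic encryption lets a third party run functions over data that stays encrypted. The following added example (editor's illustration, not part of the interview and not EY's code) shows the simplest form of that idea: the Paillier cryptosystem, which is additively homomorphic, so an analytics provider holding only the public key can total a set of encrypted account balances, and only the data owner, holding the private key, can read the result. The primes, the sample balances and the function names are constructed for the demonstration; the key size is toy-sized so the arithmetic is easy to follow and must not be taken as a production parameter.

```python
"""Toy Paillier additively homomorphic encryption.

Added illustration of "protect it while processing it": the analytics
provider receives ciphertexts and the PUBLIC key only, computes a total
over them, and returns a ciphertext it cannot open itself.
Pure Python, no third-party libraries; requires Python 3.8+ for pow(x, -1, n).
"""
from math import gcd
import secrets


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


class PaillierPublicKey:
    """Everything the processing party needs: encrypt, add, scale."""

    def __init__(self, n: int):
        self.n = n
        self.n_sq = n * n
        self.g = n + 1  # standard choice of generator

    def encrypt(self, m: int) -> int:
        if not 0 <= m < self.n:
            raise ValueError("plaintext must be in [0, n)")
        while True:  # random blinding factor r, coprime to n
            r = secrets.randbelow(self.n - 1) + 1
            if gcd(r, self.n) == 1:
                break
        return (pow(self.g, m, self.n_sq) * pow(r, self.n, self.n_sq)) % self.n_sq

    def add(self, c1: int, c2: int) -> int:
        """E(a) * E(b) mod n^2 == E(a + b): addition on ciphertexts."""
        return (c1 * c2) % self.n_sq

    def mul_const(self, c: int, k: int) -> int:
        """E(a)^k mod n^2 == E(k * a): scaling by a known constant."""
        return pow(c, k, self.n_sq)


class PaillierPrivateKey:
    """Held by the data owner only; never shipped to the processor."""

    def __init__(self, pub: PaillierPublicKey, p: int, q: int):
        self.pub = pub
        self.lam = lcm(p - 1, q - 1)
        self.mu = pow(self._L(pow(pub.g, self.lam, pub.n_sq)), -1, pub.n)

    def _L(self, x: int) -> int:
        return (x - 1) // self.pub.n

    def decrypt(self, c: int) -> int:
        return (self._L(pow(c, self.lam, self.pub.n_sq)) * self.mu) % self.pub.n


def generate_keypair(p: int = 104729, q: int = 1299709):
    """Constructed toy primes (the 10,000th and 100,000th primes); real
    deployments use primes of at least 1024 bits each."""
    n = p * q
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("p and q unsuitable for Paillier")
    pub = PaillierPublicKey(n)
    return pub, PaillierPrivateKey(pub, p, q)


def third_party_total(pub: PaillierPublicKey, encrypted_balances) -> int:
    """Runs at the analytics provider: it sees ciphertexts and the public
    key, never a plaintext balance, yet produces E(sum of balances)."""
    total = pub.encrypt(0)
    for c in encrypted_balances:
        total = pub.add(total, c)
    return total


def demo() -> int:
    pub, priv = generate_keypair()
    balances_cents = [125_000, 98_250, 400_000, 12_599]  # constructed sample
    encrypted = [pub.encrypt(b) for b in balances_cents]       # data owner
    encrypted_total = third_party_total(pub, encrypted)        # provider
    return priv.decrypt(encrypted_total)                       # data owner


if __name__ == "__main__":
    print("decrypted total (cents):", demo())  # 635849
```

Two properties matter for the point the interview makes: encryption is randomized, so the same balance encrypts to different ciphertexts each time and the provider cannot match records by value; and the provider's arithmetic happens entirely on ciphertexts, so a compromise of the analytics environment exposes no plaintext balances. The limitation is just as important: Paillier supports only addition and scaling by known constants, so anything beyond sums and means needs a fully homomorphic scheme, which is far more expensive.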

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

At some point we’ll solve the cybersecurity challenges we face. A main one to focus on is being able to protect the confidentiality, integrity and availability of information, ensuring that only the individuals or entities who should have it, have access to it. The confluence of technologies like cloud, quantum computing, authentication technology and zero trust networks will enable us to get to a place where the confidentiality, availability and integrity of the information will be ubiquitous. Having the ability to accurately know who is communicating with who will take us a long way in solving many of the cybersecurity problems we face because it will prevent someone from using someone else’s credentials to inappropriately access information. Businesses have been focused on identity and access management for years, which remain at the center of solving cyber security challenges. I’m hopeful that solving this particular part of the issue will provide a great deal of benefit to society at large.

How can our readers further follow your work online?

My EY.com profile or LinkedIn page are places where readers can follow my work:

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

