As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing EY Americas Privacy Leader, Angela Saverice-Rohan. She is responsible for leading the organization’s national privacy practice and a team of experienced professionals with diverse backgrounds, including law, risk, compliance, technology and audit. They are responsible for helping solve the data privacy challenges faced by EY clients.
Having worked with clients in a variety of sectors, including financial services, global ecommerce and health care, she has helped manage national data breach incidents, and led responses to Federal Trade Commission’s consent decrees and Senate investigations, as well as privacy-related class action litigation.
Prior to joining EY, Angela served as managing director of the national cybersecurity and privacy practice of another Big Four organization.
Formerly a practicing attorney, Angela earned her Juris Doctor in Law from Mitchell Hamline School of Law and her BA in Philosophy from the University of Minnesota.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I spent most of my formative years living in Michigan and in Pennsylvania. My father was raised in Ohio and was the first in his family to go to college — he went on to become a surgeon. My mother grew up on a small farm in Iowa and became a nurse.
My parents’ Midwestern roots had a big impact on my upbringing and made me who I am today. The most important values in my family were working hard, not being comfortable with mediocrity and being your authentic self.
My parents are very academically oriented, so I’ve grown up with that focus and a strong work ethic. We had a very cerebral family, where dinner table conversations were about science, politics, current events and innovations. We were taught that we should always have an informed opinion on any given topic and the only way to do that was to read, listen and learn.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I started my career as a lawyer for a large private bank. This was right around the advancement of digital exchange and the introduction of digital checks, so a lot of my job was focused on the privacy and security issues that financial institutions hadn’t really seen before. I was given one of the toughest internal clients our firm had — he had gone through four attorneys in the few years before me, but I was determined to take on the challenge and succeed. I spent countless hours on the side of my day job becoming proficient in privacy and cybersecurity and understanding how they applied to this client’s business. Over time, I built a fantastic relationship with him. At times it was challenging and frustrating, but in the end, it was one of the most rewarding relationships I’ve had throughout my career. Something he said to me during those years has been a North Star as I have progressed in my role as an advisor: “Your role is to give me good recommendations and advice, but you need to remember that as your client I own the decision, I own the risk, and I own the budget.” To be a successful advisor in privacy and cybersecurity, you have to embrace that clients are the ultimate decision makers and your role is to help them operationalize the right level of control and process that aligns with their risk appetite and supports their business objectives.
Can you share the most interesting story that happened to you since you began this fascinating career?
My colleagues and I joke that I always find myself in the middle of some sort of disaster — don’t worry, they are not by my hand! I often find myself in the right place at the right time — like starting with a new client and then having them experience a national data breach. Those tough situations have ultimately made my career as I was able to help manage and deal with the complex and high-stakes litigation or investigation that ensued.
Admittedly, I’m biased, but I think most clients would agree with me that the best advisor has actually sat in their seat, as an executive, in the midst of a crisis — like a national data breach or an investigation by a regulatory authority. That is where you learn the most and prepare for next time. You can’t just advise when the water is smooth sailing; you have to have the house completely on fire, and houses have certainly been on fire in my career.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I believe that no one has achieved success without all of the teams and peers that they work with. Many people have mentored me along the way, and I think that’s something all of us can do better in a career; it’s simply about having the courage to ask.
Beyond mentorship, I believe that having a strong network of sponsors and being a sponsor yourself is what can move the needle. That means going beyond just advice and guidance to being an advocate for someone when they aren’t in the room. I’ve been extremely fortunate to have a supportive network of sponsors who have helped propel me towards different opportunities, including new roles for me to grow into.
At the end of the day though, I’m grateful for my family who understand my time spent away and inspire me to continue being motivated and brave enough to push forward.
Are you working on any exciting new projects now? How do you think that will help people?
Many of our clients are on their journey towards modernizing their data ecosystem and what that means for privacy and cybersecurity. They’re also moving more towards cloud-based structures or data lakes. We have to be able to take everything we know about privacy requirements, expectations of consumers, and data protection, and operationalize that into different environments. It’s a combination of technology, rules, and policy requirements and putting them all together in a way that supports the protections we want clients to have. But, we must do it in a way where they can still have maximum use and flexibility of their data. I think this is an important advancement towards the future.
Another area I am seeing a lot of movement on is cross-border data transfer. The complexity of how we support multinationals that need to move data between the European Union and the United States or with China’s restrictions really energizes me… and keeps me up at night!
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I think firstly, we all need to give ourselves a bit of grace and acknowledge that burnout is real and perhaps unavoidable.
It has taken me a long time to admit that the reason I work so many hours is not just because the job requires it, it is also because I love it. I have to be mindful to take a break and do activities outside of work. Exercise is a big part of my life, especially during quarantine, because it’s a huge stress release for me. I’ve noticed that if I don’t get up early and exercise before walking into a 10-hour day of work and then parenting, I become less productive on all fronts.
My biggest advice is to not take yourself too seriously! I like to remind myself that, unlike my father, I’m not a surgeon; no one is going to die on my table. We all like to think we are incredibly important and that if we don’t show up as our best self then our reputation will be ruined and everything will fall apart. But at the end of the day, I do my best and some days are better than others, but thankfully, I’m not a surgeon… just a consultant trying to solve complex issues : )
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
First, I think the rapid pace of change in this profession is really what keeps it interesting. Each year, month, day there are new ways for companies to be subject to a hack or a data exploitation and we have to constantly stay on top of these changes, look for new technologies and architectures, and maintain security.
As a lawyer by trade, I love the combination of technology and policy that influences this industry. The law has never left me; I just moved into a new role where I apply my knowledge in a pragmatic way. Cybersecurity is another risk that the client has to manage, and I like that I can see the big picture.
I really find the puzzle that is this industry so exciting. Each client is different and helping them achieve their corporate objectives and grow is a new challenge each day.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I think one of the biggest threats that global companies may not be well prepared for is the cyber and privacy risk that will result from continued geopolitical tension between the United States and other countries. Assume advanced and sustained attacks that may evade traditional detection capabilities. Companies should be monitoring world events for the specific purpose of informing their threat intelligence as part of their overall network defense efforts. The cybersecurity and privacy laws in certain jurisdictions support government surveillance and access to personal data, as well as imposing requirements to localize personal data processing. The requirements become threats depending on the data and operations you maintain in these countries. It’s important to understand how your current global footprint and where you store/process data impact your cyber risk calculus.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I had one career experience where within two months of my arrival to this company, they came under Senate investigation. We were tasked with managing class action litigation that ultimately went to the Supreme Court and we had a successful ruling there. I learned a lot about how to manage cyber and policy issues politically. As a lawyer and advisor, much of it is about negotiating policy to reflect the realities of what is feasible operationally and won’t unduly constrain business. It’s about understanding technology sufficiently to manage for the associated risks while supporting my clients in their journeys to maximize its benefits.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The cybersecurity tools I use most frequently include data discovery solutions, allowing us to find personal data, based on pattern matching or policy violations or via machine learning. We also use a number of tools to support data de-identification, including encryption and tokenization. Finding where personal data lives within an organization and then de-risking it as much as possible while still maintaining the usability of the data is a key focus for our team.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The first step is to identify the vulnerabilities and threats to your business, based on its unique operations, geographies and data, to determine your cyber risk. This foundational exercise should help inform the focus for a resource-constrained team and also highlight any necessary upskilling in a particular cyber domain. Protecting the enterprise against constantly evolving threats requires singular focus and accountability by someone within the organization to drive policy and remediation and to obtain investment. Whether the title is CISO or otherwise, this individual needs to have sufficient influence to move the program forward and also be in a position to update the C-suite and the Board of Directors. As for OTC software, if you could only invest in one tool, I would say that a cloud-based endpoint protection solution is likely the best bet. These solutions offer a number of capabilities including antivirus protection, patch management and the ability to remove malicious files.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
If something is amiss, it’s because there was a point of entry. A larger phishing attack can potentially turn into an advanced persistent threat where someone has gained entry to the network and may be gathering information and credentials in order to further what they’re trying to do.
A point of entry companies need to be mindful of is disgruntled employees — this goes beyond just human error. This is an employee who has access to a significant amount of intellectual property and who is unhappy or maybe transferring to a competitor.
Managing for cybersecurity threats is now considered a standard part of the business model. Whether a threat evolves into a breach will boil down to the operating effectiveness of your security controls related to detection, response and recovery.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First and foremost, once a company is made aware of a breach they need to involve legal counsel and public relations. Breach management is all about what you found out, when you found out, and how you handled it, and when reporting breaches to regulators make sure you do so in a timely manner.
In investigative responses, we realize that the fact pattern changes almost daily. You think you understand the root cause and amount of data breached, and it’ll continuously change, so be mindful of the change that will happen. There’s only so much you can do to prevent these situations; it’s now part of business.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
These laws have created a multitude of new obligations for companies to undertake. When the GDPR was put in place, many companies, even sophisticated ones, did not have a lot of the foundational capabilities to be compliant. Companies that do not have good data management practices, including the technology to understand what personal information they have, where it is, how it’s being used and for what purpose will have a very hard time complying with these obligations.
The laws have given individuals more direct access to the personal information a company has about them and provide them a level of control over that data. Now individuals can decide what should be deleted or only used in certain ways, which requires a significant amount of process and technology controls on the company’s behalf.
Because of these laws, we have been able to help clients think through a risk-based approach to implementation. We help them design the right technology stacks in order to support all of the policies and processes.
What are the most common data security and cybersecurity mistakes you have seen companies make?
One of the most common mistakes I’ve seen companies make is not managing their investments in data and cybersecurity technologies — if you’ve already made the financial investment, make the management investment. Another common mistake is poor patch management when updating legacy systems — while this may seem simple, many organizations struggle with identifying and applying critical patch updates as they’re released. With all of this in mind, the most important step cybersecurity and data leaders can take is educating the entire workforce on safe practices and protocols — no one is safe from making a mistake, so it’s so important for all employees to be knowledgeable in this area.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
The first error that many organizations ran into when the pandemic hit was in relation to collaboration platforms. Many companies were not previously using these and therefore needed to rapidly deploy them in order to accommodate the new reality. As a result, they weren’t vetted properly to turn off unsafe capabilities for their employees or integrated properly into the organization’s network, ultimately creating new security risks.
From a privacy perspective, working from home has also allowed us to literally see into each other’s homes. This has changed the dynamic between employer and employee. Additionally, employers have needed to ask health data questions that previously would have been unacceptable, such as whether they’ve been tested for the virus, if they are sick, where they have been, etc. This has led many to ask: Is it permissible for a company to gather this information? For the most part, yes. This is a unique time, and the sense of discomfort around privacy is certainly out there but most recognize the necessity for this data to be shared.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Understand the value of your data at risk. In order to make risk-based decisions on your cyber strategy and what privacy compliance efforts to prioritize, you must first understand not only what data you have, but how your organization is using it. This doesn’t mean that the organization needs to undertake a massive effort to inventory all of their data. Instead, identify and prioritize the systems that contain high value assets — that information that if exfiltrated, corrupted or released publicly would have a significantly negative impact on your business operations.
- Know your data defense and data offense strategies and be able to articulate why either strategy has more emphasis during any given year. Data defense focuses on minimizing the downside of data risk, and data offense is about maximizing the value of your data to drive growth and efficiencies in your business. Data defense imposes constraints and includes cyber and most of your privacy measures. Your data offense strategy could be impacted based on how you design your cyber and privacy controls. Your Board should be updated on these strategies in unison, as it allows them to understand the bigger picture and make informed decisions on balancing between two equally important objectives.
- Understand how cybersecurity and privacy are operationalized in your cloud environments and data lakes. I see many clients who discuss cyber and privacy at the beginning of these projects to modernize their data ecosystem, but they don’t carry through the requirements into the operating environment. This means that control ownership for cyber or privacy may be unclear (vis-à-vis the cloud provider versus the company) or, in the case of a data lake, there may be uncontrolled access and a lack of restrictions around data use cases.
- Integrate your cybersecurity and privacy controls into the business and across the three lines of defense. This means that you should have security and privacy controls that apply at the right level of process, applicable to each business unit. This establishes accountability for the control and provides the right level of risk coverage. A proper framework that provides the basis for effective internal control should demonstrate traceability to all of the laws, regulations, standards and contractual commitments related to cybersecurity and privacy. It should also have delineated controls across the business and act as the single source of truth to support cyber and privacy programs, resourcing and technology enablement.
- Prioritize certain capabilities over others because of the gains to be had. As attacks become more advanced, it will take longer for them to be detected, which compounds the risk to the organization. Don’t lessen your investment in the detection domain. From a privacy standpoint, create controls that support Privacy by Design, in alignment with your product/service lifecycle, as well as how personal data is collected, processed, stored, shared and disposed of. Integrate these controls into the business via the points where change management occurs. Don’t assume all of your change management activities are centralized. Instead, confer with business units on how change specific to their operations is managed and drop the controls into those existing processes.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I know I spend most of my day securing data and making sure companies are compliant in safeguarding as much as they can. But, I truly believe that the most advancement we can make as a society is to be driven by data sharing. I think there are many uses to wider data sharing but one that is close to my heart is medical innovation — we have a plethora of data that is protected but could potentially be used for more targeted, personalized medicine.
I have a family member with a very rare chromosomal abnormality — one of only 34 documented cases in the world. When I was originally learning about this unique abnormality, I was completely reliant upon other families that also had someone impacted to share information. Our existing medical privacy rules and a general fear of sharing data don’t make this easy; many people are reluctant to share their information. Ultimately, this data sharing has given my family and many of theirs a lot of hope, but it also completely changed my view on data.
There is a lot we can change for the better by coming together and sharing our data.
How can our readers further follow your work online?
You can follow me on LinkedIn: https://www.linkedin.com/in/angelasavericerohan/