Under Lock and Key
There's Mounting Pressure to Ensure Data Safety; but Project Teams Must Manage Risk and New Requirements
BY SARAH FISTER GALE
PORTRAITS BY CLAUS LEHMANN
Facebook CEO Mark Zuckerberg is vowing to make privacy protection its top priority in the wake of the Cambridge Analytica scandal.
Data privacy risks have IT leaders constantly on edge. Reports of breaches or mishandled data seem to occur daily, including some that rock the entire world. News that political consulting firm Cambridge Analytica harvested raw data from as many as 87 million Facebook profiles sparked cries from consumers to #DeleteFacebook, and forced Facebook CEO Mark Zuckerberg to testify before the U.S. Congress and the European Parliament.
But the Facebook privacy scandal is one of many that have organizations racing to launch projects to solve high-profile threats. In January, the Chinese government told Baidu and Alipay operator Ant Financial Services Group to strengthen user data protection practices, threatening punishments. In response, Ant Financial said it created a team to safeguard user privacy throughout the company. And in May, the Philippine government's National Privacy Commission gave fast-food chain Jollibee Foods Corp. just 10 days to come up with a plan to fix its website's vulnerabilities, which could have exposed the data of millions of customers.
“Security leaders have been telling executives for years that these projects need to be done, but they haven't always listened,” says Bob Olsen, managing director of cyber risk and information security practice for professional services firm Navigant, Baltimore, Maryland, USA. Everything from cost to competing priorities has kept data privacy projects in prelaunch mode at many organizations.
But now, that's changing as new security regulations, greater security threats and customers’ shifting expectations around privacy all drive these projects to the top of the priority list. Compliance with the European Union's (EU) General Data Protection Regulation (GDPR), which went into effect 25 May, has sparked a slew of compliance projects. That activity extends far beyond the EU, as the new regulation affects organizations within and outside the EU that offer goods or services to people living there.
Sixty percent of global organizations surveyed by PwC plan to spend at least US$1 million on projects related to GDPR, which sets complicated requirements for protecting the data of EU citizens and imposes huge fines for companies that don't comply.
“The most challenging scenario for any IT team is the data regulations,” says Alex Julian, PMP, project manager, BePM Trainer, São Paulo, Brazil. He notes that even in Brazil, many companies are focused on accommodating GDPR and preparing for a Brazilian version of the regulations.
THE VULNERABILITIES WITHIN
According to the 2018 Data Threat Report from Thales and 451 Research, just 13 percent of organizations say they will not be impacted by privacy regulations this year—a big drop from the 28 percent that said the same last year. Yet not every organization has the necessary knowledge in-house to effectively mitigate risks on data privacy projects, says Itsik Haberberg, PMP. He's a cyber information security and project manager with the Israel Courts Administration and a lecturer on cybersecurity and project management at Netanya Academic College in Netanya, Israel.
“Most project managers don't have a security background, and that can be a handicap,” Mr. Olsen says. “When they are building their project plans, they don't know what to incorporate.” Without a security expert as part of the IT team or as a prominent stakeholder for these projects, many teams are flying blind. And potential privacy vulnerabilities often go undetected until something goes wrong, he says.
That's true even when the project's purpose is to bring a site or product in line with new regulations, says Mr. Julian. Too often, these initiatives become an exercise in ticking and tying minimum requirements, rather than a holistic assessment of data security and customer privacy.
“Regulatory requirements are so complex, and few IT teams have the time or resources to understand them completely and identify every aspect of the IT system that might be affected,” he says. “There is a lot of guesswork involved, and organizations need more resources to understand the shifting regulations fully.”
Driving home true success on data security projects starts with resourcing the teams correctly, says Mr. Julian. “They need someone on the project team who knows the rules and risks, and can help them adjust their development life cycle.”
The business case for assigning those additional resources is easy to make: Nearly two-thirds of respondents to a recent 3GEM/Veritas Technologies global survey said they would stop buying goods and services from companies that failed to adequately protect their data. No wonder executives are nearly as worried about privacy controls as they are about hackers, according to a Scale Venture Partners survey released in April.
BEST FOOT FORWARD
Rather than merely reacting to new requirements from regulations or possible breaches, many organizations are shifting to a proactive security stance to better protect customer data—injecting security knowledge and review steps into their project planning process for all future IT initiatives. Tim McCain, chief information security officer, City of Aurora, Aurora, Colorado, USA, calls this a “security by design” approach, and he's partnering with the city government's project management team to make it part of their project life cycle.
“Project managers can be a huge value from a security perspective,” he says. To make it easier for IT teams to embrace a security mindset, Mr. McCain created a template of 18 data types that may indicate a project has associated security risks and requires a deeper review by security stakeholders. Red flags include whether a piece of software will capture Social Security numbers, medical data or criminal justice information. “The template gives them a framework to think about security and to discuss potential risks with their business owners,” Mr. McCain says.
The template also reduces bottlenecks that could occur from having to review every project decision with the security team. If none of the 18 data fields are associated with the project plan, the team can move forward without signoff from the security specialists. If the project does include any of that information, the IT and security teams can expedite conversations about how to mitigate risks. “IT projects are always time-constrained, so this framework helps reduce delays,” he says.
Building greater security awareness across both the project team and project life cycle is a win-win. “We need to build a security culture that is dependent on constant communication and education,” says Mr. Haberberg. “The more stakeholders are aware of the security challenges they face, the easier it is to spot in advance, mitigate and even remove cyber and security risks.”
Strengthening the Cloud
To gain security and ensure compliance with the European Union's General Data Protection Regulation, organizations around the world are launching projects to move data out of the cloud and back into corporate data centers, according to a report from Forrester published in May. The actions are a response to new vulnerabilities organizations are exposed to as widespread movement toward cloud computing continues. Other organizations, for instance, are focused on building better ramparts in a cloud-based environment.
“Our number-one topic of conversation around security is utilizing the cloud appropriately,” says Matt Klein, chief information security officer, Medical University of South Carolina (MUSC), Charleston, South Carolina, USA. “You have to be sure you can trust your vendor and their data centers to keep information safe.”
MUSC launched its Leverage Cloud Capabilities migration project in August 2017, and the security team was involved from the beginning to ensure security considerations were baked into the project design and implementation plan. “Historically, the cost of a project increases the further into the project you are without involving information security,” he says.
Getting security stakeholders to weigh in later in the project life cycle can also cause delays and trigger redesigns that throw the schedule off track even more, he says. “The sooner information security policy, standards and guidelines are followed, the smoother any cloud project will run, and costs and risks in most cases should be lower.”
Although no specific data security regulations govern the healthcare industry, MUSC aligns with cybersecurity guidelines from the National Institute of Standards and Technology (NIST). NIST provides more than 100 guidelines or security controls to measure an information security program against. Having the guidelines makes it easier for MUSC IT teams to determine if they are compliant and where they may face issues. “Then we build the security elements into the project around that framework,” says Mr. Klein.
Everyone on the project must understand their role in achieving a secure and efficient cloud environment, so a kickoff meeting was held with the MUSC IT team, Mr. Klein's security team and the team from Microsoft Azure, the cloud vendor for the project. “Even before the kickoff meeting, I had discussed in a few different forums that embedding security controls and capabilities into the cloud design would be of crucial importance,” he says.
At the kickoff meeting, Mr. Klein introduced one of his best security architects as the project lead to ensure the design was moving in a direction that met all security and strategic goals. “There is an art to finding a balance between reasonable security and user experience,” he says. “And it takes skill and influence to educate project members and get them to make the right decisions to protect patient, student and employee sensitive data.”
Mr. Klein is still in the beginning stages of developing a metrics program that will measure the effectiveness of security controls for both the cloud vendor and the MUSC team. Even on cloud projects that move much of data management to the vendor, the project team still controls aspects such as who has access to the data, how user logins are controlled and how often audits are conducted. “It took a significant amount of collaboration to get the project design right.”
Privacy and Public Data
U.S. federal agencies suffer the highest volume of data breaches out of all government agencies worldwide, according to the 2018 Thales Data Threat Report. In one of the most highly publicized recent breaches, hackers stole the personal information of 22 million federal employees and contractors via the U.S. Office of Personnel Management platform. Investigators later determined that the files lacked appropriate security encryptions.
Yet data privacy missteps are hardly limited to the United States. In 2017, Sweden's government faced huge public backlash after a US$100 million outsourced project to manage vehicle registration and driver's license databases led to a breach of confidential data, potentially disclosing the identities of undercover operatives and other sensitive government information. And in Australia, nearly 50,000 citizens and 5,000 federal public servants had personal information exposed last year, including passwords, identification data, phone numbers and credit card numbers. The privacy breach was caused by an incorrectly configured cloud storage service.
“Government agencies often question the need for data security because of the belief that government data is open data,” says W.B. “Dub” Jones, PMP, business relationship manager for the City of Aurora, Aurora, Colorado, USA. Data security projects might come under closer scrutiny—and budget criticism—because “people challenge why the government is spending public funds on encrypting data that is essentially public,” he says.
Otavio Moreira de Castro, director of transparency and public oversight for Brazil's Ministry of Transparency, Brasilia, Brazil, faces this challenge on a daily basis. Brazil's open-data policy strives to make information about government projects, funding and other programs open for public consumption. But not all data can be equally shared, he says, which can cause conflict in project planning.
For example, Brazilian researchers want access to healthcare data to identify trends in diseases and treatment patterns, but the platform also must protect the identities of the citizens being treated. To find the balance, teams use encryption tools to anonymize the data and break data sets into pieces. However, if certain measures are not taken, there is still a chance that hackers can piece the information together. “There are always risks,” he says.
Project professionals can take fundamental steps to mitigate some of these risks. For instance, Mr. de Castro begins every project by meeting with all stakeholders—including government agencies, community groups and regulators—to define the goals of the data-sharing initiative, determine whether sharing the data creates vulnerabilities and define what can be done to mitigate any risks.
“This is where the negotiations happen,” he says. Whether the resulting plan includes encrypting information, requiring logins to access it or preventing access altogether depends on the benefits and risks. And a thorough review by the data security and the transparency policy teams can help inform that risk-benefit analysis.
Getting everyone involved at the start is no small feat, he says, but “by being active mediators to all of the agencies, we can get everyone on board with the final solution.”
Mr. Jones notes that government agencies looking to balance portfolio budgets with data privacy should do a better job of getting rid of data they no longer need. “Encryption is not inexpensive,” he says. “It makes sense to review retention policies so they're not spending funds protecting data that's no longer useful.”