As part of Data Privacy Week, IANS Faculty offer tips and insights focused on data integrity to ensure that policies are in place that manage, control and protect both personal and organizational data. In this feature, Rebecca Herold discusses common privacy and new data protection legislative challenges and provides best practices to make the compliance process much more efficient and effective.
Q&A with IANS Faculty member, Rebecca Herold
Rebecca Herold is Founder, Owner, and CEO of Rebecca Herold, LLC aka The Privacy Professor®, an information security, privacy, IT, and compliance services firm. She also co-founded Privacy Security Brainiacs, a SaaS platform, in early 2020 with her oldest son, Noah. Rebecca also serves as a Distinguished Ponemon Institute Fellow and as an Advisory Board Member for multiple technology businesses and startups. Additionally, Rebecca serves as an expert witness for diverse cases, is an advisor on multiple high school and college/university curriculum and program boards, and hosts a VoiceAmerica radio show called “Data Security & Privacy with the Privacy Professor.”

For the past few decades, organizations have been struggling with how to better protect personal and sensitive data, while trying to comply with the growing number of legal requirements for using and managing it. New security and privacy laws and regulations continue to be added across the globe, in addition to revamping old ones, making the task all the more difficult.
Rebecca: Most organizations are lagging behind in meeting all the compliance requirements of new legislation. US organizations, and organizations in other countries, in non-regulated industries often aren’t aware of all their other compliance obligations created throughout the past decade, such as those for the US states and territories, that are applicable to all types of organizations handling their residents’ personal data.
For organizations that are B2B businesses, most of the small-to-medium-sized organizations simply don’t know, or hundreds of them have told me that they don’t believe, that they need to follow the data protection legal requirements of their clients who are entrusting them with access to personal data. For example, throughout twenty years of helping a wide range of hundreds of healthcare covered entities (CEs) and many more of their business associates (BAs), a majority of the BAs have told me at first meetings they don’t have to comply with HIPAA. A significant portion of others tell me they don’t have to comply with any part of HIPAA except for the technical requirements. It is similar within other regulated and non-regulated industries. This is slowly improving, but often not until after one of their clients cancels their contract because of their non-compliance or following a breach within the contracted organization.
For organizations in regulated industries, particularly financial and healthcare, the larger organizations have been trying to keep up with all the new regulations while also complying with the long-standing regulations. Most of them struggle to find the experienced staff that they have told me they would like to hire (to drastically reduce position training and be able to “hit the ground running”) to fulfill all the requirements, after synthesizing all the requirements down to the most stringent necessary across all their legal obligations.
The small-to-medium-sized businesses also struggle. I still find many who indicate that they are doing some of the requirements and think that will be enough to show effort if they ever get audited. However, beyond that being an incorrect belief, it also leaves them vulnerable to mistakes, insider threats, and outside threats that will exploit their business ecosystem’s vulnerabilities, and at great risk of security incidents and privacy breaches.
Rebecca: Establishing best practices around data protection has multiple benefits for organizations. Some of the most valuable include:
February 29, 2024
By IANS Research