In this Volunteer Spotlight, The Privacy Advisor checks in with AvePoint Chief Risk, Privacy and Information Security Officer Dana Simberkoff, CIPP/US. With AvePoint, Simberkoff works on risk management and regulatory compliance while maintaining relationships with executive management and compliance officers, both internal and external to the corporation, to provide guidance on product direction, technology enhancements, customer challenges and market opportunities.
Here, Simberkoff touches on her work with company executives on privacy and data security while lending perspective on both known and lesser-known privacy issues that have her attention.
The Privacy Advisor: How do you volunteer with the IAPP, and what is most rewarding about doing so?
Simberkoff: I served on the Education Advisory Board for the IAPP and also was a founding member of the Women Leading Privacy Advisory Board. In that capacity, I have worked, along with many of my amazing women colleagues, to help support programs at IAPP events around the world that are intended to inspire women (and men) in the workforce. It is this kind of educational, professional and intellectual programming and support I believe all women (and men) truly can benefit from in their careers. Currently, I am also working on a project with the IAPP to help define requirements for what "security people need to know about privacy."
The Privacy Advisor: How did you get your start in the privacy space?
Simberkoff: I have been working in the compliance and technology space since shortly after graduating from law school in 1996. My first job out of law school was working for a software company with a focus on regulatory compliance. I had an opportunity to become deeply immersed and well versed in supporting the privacy and operations security programs of many of our corporate and public sector clients. I now have more than 20 years of experience working with senior government officials and C-level executives in the U.S., Asia and Europe with standards setting organizations and advocacy groups. In addition to being an evangelist and subject matter expert, I am a published author on the topics of compliance, content quality, privacy, security, metadata and accessibility issues for both government and private sector organizations on a worldwide basis.
The Privacy Advisor: What do you feel is the most challenging part about consulting on privacy?
Simberkoff: As a person responsible for privacy and security inside of my company, I have always believed it’s important to know not only what our company is doing today, but also in the future. Realistically, technology is evolving faster than ever and certainly much faster than privacy regulations and laws, so it's critically important for privacy and security professionals to understand and prepare to minimize future shock. This means we must become the master of many domains and have a working knowledge far beyond privacy and legal compliance.
The Privacy Advisor: Some folks say it's hard to sell privacy to company executives. Where do you stand on that notion, and why?
Simberkoff: I think it's becoming increasingly easier to do so. As data is truly the new money fueling our digital economy, quite simply, we should be treating it with the same level of care we do for our cash. Privacy and security are neither free nor easy. And, ultimately, privacy is about trust. It's hard to maintain trust, and it's easy to lose. I believe that companies with strong privacy programs will benefit, and forward-thinking executives understand both the opportunity associated with doing so and the risk associated with not doing so.
The Privacy Advisor: What’s the privacy topic you emphasize most in your speaking sessions these days?
Simberkoff: I’ve been speaking extensively on the topic of whether it is time for a merger of the chief privacy officer and chief information security officer or, at the very least, a growing need to align privacy and security programs. I have spoken on this topic at several IAPP events, and, in one of my last sessions, at least half of the participants in a very large lecture room had responsibilities in their organizations for both privacy and security. I am not surprised to see this as an emerging trend. Given the changing global regulatory landscape, it’s clear that the “new normal” for privacy laws will require clear, tangible and operational IT security controls. While both CPOs and CISOs may shudder at the idea of taking on any more responsibility than they already have within their respective domains, there are many good reasons for these teams to be closely aligned, even if the roles cannot be combined. My team holds both responsibilities.
The Privacy Advisor: What is the greatest privacy challenge no one is talking about?
Simberkoff: Writing policies that are unenforceable and not monitored or not reflective of your business creates a huge risk in this corporate environment. Regulators require companies to say what they do, do what they say and be able to prove it. And, if a company is writing policies that don’t reflect reality, it is putting itself at risk. Failure to classify information is one mistake that leads to ineffective policies. If you’re not tagging or classifying your data, how do you have an effective GDPR program? How do you know what data you have, where it is, who can access it and what they’re doing with it? How do you know what you’ve lost if you have a breach? In order for these policies to be enforceable, the CPO really needs to be working closely with the CISO to understand the technology.