In January 2020, the FTC released a statement defining its new position on data security orders, to give companies a clearer understanding of the FTC’s expectations for security practices. The new orders specifically emphasize the role of executives in taking responsibility for overseeing policy, in the hopes that C-Suite and board-level buy-in will improve compliance.
Under the new orders, companies must present their board with an annual report on their security program, and senior officers must directly provide the FTC with certifications of compliance. According to the FTC’s statement, “This will force senior managers to gather detailed information about the company’s information security program, so they can personally corroborate compliance with an order’s key provisions each year.”
The FTC asserts that requiring high-ranking executives to provide certifications under oath has been effective in other sectors, such as securities law since it creates direct accountability for individual executives. They cite two studies that correlate executive involvement in data security with a decrease in breaches, including one that found a 35% decrease in the probability of breaches when a company’s Chief Information Security Officer is in the top management team and has access to the board.
"Find out why the @FTC’s new data security orders will require the C-suite and board to strengthen data security strategies."
Executives Are Influenced by Policy and Are Influencing It
PWC’s Top Policy Trends 2020 report surveyed over 400 CEOs, CFOs, and COOs, and concluded that data is “the unifying thread” across all the major policy areas the C-Suite is concerned within 2020. Specifically, the report highlighted data privacy as a central concern for the C-Suite, with 44% of CEOs listing it as one of the top three policies impacting their business the most.
While it’s healthy for executives to help create laws that are informed by the reality of doing business, business leaders must exercise care in attempting to influence legislation, or risk a backlash. A prime example is CCPA, which in its current form is significantly weaker than the original ballot referendum, which would have granted Californians more rights.
While fines under CCPA can still be significant, one of the initiative’s drafters, Mary Stone Ross, publicly criticized corporate lobbyists for their role in drafting the final legislation. Ross voiced the hope that new laws at the state and federal level would “learn from California and guard against the relentless efforts of corporations to weaken people’s rights.” In the long-term, this negative perception of corporate influence erodes public trust and makes it more difficult for businesses to wield their influence responsibly. Already, CCPA 2.0, which gives consumers more rights and increased enforcement powers, is set to be a ballot initiative in 2020. Policy aside, the public at large is increasingly sensitive to businesses whose actions don’t live up to their professed values. When Facebook’s stock tumbled 7% in January, despite strong quarterly revenue, The Guardian suggested that “continuing scandals and regulatory roadblocks may finally be catching up with the social media giant.”
Strategies for the C-Suite to Lead on Data Privacy
In the second edition of Navigating the Digital Age, published by Palo Alto Networks and the NYSE, experts and executives from across various tech sectors joined together in a clarion call for greater innovation, collaboration, and leadership on issues of privacy and security. Their advice ranges from big picture ideas (the word “moonshot” appears 28 times) to small but crucial suggestions for improvement.
In his chapter, security advisory Marc Goodman advises leaders to pay attention to the UX of cybersecurity, since the design of many legacy security programs is “abysmal and painful.” The design of a pop-up security warning window might seem insignificant, but if it’s all that’s standing between your employee and a catastrophic security mistake, it’s a big deal. Says Goodman: “It’s not enough that our security protocols work in theory; they have to work where the rubber meets the road at the end of a keyboard... And that requires a good understanding of human behavior—something infrequently accounted for in organizational cybersecurity strategies.”
"@FTC ordered the C-Suite and board to get more involved with data security. Why IAM is a strong place to start."
One subject that many experts mention as a lynchpin in transforming cybersecurity is authentication. Ann Johnson, Microsoft’s Corporate Vice President of Cybersecurity Solutions, writes that one of the most encouraging current developments in cybersecurity is “the imminent demise of passwords.” This outdated and breach-prone form of authentication is “giving way to biometrics and other steps in multi-factor authentication, making it harder for bad actors to penetrate our firewalls and grab our personally identifiable information, intellectual property, and digital assets of every format.” Of course, experts have been predicting the demise of passwords for ages, but until that day actually comes, it’s crucial to do a better job of securing usernames and passwords.
There’s a growing consensus that sophisticated Identity and Authentication Management (IAM) platforms offer executives a fast and comprehensive way to get control of data and step up security. That consensus is largely responsible for Auth0’s explosive growth in recent years. As Auth0 customer Rolf Bekkstrand attested, “As a CTO, I really don't want to be responsible for a data leak that showed passwords and user logins and those kinds of things. I'm 100% sure that Auth0, a company that is built around this, will have better ability to take care of the security than I'm able to do — your entire business depends on it.”
To Get Involved With Data Privacy, Start by Getting Educated
For the C-Suite, taking the lead on issues of data privacy and cybersecurity begins with listening. Executives must listen to their users’ concerns, and they must also seek out opportunities for expert education so that they can make informed decisions for their companies.
At Auth0, we pride ourselves on providing not just a cutting-edge IAM platform, but also advice for leaders (whether they’re our customers or not) who are interested in stepping up their approach to security. If you’d like to explore strategies to get your C-Suite up to speed, reach out to an Auth0 resource.