The Gist
- Collaborative data defense. CMOs, CIOs, and CISOs must unite to protect customer data effectively.
- SEC compliance essential. New SEC regulations heighten the need for transparent data risk management.
- Generative AI challenges. Ensuring ethical use of customer data in generative AI is crucial for trust.
In our increasingly interconnected world, the protection of customer data emerges as a critical team effort, especially for chief marketing officers (CMOs), chief information officers (CIOs), and chief information security officers (CISOs). In this article, I will explore the importance of collaboration as I interview three security executives.
The discussion dives into the ramifications of new Securities and Exchange Commission (SEC) regulations, the pivotal role of educating marketing and service leaders about data security, and the challenges posed in utilizing customer data with generative AI technologies. It also highlights the risks associated with proliferating customer data storage locations. This includes underscoring the importance of safeguarding customer data to ensure sustainable business practices and enhanced customer trust.
Meet our three security executives:
Proliferation of Where Customer Data Is Stored
In an era where data represents the new currency, the burgeoning sprawl of customer data across cloud platforms poses an opportunity and formidable risk. As businesses migrate their customer data storage to the cloud, they must grapple with heightened vulnerabilities for data breaches that could lead to substantial financial losses and severe damage to brand reputation. For this reason, organizations must understand the nature of data connected to their systems — whether it be sensitive or personal—and the jurisdictions involved. Smart companies tailor their security measures to ensure compliance and maintain a customer-first security stance that aligns with their core values.
Related Article: Consumer Data Privacy: Win Trust With Consent-Based Marketing
Matt Mills: Vendors Must Navigate Customer Data Safely
“Vendors need to be aware of the types of data their customers connect to their solutions. For example, is the customer connecting sensitive data or personal data? This could be as simple as a name or work email address, even if publicly available. The sharing of personal data with the vendor can trigger obligations under privacy and data protection laws. Another consideration is whether to include language in customer contracts that restricts customers from connecting certain types of data to your technology, product or solution. Frankly, this can be for the customers’ and the vendors’ benefit. Additionally, organizations should determine alternatives for how technology, products or solutions can be architected. It’s also important to be mindful of whose personal information is being connected to your technology, products, or solutions. Additionally, be mindful of whether the data being connected or shared with your technology, product or solution is coming from a highly restricted country. Lastly, I’d say, keep the company’s values in mind. Not only is protecting personal information required by 180+ privacy laws around the world and 14+ U.S. privacy laws, it is also about the reputation we have in the market as a customer-first security company.”
Related Article: 5 Ways Transparent Personalization Can Win Over Customers
Balaji Ganesan: Cloud Data Risks Threaten Brand Equity
“The rapid expansion of cloud data, predominantly customer information, presents both opportunities and significant risks for businesses. With the shift towards cloud storage, enterprises are increasingly vulnerable to data breaches that can incur heavy financial penalties and tarnish brand equity — a concept David Aaker equates to a balance sheet in his book on “Brand Equity.” Acknowledging the gravity of these risks, Gartner’s introduction of data security posture management is a crucial development. This framework empowers CIOs and business leaders such as CMOs to proactively identify and mitigate risk exposure, safeguarding sensitive customer data and ultimately protecting their organization’s brand integrity.”
Related Article: Effective AI Data Governance: A Strategic Ally for Success
Raj Rajamani: Secure Cloud Data with Strategic Classification
“First, you need to perform discovery across your cloud providers, this will give you an inventory and catalog of every customer data source/set that exists across the various structured (e.g. database) and unstructured (e.g. flat file on S3 bucket) data services that exist in your clouds. This process should cover data at rest as well as data in transit between different services. Next step is to perform classification on this data inventory. This allows you to identify which customer data is sensitive. For example, personal data such as a name, age, or address can be classified as PII data. Credit card numbers and payment data will be classified as PCI data. Once data is classified and you know what is sensitive, you then need to protect it with runtime policies and rules. This allows you to protect specific customer data flows that exist within your cloud environments. For example, if the data type is PII (personal data) and the network destination is internet facing (public) then create a critical alert for security to investigate.
“Finally, security teams continuously manage and govern the posture (state) of their policies and rules as data volumes, types and flows in the cloud continuously change. Think of posture as real-time visibility into all the customer data risks and policy violations that exist within the cloud.”
SEC Regulation Puts Brand Risk Front and Center
A recent SEC regulation has thrust brand risk into the spotlight by mandating organizations to disclose their data risk management strategies to both the public and their customers. This regulatory shift compels CISOs and CMOs to reassess and publicly articulate their approaches to mitigating data risks, fostering a new era of transparency.
Matt Mills: SEC Rule Changes Cyber Disclosure Dynamics
“The new SEC cyber disclosure rule immensely impacts organizations. CISOs and CIOs now must go out of their way to disclose everything, and it will run the risk of resulting in overreach. For board members, this means it will likely fall back on them, the CEO or CFO to determine how much oversight is too much, what is insufficient, and how much is just right. The reality is, the iceberg effect is all too real, but what’s far worse than having a breach be broader than originally disclosed is this: not being transparent — and extremely timely — from the start. Now, while I can’t speak to others’ attitudes about this change, in the conversations, I’ve had with CISOs — whether customers or prospects — this is absolutely something that is top of mind and, perhaps, in a different way and at a different altitude than it might have been before.”
Balaji Ganesan: New SEC Rule Unites CISOs, CMOs in Compliance
“The new SEC regulation is poised to bridge the gap between CISOs and CMOs, pushing organizations towards improved business practices by making them more aware of their risks. As poor practices now lead directly to public disclosures of material impacts, it’s crucial that safeguarding customer data becomes a top priority for both CMOs and CIOs, fostering greater collaboration and driving a culture of compliance and security across business sectors.”
Raj Rajamani: SEC Rules Elevate Cybersecurity to Board Level
“CISOs and C-suites have taken customer data risk seriously for a long time but with the new SEC regulations in effect, it is now a critical board-level issue. Specifically, public companies must be proactively sharing detailed cybersecurity practices and strategies with their boards and boards must have a deep understanding of what a strong cyber strategy entails. This process requires the full support of the executive team. A fundamental strategy for public companies handling the SEC’s disclosure rules is to establish risk mitigation and security processes that prevent material incidents from occurring in the first place. Legal requirements for incident reporting incentivize organizations to do everything they can to prevent a cyber incident from occurring. A large piece of this process is creating a culture that prioritizes cybersecurity and building a cybersecurity-first culture begins with 100% participation at the executive leadership level.”
Educating Marketing and Service Leaders
To effectively protect sensitive customer data in the cloud, marketing and service leaders need comprehensive education on various aspects of data security. This includes understanding the technical and legal implications of cloud storage, data protection laws and the specific security requirements of their industry. Furthermore, they should stay updated on proactive defense measures.
Matt Mills: Team Approach Key to Enhancing Data Security
“A customer’s security is a team sport — it can’t be done with just one part of an organization. At SailPoint, privacy and data security is embedded in the company’s culture, from how we design our products and features to how we protect the personal data of our customers and of our own employees.”
Balaji Ganesan: Leaders Must Master Cloud Data Security
“Marketing and service leaders must undergo comprehensive education on safeguarding sensitive customer data in the cloud, navigating a landscape where data proliferation resembles a relentless game of Whac-A-Mole. Data security is not just a domain for security teams. Improper safeguard can lead to security attacks that can dilute the overall brand and the customer trust. Business leads should invest time in understanding security frameworks and how teams can collaborate in achieving the common goal. Key to this is understanding Gartner’s data security posture management, which guides organizations in safeguarding data while ensuring it remains accessible to those driving digital transformation. The essential rule of the road is clear: protection of data is important but should not hinder its accessibility, ensuring both security and operational efficacy.”
Raj Rajamani: Leaders Urged to Secure Expanding Cloud Data
“Simply put, marketing and service leaders both need to know their data security posture at any given time. Data volumes in the cloud are always growing and constantly changing as businesses deliver new services to their customers. Marketing and service leaders need to know what sensitive customer data exists, what sensitive data is protected — and more importantly, what sensitive data is at risk and not protected. If leaders can’t see sensitive customer data, they cannot secure and protect it. Data privacy is heavily regulated these days by countries and states, so any failure to protect sensitive data results in significant fines and penalties.”
Protecting the Customer Data Going Into Gen AI
As generative AI systems increasingly utilizes customer data to drive innovation and personalized experiences, the need for stringent data security becomes paramount. Organizations employing these technologies must implement robust measures to secure and ethically use customer data as it is embedded in generative AI. The key to doing so is a transparent approach: ensuring that customers understand and consent to how their data is being used, with the ability to opt out if desired.
Matt Mills: Vendors Must Navigate Generative AI Data Challenges
“The regulations around the appropriate use of data are growing and changing rapidly. In the world of GenAI, the reality is while customers are more curious about how vendors are using their data, some customers want to incorporate sensitive data into a vendor’s solution to reach the right outcomes and achieve their goals. While a vendor can have sterile guidelines here, at the end of the day, it’s about making sure you are transparent with the customer, they agree with how data is used, and you are helping them securely achieve their business objectives. In other words, vendors must ensure they have a robust AI review and assessment process with all key stakeholders to ensure any decision to use customer data for generative AI is fully considered and that customers are informed of such use and have the option to opt out.”
Balaji Ganesan: Securing Data Amid Generative AI Advancements
“As Generative AI revolutionizes every aspect of work with its unique operational methods, the imperative to secure customer data utilized by large language models (LLMs) and vector databases is growing rapidly. Traditional data security practices are inadequate for these advanced technologies, prompting startups like Privacera to innovate specific solutions tailored for Generative AI systems. The goal is crystal clear: prevent Generative AI from becoming the new target for cybercriminals by ensuring data is used appropriately and securely, thus protecting both the technology and the data it relies on.”
Raj Rajamani: Generative AI: Balancing Innovation With Privacy
“Generative AI technology can be a powerful enabler for security teams, but this technology also raises critical privacy concerns. It is important for organizations to be thoughtful and intentional about what data — if any — is being shared with third-party entities. Users should also understand what data the large language models in their products are trained on and prioritize investing in tools that enforce role-based access controls to ensure appropriate use of data. Lastly, organizations should also consider how their products are protected against adversarial tampering, such as prompt injections or prompt leakages.”
Accessibility to Speed Transformation of Customer Interactions and Experiences
To transform customer interactions and experiences effectively, organizations must balance control with accessibility. Vendors should classify and openly communicate the types of data used, ensuring any personal identifiers are removed before usage for internal development and analytics. Enabling data scientists and key personnel to access relevant data is crucial for innovation and enhancement of services. This requires robust data governance practices that establish clear policies and pathways for safe data access. Coordination between CIOs and CMOs is essential to implement these practices, securing data while also leveraging it to drive business growth and customer satisfaction.
Matt Mills: Vendors Must Clarify Data Use and Consent
“Vendors should distinguish the types of data it uses and why. For example, most SaaS services providers will use customer data to improve that customers’ experience. They will also use usage data (with any identifying personal data of customer first removed) for internal development purposes and analytics. The key is ensuring that those working with the data like DevOps and Engineering, for example, follow the rules of the road and that customers are informed and consent to any use of data.”
Balaji Ganesan: Balancing Data Access with Security in Business
“Smart organizations recognize that while control is essential, enabling access to data scientists and other key players is crucial for transforming customer interactions and experiences. Good data security practices strike a balance, setting clear policies and controls while also defining clear pathways to access. With the buy-in of CMOs, justifying and implementing these practices becomes more feasible, highlighting the need for CIOs and CMOs to work in close coordination to both secure and leverage data effectively.”
Parting Words
In this article, we have evaluated with the help of our security executives the complexities of managing customer data in the cloud, emphasizing the need for stringent security measures and compliance with evolving regulations. This discussion underscored the critical role of transparency and informed consent in using customer data, especially with generative AI and other advanced technologies. We highlighted the importance of robust data governance as well and the collaboration between CIOs, CMOs, and other stakeholders to ensure data is protected and effectively utilized to enhance customer experiences. This balanced approach not only safeguards sensitive information but also drives innovative customer experience.
Learn how you can join our contributor community.
