October 25, 2022

You cannot have privacy without security.

While they once existed quite distinct from one another, they are now so delicately woven that they are nearly indistinguishable.

Over time, the GDPR has cemented the relationship between physical security and information security, and now, it’s incorporating data privacy.

This compliance triad has become the new normal for businesses everywhere– but what does it mean?

Rosemary Martorana, Chief Privacy Officer at Corning, joined me to discuss the blurring line between privacy and security and why compliance may be more approachable than you thought.

A critical key to fostering a compliant security culture and enabling compliance is transparency.

Transparency does a few things for your business & security:
– Increases trust
– Decreases DSRs
– Limits phishing attempts
– Decreases likelihood of breaches

To hear this episode, and many more like it, we would encourage you to subscribe to the Virtual CISO Podcast on our YouTube here.

To Stay up to date with the newest podcast releases, follow us on LinkedIn here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

See Below for the full transcription of this Episode! 

Speaker 1 (00:06)

 

You’re listening to the Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.

 

Speaker 2 (00:24)

 

Hey there. And welcome to yet another episode of the Virtual CISO Podcast. With you as always, your host John Verry, and with me today, and I will probably butcher the last name. It’s a good Irish name, I believe, Rosemary Martorana.

 

Rosemary Martorana (00:39):
Oh, you nailed it, John, perfect.

 

John Verry (00:41):
Wow. I will admit, I practiced for an hour this morning in front of the mirror. Martorana, Martorana. So I always like to start simple. Can you tell us a little bit about who you are and what is it that you do everywhere?

 

Rosemary Martorana (00:55):

Sure, sure. So, great. Thanks for the introduction. So again, Rosemary Martorana, as you pronounced perfectly, and I am Corning’s Chief Privacy Officer. I’m originally from a small town in upstate New York called Cazenovia. And anytime you’re from a small town, you can’t wait to get the heck out. So I actually went and spent some time overseas, did my undergraduate degree overseas and came back, was living in St. Louis, Missouri for a while, and felt like I was wedged in the middle. And so decided to balance over to New York City, spent some time there completing my masters and stayed there, working some nonprofits for a while actually, before getting picked up by the Department of Homeland Security in New Jersey.

 

(01:37):
And so I stayed with the Department of Homeland Security in New Jersey as a counter-terrorism intelligence analyst. And I left in 2018 as the Director of Intelligence for the New Jersey office. And that’s when I made my transition to Corning. My mother was from Corning, New York, have family in the area, wanted to get out of that city environment. And so started with Corning as the global security compliance officer. And then in 2020, took on the role as Corning’s Chief Privacy Officer. And I’ve never looked back.

 

John Verry (02:06):
It’s an interesting story. Now the one piece that, I’m sorry, if you saw me smile during your, is Cazenovia, that reminds me of that movie with a girl is the princess of Genovia. Do you know… So if you have kids, you probably see this. I’m trying to remember what the girl’s name is that stars in it. I just had this image of you being introduced at the court as the princess of Cazenovia.

 

Rosemary Martorana (02:31):
Anne Hathaway. Yeah, exactly. Right.

 

John Verry (02:34):
Anne Hathaway. That that’s who it is. I think you’d look good in a tiara. Yeah. I don’t know if it’s a look you’ve tried before, but I think it would work.

 

Rosemary Martorana (02:40):
I don’t know I have worn a tiara before. I can’t say in what circumstance for the podcast, but yes, absolutely, Cazenovia, New York.

 

John Verry (02:50):

I didn’t know they had a princess. That’s why I do these podcasts. I learn something every day. So before we get down to business, I always ask what’s your drink of choice.

 

Rosemary Martorana (03:00):

So I tend to change with the seasons. So in the summer I tend to be a Tito’s and tonic with a lot of lime kind of girl. And then of course, living in the Finger Lakes region of New York, now you have to drink some wine. So fall season becomes wine season. And then our winters are way too long. So I usually hunker down in the winter with a bourbon or a port and then dry out in the spring. How about that?

 

John Verry (03:23):
I think you and I could drink together three seasons. I don’t know what your fourth season is, but I have a hunch could do it.

 

Rosemary Martorana (03:28):
We’d figure it out.

 

John Verry (03:30):

Because all of those sit in my sweet zone. How are the wines in the Finger Lakes region? I was mentioning it to you earlier that I was out in the Hamptons and drank some Long Island wine. And I was surprised at the quality of the wine coming out of Long Island. It’s been a long time since I drank it. Finger Lakes region, where would you slot their wines?

 

Rosemary Martorana (03:49):

Fantastic. So I would say somewhere in between Napa and Long Island. They have a great variety of white wines. They’re up and coming in the red space, but the Finger Lakes, the soil, the acidity and the environment just make the white wines fantastic. I would say at times if you were to do a blind tasting, I bet bet they could contend with the Napa wines. So pretty good.

 

John Verry (04:12):

So chard, sabs? If I’m going to try one, because now I’m going to look for one.

 

Rosemary Martorana (04:18):

Sure. So I would go with either a Sauvignon Blanc, a Pinot. I’m not a Pinot actually, because that’s kind of the other-

 

John Verry (04:27):

Pinot Grigio or Pinot Noir.

 

Rosemary Martorana (04:29):

I would go with a Pinot Grigio and then actually if you’ve never had a Gewurztraminer or something like that, that’s always a good-

 

John Verry (04:34):

I’m not a sweet guy.

 

Rosemary Martorana (04:37):

Okay. All right. So I-

 

John Verry (04:38):

I’m a sweet guy, but I mean I’m not a sweet wine drinker. And this is going off the rails fast. We should really get to privacy because at this point, people going, “What the hell is going on in this podcast?” All right. So thank you for coming on. And privacy is a big issue. So from my perspective, we used to have what I often refer as two very disparate worlds. You had privacy and security. And I think with the introduction, most notably of GDPR and then CCPA and then APAC and then VDPA, I think that they’re rapidly becoming more integrated, for lack of a better term. On a daily basis, my job at Pivot Point is I jump on the phone and chat with people about challenges they’re having. And privacy is increasingly that challenge that people are having.

 

(05:30):

There’s a lot of hesitation and concern and discomfort because these folks often are information security practitioners. And now they’re being asked to do something which is not in their wheelhouse. So you have a very interesting career where you’ve been in security and compliance and you’ve been in physical security. So at some point you were at the same point that discomfort, hesitation, fear, and you’ve made your journey very, very successfully. So that’s the premise of today’s show. So let’s start. Could you define what you think is both the differences between, and also what the relationship is between privacy and information security?

 

Rosemary Martorana (06:14):

Absolutely. And it breaks my heart a little when I hear people hesitate or get uncomfortable when we talk about privacy. Because if you think about it, at its most basic level, information security is protecting against the unauthorized use of information and then mitigating those risks. And now let me just tweak that statement slightly and say protecting against the unauthorized use of personal information. So now you’ve just crossed into the world of privacy. So the two are so intertwined to your point. You can’t really separate them and you can’t have one without the other.

 

(06:49):

So there really shouldn’t be this sense of discomfort if it’s done correctly. And what I mean by that is it’s less about the work and more about, I guess, three things, is one, making sure you have the right relationships with your key partners, your information security teams, your law departments, et cetera. Understand your corporate risk tolerance. In other words, where is the corporation going? What are they trying to do? And where are they comfortable in each of these spaces? And then of course focus on the true purpose of the regulation. I think sometimes people get so hung up on the detail of the regulation. They forget how to actually implement it and put it in practice. And so yes, it can be uncomfortable at first, but I think if you follow those three guardrails, you find yourself in a more comfortable place. And again, you can’t have one without the other anymore, to your point. They’re all going to be intertwined.

 

John Verry (07:43):

Yeah. So I love what you said about the alignment and understanding the business objectives. Because I think whether it’s information security or privacy, that’s one thing sometimes we get lost in not doing. We’ve got to take that first step back and say, “What are we trying to look at?” Because it doesn’t matter if you’re secure and private if you’re no longer an ongoing, successful, healthy concern. So we’ve got to always do things that way.

 

(08:02):

I think the hesitancy comes into, I love that old adage, there’s no growth in your comfort zone. Information security now is a relatively mature field. A lot of people have been in it for, like myself, a long time. And what happens is I think you’re in your comfort zone. And there’s a much higher legal component. And I would argue that there’s a fear of a much higher compliance component that I think is the source of that discomfort.

 

Rosemary Martorana (08:31):

And I’d agree with that. I think, of course, with these regulations come some pretty hefty fines that make people wary. They’re not sure always how to interpret the rules that are set forward. And again, those rules can be nebulous. Those regulations are, they’re not always written with the utmost clarity that a lot of our information security professionals would like. And so I think that becomes the uncomfortable space people find themselves in.

 

(08:57):

I think having said that though, and you made a good point. I want to just circle back on this is the business is the one that the privacy and the information security folks trail behind. So to your point, having a healthy business model and then working closely with those business teams is going to be critical to be successful in the privacy space. I think there’s a lot of, I don’t want to belabor the point of being uncomfortable in this space, but it is a new space. It’s a nascent space. People are still trying to navigate and find their way, but it is getting better in the sense that there are opportunities to learn how other corporations are doing things and how they’re doing it right. And so I think we’ll start to see more of that in future years too.

 

John Verry (09:46):

And I think we’ll also see the privacy skillset grow in information security practitioners, whether they like it or not. And I think you’ll start to see more people become CIPPs and things of that nature, which is if I’m right Certified Information Privacy Professionals.

 

Rosemary Martorana (10:01):

You got it.

 

John Verry (10:04):

Okay, good. So the first time we chatted in talking about what the podcast should cover, you did something very interesting. I was talking about this idea of information security and privacy prior being two fields becoming rapidly integrated into one field. And you blew my mind a little bit because you said, well, don’t forget about physical security. It’s really three fields condensing to two. And intuitively my first response was, “I don’t see how physical security ties to privacy.” So I’m curious as to, if you could, we talked about that point.

 

Rosemary Martorana (10:39):

Yeah, and I actually think physical security and information security were married long before data privacy joined the party. In fact, you can see a progression over time. So for instance, most regulations started with physical security controls, like limiting access to certain spaces. And then we added those information security controls, so now limiting access to certain systems within those spaces. And now we’re seeing data privacy layered on top. So protecting who has access to certain information within those systems within those spaces. So it’s almost like concentric circles. And I really do feel that you just can’t have one without the other.

 

(11:18):

And it’s not just in the regulatory program space either. We see this with insider risk programs or intellectual property protection programs. You really need all three physical security, information security, and data privacy baked in, in order to have that successful program. So I really think it’s that three-legged stool. You can’t have one without the other.

 

John Verry (11:46):
So as someone who’s very experienced and knowledgeable in physical security, one thing much you haven’t heard a lot of talk about is how we’ve heard about the implications to information security, about the pandemic and the move to the cloud and the work from home. One thing which I don’t think we hear enough about is what are the implications to physical security of the last few years worth of transition to cloud and transition to work from home?

 

Rosemary Martorana (12:17):
Yeah, so I think probably the impact has been less impactful than the information security side if I had to place one above the other. The work from home, obviously that moved people out of those physical spaces where we could actually see where they were by using badge access controls, things like that, CCTVs. And we’re reliant more on those programs where we can now see how our employees are thriving and where they’re successful using online platforms. And so I think with the pandemic, we saw a transition in that space.

 

(12:56):
I will say, we as a corporation, at least at Corning, we got a little creative with our physical controls when it came to the pandemic. So for instance, in New York state, there were certain requirements around making sure that people were at testing to not having COVID-like symptoms if they were going to enter a facility. And so we would leverage some of our physical security technologies to make sure we were able to comply with that regulatory requirement. So I think you saw during the pandemic people getting very creative in all of their applications, both online and physical controls in order to contend with this new atmosphere we found ourselves in. So I think you’re going to see more changes like that. I think the physical security space is becoming the more nimble and adapting to what we’re seeing in the information security space.

 

John Verry (13:55):
Interesting. And your thoughts on whether or not physical security controls in people’s homes should or should not be a concern for an average information security professional?

 

Rosemary Martorana (14:10):
That’s a great question. I’ve never really given that too much thought, but it’s interesting because so much of what we do both at work and at home, we find ourselves having those… I think people for lack of a better word, they just don’t have much insight as to what those information security controls are at their home level. I think they know how to turn the locks on the door, but they don’t necessarily know what all these systems within their homes are necessarily connected to or how people can access that information. So it should be a concern. I just don’t think most of us think about it regularly.

 

John Verry (14:41):
Yeah. It’s one of those things that floats around, and I don’t hear a lot of talk about it. So when I had an opportunity to talk with a physical security person, I thought it would be an interesting question to ask. So we talked about the legal component and you come at this, not from that legal and compliance side. So how do you address the legal elements? Because GDPR is a law and there’s interpretation of said law, and that’s the domain of the JDs. So how do you address the legal elements?

 

Rosemary Martorana (15:21):
Yeah, absolutely. And so you’re absolutely right. My background is more in compliance, physical security and then touching on information security. And so when I took this role, that was the first thing that came to mind was I am not a lawyer, nor do I ever intend to be a lawyer. But the great news of course here at Corning is we do have fantastic in-house legal counsel. And I lean on them every day. And for a multinational corporation like Corning, we also have, of course, in region counsel that we lean on. And I lean on them every day for interpreting those regulations and helping to put up guardrails as to what we can and shouldn’t be doing. And we also have great regional counsel that can help with those issues as well.

 

(16:09):
Because I think what Corning did early on was made a conscious decision that they wanted to, we wanted to build a privacy program, and while lawyers are great at telling you about regulations and interpreting those regulations, they aren’t necessarily the tacticians on how a corporation is going to confine themselves to those regulations, which is where I tend to thrive.

 

(16:35):
And so we thought seriously about how do we want to build the program and what do we want to do to be able to sustain the program? And so Corning instead chose someone with some more project management skills, program management skills who really wants to be in the trenches. So if I had to flip your question maybe a little bit and looking back over the last several years since I’ve been in this role, if I were to look for a CPO, there’s a couple things I would look for. Yes, it’s important to have maybe some experience looking at regulatory requirements, but I would also look for some soft skills, someone with that intellectual curiosity, the ability to problem solve or those analytical skills. And then finally solid communication skills because they have to be able to transition between talking to the lawyers, talking to the C-suite and then talking to the businesses on how we’re going to do this and how we’re going to do it well.

 

(17:32):
So someone who is comfortable being uncomfortable, isn’t risk adverse, understands their corporate culture, of course, and then has the backing to be bold for lack of a better word. To me, that law background, if you can surround yourselves with those lawyers, you really don’t need that I think, to be successful in a position like this.

 

John Verry (17:54):
Yeah. That’s an interesting answer, because I’ve asked similar questions to other people about other roles and I’ve gotten the same answer effectively. You replace Chief Privacy Officer over there with CIO or CISO. And it’s really worth doubling down on this idea that information security is intended to do two things. It’s value creation and value preservation. I think most of us tend to focus on value preservation, risk management. The information security people are here to do one thing, make sure we don’t get hacked or reduce our risk of getting hacked. Yes, that’s a primary function. But if you limit your field of view to what that’s supposed to do, the question you should be asking is how can information security and how can privacy enable the company to achieve its business objectives and growth and things of that nature.

 

(18:40):
So I love your answer because what you’re basically saying is those skill sets are the skill sets that are going to allow you to align your information security and privacy programs with the businesses longer term objectives are going to be the ones that you should be prioritized.

 

Rosemary Martorana (18:56):
That’s right. That’s right. Yeah. And I think just to add to that, one of the things I always tell my team is that we will never say no to an ask of the business, but what we will ask them to do is help us make sure we wrap that security bubble around them. So of course we know the teams want to move. They want to move quickly. So how do we then ensure that they have the appropriate security controls in place to be successful? And I think that’s really key. And I think that’s why our businesses at Corning, they come to us early and they come to us often. So that we’re a part of those initial conversations and we can architect things appropriately so they can move forward and advance the corporation.

 

John Verry (19:42):
Well that’s because you’ve taken a, we’re not going to be a speed bump approach, which is what a lot of people in corporate America perceive information security as being. They’re a speed bump. There’s someone who’s going to get in the way of what we’re trying to accomplish. But what you’re saying is say, we’re going to partner with the business. You can’t be crazy. You have to live within certain risk tolerance guide rails, but we’re going to find a way to do that in a way that’s going to… And that’s that magic of communication that, and I love this, a line that says the biggest challenge in communication is the illusion that it has occurred. And I think what you’re talking about is with the right skill set, you don’t have those illusions.

 

(20:28):
As you noted, you have a very unusual background for someone in your role. You come out of the intelligence world at DHS. You were involved in physical security. You’ve been involved in information security, then compliance. So I’m assuming that each of those has in some way potentially contributed and positively influenced the work you do as a CPO. A, is that right? And B, how so?

 

Rosemary Martorana (20:51):
Yeah. First of all, anyone who’s had a linear career path is kidding themselves. If you’re good at what you do, you thrive in the uncomfortable and in the unknown. And I really like problem solving. And in each of these spaces, you’re really doing just that. In other words, how do I add the appropriate physical or information security controls in order to address the need to be compliant? Or how do we leverage privacy by design to meet the needs of the customer while still being compliant with data privacy regulations? So it’s just taking what you’ve learned in your story past and adding on.

 

(21:30):
Additionally, I think working in the intelligence community, you constantly find yourself leveraging the past to predict the future. So how will this recommendation inform a decision and what’s the impact? And I think that’s applicable across all these fields.

 

(21:46):
And you also start to recognize that you can and certainly will be blindsided at some point. I think that happened to me several times when I worked in the intelligence field and it happened to me in 2020 when we had the privacy shield invalidation, is how are we going to now contend with what’s in front of us? And so I think I’ve really enjoyed every part of my career to date. I’ve never found myself in a situation where I hated my job in any way. And I think each of those experiences and the people you meet along the way certainly influence who you are and who I am today as a CPO.

 

John Verry (22:25):
So Corning is a large company with lots of groups and divisions doing lots of different things. And I know that when we work in even a smaller company, the idea of getting to an accurate data map is exceptionally challenging. And then once we do have a data map that is recollected, let’s say, and we start to find things that are outside that, even harder is how, the only constant is change. So as context changes, every new application, every new project, every new client, what happens is our data maps change. And in a company as large as Corning, I can’t imagine that that is easy to stay on top of that. So increasingly we’re seeing cool technologies like OneTrust built in some data discovery. I just chatted with the big ID folks. They have a really cool product for doing automated data discovery and maintenance of data maps. How do you find leveraging? Are you using your leveraging technology, both from a data discovery perspective? And also we starting to see folks doing DSAR Automation, servicing these Data Subject Access Requests now. So how important is the automation to you guys?

 

Rosemary Martorana (23:44):
Yeah, no, you hit the nail on the head. So Corning is again a multinational corporation. Today we have about 61,000 employees in 150 locations spanning across 30 different countries. And not only that, John, but we also don’t just produce one thing. We’re in five market access platforms. So you can imagine what that means for our data flows. So yes, we do leverage assessment automation tools and data mapping tools to help manage and understand and process where our data is at any given point in time. And we’ve worked very closely with our information security team to understand some of the information flows as well. In terms of DSAR requests, those Data Subject Access Requests, fortunately for Corning, we are not a, I’ll say a customer facing organization. And so we tend to not have as many of those, knock on wood. And so what we’ve done is we’ve really focused our efforts around understanding our data flows, and we tackle those DSAR requests in a more manual fashion.

 

(24:59):
And so one piece of knowledge that is still, would be understand where to apply technologies within your organization and where technology maybe isn’t as better served. And so certainly, because we do talk to other companies that are looking at how we’ve put in automation practices. And I always advise people, make sure you understand, again, what your company does and where you really can best apply those technologies before you open that checkbook.

 

John Verry (25:36):
Yeah, no worries. I always like to say right train, wrong track. So one of the things these days, you need to be provably secure and compliant. So how do you demonstrate the maturity of your privacy program to key stakeholders when they ask?

 

Rosemary Martorana (25:52):
So today Corning, we’ve had a privacy program in place since about, predates me, about 2012 is when Corning started to really focus on what privacy is and what that means for the corporation. So very early on. And in all things we’ve been completely transparent about our privacy program. So today Corning operates under a binding corporate rules framework. So what that means is we have the ability to transfer data internally throughout the corporate enterprise and to show success. And how we do that, we do make sure we audit all of our entities regularly to ensure they are compliant with our BCRs.

 

(26:33):
We also have done a lot in the last several years with our supplier review procedures. So making sure who has access to our data at any given point in time, what they’re doing with that, and then how we’re going to manage that thereafter. And we’ve really taken pride in our customer interactions, both internally and externally with certain engagements. And we made sure that for our stakeholders, they understand what our privacy practices are at any given point in time.

 

(27:01):
So I think if I were to measure the success of a program, I would do it on a couple different things. So it’s the internal teams and customer engagement, which happens early and often. So as we spoke about earlier, internally our businesses come at us very early when they’re looking to Institute new PR process flows or practices. And similarly, we get involved early with our supplier and vendor management processes. The one thing I also measure the success of our program, and it’s not necessarily a quantifiable success is when we get accolades from our external customers and vendors, appreciating the amount of rigor Corning has around data privacy and its vendor onboarding space.

 

(27:45):
And then finally, again, we get a very limited amount of Data Subject Access Requests. And I think that speaks to our transparency about what we’re doing with our employee data, our customer data and everything in between. So I think it’s important to have, of course, KPIs that measure the success of your program, but then some qualifiable successes as well along the way.

 

John Verry (28:11):
It’s an interesting point you bring up. And I think that’s a point worth drilling in a little bit on. I think if you have that transparency up front and you do what you say and you say what you do, I think you do two things. I think the people that might have a legitimate reason to file a DSAR don’t believe that they need to. You’re not evil. You’re not using their data in a way which wasn’t intended to. And then the second thing I think is that many of the DSARS that I’ve seen are people fishing and looking for people that are not compliant and it’s a form of ransomware. So I think what you did by doing what you’re doing, being that transparent and demonstrating the maturity of the program in a visible way, I think you’re eliminating the likelihood of DSARS. Correct?

 

Rosemary Martorana (29:05):
I think that’s absolutely right. Yeah. And so I think to your point, certainly as soon as the new employees come into Corning, they understand what our data privacy practices are on day one. And so they know how Corning will manage their data throughout its life cycle as an employee with our corporation. Similarly, we provide that transparency to all of our customers, vendors, and suppliers up front too. And again, I think that just allows for communication. It allows for people to understand what’s going on with their information and then in turn limiting those requests, because to your point, I think if you shield what you’re doing with people’s data, that’s when people get a little squishy. They want to know what exactly you’re doing and why you need access to certain information. So being upfront, transparent, communicating regularly, especially if there’s any changes to how you’re going to manage that data is really key.

 

John Verry (30:02):
So what would you say the biggest challenge is for you and/or for other folks that are sitting in your position?

 

Rosemary Martorana (30:10):
So challenges, the first thing that comes to mind is just all the contending regulations that are at play. So it used to be back in 2018, you had GDPR. That set the global standard for how companies were going to have to start managing information, personal identifiable information. But since then you’ve had a onslaught of new regulatory requirements coming out of different nation states, different states within the US, et cetera. And so how as a data privacy organization, do you start to wrap your hands around all of that. And I’m not going to pretend to have the answer to that. We’re still learning about how to manage that, understanding of course, I just read a statistic the other day that by 2023, 60% of the world’s population will be under some sort of modern data privacy regulation. Doesn’t sound like a lot, but that’s a lot considering where we’ve come from in just the last few years. And so I think the biggest challenge is going to be how do people manage all of these disparate regulations we see.

 

John Verry (31:19):
I was going to ask you the one saving grace potentially. Would you agree that at least the vast majority of the ones that I’m familiar with have leveraged GDPR to some perspective, so they all seem to be variations on a relatively consistent theme.

 

Rosemary Martorana (31:35):
Yes, I would agree with that. I think GDPR certainly put the foundation in place and now most people are leveraging that and then adding to it. And so I think if you’re GDPR compliant, you’ve got a great foundation, but don’t [inaudible 00:31:52] laurels on that. Think about how other nations or states are going to be adding to that baseline.

 

John Verry (32:00):
So I’m going to ask you to do my job for a second, because I’m going to record this. It already is being recorded. And I’m going to use your answer because I don’t usually have the best answer for folks. So a lot of times we talk with, like I said, I’ll jump on a call and a common scenario is I’ve got a lead information security, a CISO or a director of information security. They’re working in a small to medium size enterprise. So they’re not going to be 60,000, but let’s say they’re 4,000 or 5,000 people. And they’re like, “Hey, I just got this data privacy addendum from one of our key customers. And the CEO is sitting on my desk and telling me that unless we can demonstrate that we’ve got a good privacy program, we’re going to lose this client.” So take me through how you would say, “Hey, here’s the plan. Here’s what you need to do.”

 

Rosemary Martorana (32:53):
Yeah. That’s tricky. So I would say first of all, start by understanding what the corporation has in place today, if anything at all, right. And then start to benchmark where you need to go. The data privacy community, John, is still so small and people still want to share best practices and watch outs and successes. And I think I would say, of course, if you have the opportunity and the time and the latitude, benchmark with other people, leverage resources, like IEPP to make those connections and understand how other people have established programs or answer that knock by the CEO at their door.

 

(33:40):
I think the other part of that is also understanding what is the company’s footprint and what’s the risk appetite? So in order to build a [inaudible 00:33:52], you have know what the baseline standards are going to be. So I’d start with that as well. It’s never a situation you want to be in when it’s a two-day turnaround by any meet. You hope you get the latitude to think about how you really want to institute a program or the capability holistically, but we’ve all been [inaudible 00:34:13] difficult. And so I would start by talking to folks in the field, understanding where you can get some short term or immediate successes and go from there.

 

John Verry (34:22):
And as you pointed out, this is not something that can be done in two days. And that’s probably the first thing to level set with the COO. It took us n years to get to this position. It’s going to take us a while to get out. Just going through data, really I think gaining that clear understanding of what information you’re getting, where you’re getting it from, how it flows through your organization is the critical first step. And that process takes time and setting that expectation, I think, is something people have to understand.

 

Rosemary Martorana (34:54):
Now I was just going to add to your last comment. It feels like it’s going to be insurmountable to establish program and figure out where those data processes and data flows are, but you have to start somewhere. And now is the time to start if you haven’t, because again, this field is growing. The regulations are only be going to become more daunting. They’re going to become more detailed. And so start now so that you aren’t sitting there with the CEO staring at you and trying to figure out where and how to begin.

 

John Verry (35:29):
And as you pointed out, you’re fortunate to be in the B2B space. A lot of our clients are in the B2C space, which is, I think even a more challenging place because as you pointed out, the likelihood of a DSAR as a B2C organization is significantly higher than is a B2B.

 

Rosemary Martorana (35:46):
No, nothing I can think of. It’s a topic you can talk about and round table for hours, but we’ll have to do that in subsequent podcast.

 

John Verry (35:57):
Sounds like a deal. So give me a fictional character or a real world person you think would make an amazing or horrible, I usually say CISO, but I’m going to say CPO or DPO and why.

 

Rosemary Martorana (36:11):
All right, let’s see. I’ll start with who I think would be a successful CPO. I give you two answers to that. The first would be MacGyver, because sometimes you’re given duct tape and bubble gum and asked to figure out how to do the impossible. And so make sure you have the ability to think outside the box. The other one I always think about is, not sure if you’ve ever seen Shawshank Redemption, but Andy Dufresne. So again, you have the resources, you know the structure you find yourself in. How are you going to get from point A to point B successfully? So those would be the two amazing CPOs I think could do the job.

 

John Verry (36:51):
So first off, neither one of us are old enough to have watched MacGyver when it was on, so we just pointing out to everybody that you and I both watched it on Nick at Night or something like that. And then the second thing is Shawshank Redemption-

 

Rosemary Martorana (37:04):
That’s right.

 

John Verry (37:04):
Absolutely one of my favorite movies. And the crazy thing about Shawshank Redemption that you would never expect if you didn’t know this is, Stephen King, it’s based on a Stephen King novel. Normally he writes all of the paranormal, crazy scary stuff. Shawshank Redemption, obviously not being in that. And it just turned into an absolute, Morgan Freeman and Timothy Robbins in that movie are just ridiculously good.

 

(37:32):
Listen, this has been a ton of fun. I very much appreciate you coming on. Rosemary, thank you.

 

Speaker 1 (37:39):
You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at info@pivotpoint security.com. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.