October 10, 2022

Last Updated on February 23, 2024

This show marks our 100th episode of The Virtual CISO Podcast. It’s been an insightful journey, creating opportunities to have frank discussions with thought leaders that provide the very best information security advice and insights.

On this momentus episodic occasion, Dimitri Sirota, CEO & CoFounder of BigID, joined us to walk through BigID’s approach to privacy, security, and data governance. We dove into the shifting environment of data privacy and security and how technology plays a major role across industries.

You can’t have privacy without security—and today, you need a consistent display of transparency alongside those measures to foster good customer and employee relations as a company.

What does it take to meet those expectations, and how does that break down on a case-by-case scale?

The merits of gathering data beyond the usual locations and why traditional methods aren’t cutting it anymore

The conventional forms of tracking and reporting personal data are inefficient and often inaccurate. An individual or team has historically manually sifted through massive amounts of data to identify a subset of known repositories where personal data resides.

When a customer requested the data that was stored on them, employees would investigate only the areas where they believed such data was held. Unfortunately, this requires a significant time investment and fails to recognize the information employees are unaware of. But you can’t find what you don’t know to look for.

BigID recognized this problem and set out to fix it.

“We built a whole new set of technologies that allows you to look across your entire data estate and pick all those morsels of information and tie it together into this graph belonging to an identity.” — Dimitri Sirota

Leveraging an automated system that can explore in seconds places that would otherwise take a person weeks results in a more complete and accurate picture of captured data in far less time. Plus, a faster automated approach reduces the extent to which the data changes while you’re searching it.

You can’t truly attain privacy or security until you know what data you hold, where it is stored, and how you can protect it. Therefore, moving away from traditional methods of gathering data is essential to meeting stakeholder demands and maintaining a strong competitive position.

Discovery as the foundation of protecting sensitive and personal data

Creating a cutting-edge approach for data collection, storage, management, and retrieval for your business is often easier said than done. However, the core of any effective data protection is in the discovery phase.

“Whether you’re looking for regulated data, sensitive data, or metadata, it’s all about discovery.” — Dimitri Sirota

Dimitri argues that, regardless of context, data is data at the end of the day. So whether you’re taking the lens of personal information, GLBA, SOX, PCI, HIPAA, or otherwise, the processes and tools utilized in one context can often be effective elsewhere.

BigID built on this understanding to universalize the data discovery process.

While BigID started with a focus on privacy data, they were able to expand significantly beyond that. They built the capability to allow organizations to gain visibility into the data that matters to them in a range of contexts, whether that be business analysis, data security, regulatory reporting, etc.

Creating efficient and effective data collection systems

Beyond building a tailored data discovery system, Dimitri offers advice for creating a baseline privacy program for your organization.

Start with automated data mapping and inventory, he suggests. If you don’t understand your data clearly, you cannot adequately protect it.

Next, transparency is crucial. People have data privacy rights, such as knowing what data is stored about them, how it’s used, and having the ability to remove it. Creating a system that is transparent internally and externally greatly simplifies reporting for regulatory reasons and accessing data to meet consumer requests.

Businesses should also create a communication system that enables people to reach out via portal, chat, email, phone, or messaging.

These aspects create a strong systematic foundation to build a data privacy program.

Next, Dimitri suggests investing in assessments. This will validate security practices required by regulators and identify essential security functions. Then, once your bases are covered, you can begin weaving in more complex requirements like consent, cookie management, and more.

While specialists can do some of these things manually, creating a well-protected system in a quickly-evolving digital world requires technology.

“It’s impossible to foretell the changes in data. You know email is changing, your file folders are changing, your Snowflake is changing. For those environments, you have to have technology because you can’t map it manually.” —Dimitri Sirota

Data security and privacy programs can no longer rely on traditional measures. Instead, starting at the roots of data mapping and inventory, implementing automation, and continuously assessing to confirm your apps and systems meet your specific organizational needs will result in optimal data security systems and processes.

What’s next?

To listen to the podcast episode on The Two Audiences For Privacy & How They Drive Data Collection, click here.

ISO 27701 Certification Guide

Discover what you need to achieve ISO 27701 certification! You are 6 simple steps away from "provable" compliance with every Privacy regulation.