Originally aired on October 16 @ 12:00 PM - 12:30 PM EDT
In an era of digital modernization with cloud computing, APIs, and AI, securing an organization while adhering to data privacy and information security legislation poses a formidable hurdle for most organizations.
In this informational panel presented by theNET, Emily Hancock, Cloudflare's Chief Privacy Officer, sits down to offer her point of view on a privacy-first security model.
She highlights the increased digital threat landscape and gives her top security recommendations for organizations dealing with evolving regulatory scrutiny while maintaining data privacy and compliance.
About Emily Hancock
Emily brings 25 years of experience practicing data protection law to providing strategic leadership on global data privacy issues, working cross-functionally with product, security, policy, and legal teams to advance privacy-first security.
Hello, my name is Jordan Lilly, and I'm here today with Cloudflare's Chief Privacy Officer, Emily Hancock, and Director of Risk and Compliance, Ling Wu.
We're here to have a conversation around how security and privacy organizations should partner together.
So first, let's talk a little bit about yourselves and your role here at Cloudflare.
Emily, why don't we start with you?
Sure. Yeah. Hi. So I've been here at Cloudflare for six years.
I head up the product, privacy and IP team. So that means I cover all the things related to product counseling as well as the privacy program.
Nice. Ling, what about you?
I've been here for about five years and I have three basic teams.
We're under the security organization and I manage validations and regulations teams as it relates to security.
And I also manage a security risk team.
So ensuring that we have a risk methodology, manage risk through its lifecycle, performing targeted risk assessments, enterprise risk assessments.
And lastly, I have a customer compliance component, answering all of our customers' questionnaires and questions about our security posture.
And then, yeah, and then being able to provide them assurance that we have really great security posture.
So how do the privacy and security teams collaborate with one another?
Yeah, we collaborate so well. We're so, you know, so we talk all the time.
I think we, yeah, we work on, so when Ling was talking about like the customer questionnaires, for example, when customers have questions, a lot of times it's a, their questions are security, privacy questions kind of intertwined.
So we collaborate on that.
We collaborate a lot on looking at vendors because there's security review as well as a privacy review.
And then we talk a lot about the certifications because some of the certifications are strictly security and some of them are kind of a combination of privacy and security.
And we even have a couple that are only privacy.
So we work together on a lot of that. And I think, I don't know, I'll let you talk about some of the localization stuff that we talk about with certifications, but we have to collaborate a lot to figure out what markets we're looking at and what the pressures are in those markets in terms of what the certifications want.
I think I kind of break it down into like two main buckets, like one related to we team up together along with our public policy team to determine like when we go into a new market or a new region, what do we have to adhere to from a privacy or security perspective to be able to operate within that region, to be able to actually do business within that region.
And we tackle it together just to ensure that we're both aligned because people don't want to hear from us separately.
We need to be unified. And then we also think about it from a customer's perspective.
We both get pulled into a lot of customer conversations to understand the type of information that they want to send over through our products and services.
And then with that, it may be, are you compliant with XYZ? Do you have this certification?
Can you send this type of information through our products and services?
And we work together to determine like, what does it take?
Do we already have this? Can we go after this new validation? And we'll work together on achieving it as well.
I know the landscape has become more and more and more complex, and it probably will continue to be more complex.
So how do you keep up to date with the increasingly complex regulatory landscape?
Yeah, we have a number of sources, like I said earlier, like we have a really good relationship with our public policy team.
So they get us in front of regulators to understand what is up and coming, what's changing, how do we get in front of the regulators to let them know, like, our thoughts as Cloudflare, as a cloud service provider, or even within the industry.
And that is super beneficial for us. We also, luckily, I have a customer compliance team.
So we hear upfront what their expectations are.
And we incorporate that as a source for us. And we also have really good relationships with our auditors.
Like, they tell us, hey, there's a new version of ISO that's coming up.
We're having changes, or there may be changes coming with PCI or FedRAMP or any of these validations that we currently have.
And they will also let us know what is new, what we should think about getting attested to, whether it's a new AI certification or something else. They keep us up to date.
It's great that we have all these sources. I think the last piece is, how do we get organized?
Right? Like, we keep everything within our common control frameworks, we map all the privacy requirements, we map all the security requirements.
I think very early on, Emily and I, like when I first started five years ago, we were talking about our roles and responsibilities.
And we, we decided, like, we're going to put all the privacy related requirements into the common control framework, because it will make it a lot easier for one source of truth.
And we decided to do so. And it makes things way easier for like our engineering teams or technical counterparts when they're asking us questions about what do I have to do to maintain compliance, we could give them both requirements.
I like one source of truth. I like that a lot. And what about you, Emily? Anything to add?
Yeah, I mean, it's really hard to stay on top of the regulatory environment right now, because pretty much, especially on the privacy side, every country seems to have some kind of data protection law.
And so, you know, my team and I are, we're just constantly reading, studying, talking to industry groups, trade groups, you know, our public policy team, as Ling mentioned, is really important in kind of being our eyes and ears out there to let us know what's coming.
The other thing that's really helpful is talking to customers again, because sometimes the customers actually are coming up with regulations that they're hearing about, maybe from their auditors, maybe from a sector, they're in banking or healthcare.
And that sector is putting out guidelines saying, well, if you're going to contract with a cloud service provider, you need to make sure you check these boxes.
So in addition to the legal landscape, there's also these different kind of guidelines that are out there.
And so what we've done is we've kind of taken from the privacy side, we've taken the GDPR, the European Data Protection Law, as sort of our benchmark for all the things privacy.
That's what's in our common control framework. And then as new privacy laws come up, we kind of plug those in to the extent that they may differ from the GDPR or create, you know, different requirements.
The other thing that's really new and harder to kind of keep up with is the increase in cybersecurity reporting requirements.
So this is kind of the flip side of privacy a little bit is, okay, you have a breach or you have an outage or something goes wrong, right?
And so there are new regulations there. We just had an SEC cyber reporting requirement go into effect in December.
There's a new U.S. CIRCIA rulemaking.
So they're looking at a new guidelines on how to report cybersecurity incidents.
And then in Europe, we've had something called NIS, and now we've got NIS 2 that's going into effect later this year.
So it's not just the data protection, and it's not just the certifications, but it's also these new cybersecurity reporting requirements that have really kind of sprung up in the last few years and put a lot of pressure on companies like ours to make sure that we are meeting those reporting obligations.
And then our customers are looking to us to say, can you help with that?
And unfortunately, in a lot of cases, we can, but that's also some pressure that we're getting in from customers to say, you need to be keeping up with these rules.
Wow. Okay. So meeting a lot of new obligations, basically.
Okay, well, great. So this has been really insightful. To wrap things up here, the one thing I wanted to ask is, what's just the one piece of advice that you would share with them, like short and sweet and simple, to kind of like get through their days and get through everything? Is there just one?
I mean, there's probably a couple for me.
One is like, just work together. Like privacy and security teams and the legal team in general.
And there are, I don't know why, but over the last year, I've heard from my industry peers that they don't have really great relationships with their privacy team or their legal team.
But you know what, we're after the same mission.
We are here to protect data. Why not be aligned? Why not work together?
Because our technical teams don't want to hear from us twice.
And they also don't want to hear from like two different types of requirements or things might be opposing.
They just want us to be unified. They want us to be together.
They want to be able to execute on one set of requirements and go on with their day, honestly.
My second piece of advice is probably just to hand over the requirements after you provide some guidance. This is probably more so for those who are practitioners in privacy as well as in security compliance: hand over those requirements after you give the guidance.
Like provide the guidance, but don't solutionize.
Don't solutionize it for the engineering organizations because they may not be able to adapt your solution in the environment.
It may not work. Also, like when you hand over the requirements, I feel like you're able to give them the sense of ownership.
Like it belongs to them. It'll work for them. It'll work for the environment, it'll work for the company.
So yeah, I think that's my second recommendation.
So I guess maybe I'll take two also.
So the first one is really kind of basic privacy 101.
But it's know where your data is, know what your data is, and know where it is, and know where it's going and what vendors.
Because all of the things that we were talking about, all these data privacy regulations, all of the cybersecurity reporting requirements, they all rely on knowing where your data is and where it's gone if it happens to leave the company.
And it's hard. It's a really hard challenge.
And so then on top of that, I guess I would say, you need to bring in really good security, because the best way to protect personal data is having really good security measures in place.
Now, some of those security measures, sometimes people are nervous because some of the security measures maybe seem like they impact privacy because they inspect emails, right before they land in an inbox to prevent phishing emails from landing in your inbox.
So it's really important to have the security measures in place to protect the privacy, think about the end goal, what data you're trying to protect, and then be really transparent with your employees about what security measures you're using, so they understand how that might impact the emails that come into their corporate account, or the browsing that they're doing on their corporate computer.
And so having that kind of like privacy first type of security is also really important when you're trying to protect the data of your customers and end users.
So Emily, you mentioned security is a really good way to protect personal data.
Can you elaborate on that a little bit more?
Yeah, yeah. I mean, so Cloudflare has a Zero Trust Suite, right? And that's our suite of services that helps organizations, usually corporations, protect their networks from bad guys getting in.
One of the ways we do that is something called our email security, also Area 1.
And that's a tool that allows us to scan emails as they come into employees' inboxes to look for phishing, any emails with malware, and then block them before they land in an inbox.
Because if somebody clicks a link, that's one of the easiest ways for bad guys to get into a corporate network.
So that's kind of one of those real life examples. And then talking to employees about that, so that they understand, you know, nobody's really reading your emails.
You know, it's a scanning that's looking for specific indicators of compromise.
That's one of the things that's really important. We also have WARP, which is looking at protecting the traffic as you're on your computer at work, and you're out there visiting the Internet.
If you go to a site that has malware or something bad, you know, we can protect against that.
And so these are the ways you also want to make sure that you're telling your employees, hey, look, this is what's going on.
And that kind of transparency, I think, balances the security measures that are necessary, that help us protect our customers' personal data, and then in turn, their end users' personal data.
Great.
Well, thank you both so much for your time today. And to learn more, go to Cloudflare.com slash data for privacy for security.