Broadcasting January 26, Last Thursday in Privacy is a livestreaming experience that takes global audiences to the heart of the issues defining today’s digital landscape.
Martin Gomberg is Privacy Consultant at Cyberite LLC. Leveraging a wealth of sector experience, Martin was a CIO for a global media network for nearly two decades and has held multiple senior roles in Privacy and Security in private and US governmental capacities.
Martin will be appearing exclusively at Last Thursday in Privacy to discuss best approaches for instilling a company-wide culture of Data Protection, Security and Compliance.
→ Hear more from Martin Gomberg in the panel discussion: “Tell The Board They’re ALL A Key Priority: Compliance, Data Security and Data Protection”.
Time: 20:00 – 20:45 GMT | Date: Thursday 26th January 2023
Below, Martin elaborates on his career to date, and introduces the issues going under the microscope in his session at Last Thursday in Privacy.
Could you outline your professional pathway so far?
As the ‘Privacy CIO’ I advise companies on Privacy, Data and Business Protection. I write frequently on leadership and maturity, and am the author of CISO Redefined. My book speaks to leadership, risk, and business protection in the broader context of security, privacy, continuity, operational management, and compliance.
I frequently consult and speak about why privacy and security projects struggle or fail, where the disconnects are with the way business is done, and how to mature privacy and security programs.
Every business has internal barriers to adoption and success that need to be identified and cleared. Privacy is not solely a legal problem for an operating business, but too often is approached that way and struggles; nor is it solely a technical security issue.
As a finance industry technical strategy executive and advisor, CIO for a global media network for almost two decades, founding member of the CIO Executive Council, a global CISO, a privacy, security, and incident preparedness specialist, and chair of both public and private enterprise security and privacy committees, I have worked with more than 70 companies globally, of all sizes, structures, and in all industries, to bring a business, risk, and operations perspective.
Of course, there is a certain audacity in assuming the moniker of ‘The Privacy CIO’. I apologise, but it was deliberate and purposeful. As I scan the online forums and privacy groups, it is very capable and incredibly informed lawyers and specialist privacy professionals that dominate the conversation, and to a lesser degree the CISO. Much of corporate leadership is virtually absent. Important voices are underrepresented, and, equally, important perspectives and unique capacities.
It’s not enough to say we have leadership support. Whether privacy, ethics, security, diversity, inclusion, sustainability, or any other quality of maturity by which a business can be measured, only corporate leadership holds the levers and the language to clear barriers, shape corporate culture, and engrain core corporate values.
How big a problem is it to get C-suite and senior management to take data protection, security, and compliance culture seriously?
Businesses exist to succeed and to thrive. There isn’t such a thing as corporate leadership that doesn’t take data protection, security, and a compliance culture seriously. If there were, natural selection would address the issue.
But what would be the right indicator that these very important issues are taken seriously? Is it just investment? It is easy to throw money at a problem, but how do you know how, when, and where to make investments, on what, and how to determine their success, locally, or across an enterprise? Or at a minimum see evidence of directional progress, across lines of business, or over time within any one area, or across the enterprise from any investments made? If more investment is needed, what, when, where, and how much is enough?
Focusing solely on investment is short-sighted. Every company has barriers to success, whether security, privacy, ethics, continuity, or any other quality; whether it is resistance, divergent approaches, reach, regulatory differences, technical barriers, or simply poor and ineffective uptake.
As I said above, it is corporate leadership that holds the levers to clear the barriers and has the voice to set the tone and message. The power of the CEO saying ‘I can’t express enough how important this is to our brands and to me personally’ to dissolve barriers cannot be understated.
But amidst competing agendas, opinions, risks, and opportunities, how can compliance and business protection bring the right messages forward to help leadership to assume that voice, craft the right message, and take the lead? It is only by putting the message and the need in the context of the business in a way that can gain leadership consensus and the needed support (board, investors, or other) for executive action.
Every business has a natural architecture or shape, and you can illustrate it simply. It may be wide at product sourcing with multiple centres from which to draw product, less so but still open at product assembly with multiple and adequately separated centres available to perform that function, but narrow and constrained at fulfilment where assembled product is shipped and held for distribution to markets.
Expressed this way, exposures are very tangible to a company that is revenue-dependent on the speed of its distribution and so an argument to decentralise fulfilment may be viable.
That decentralisation will require increased investment in securing these geographically separate facilities, and the telecom between them, is an equally reasonable argument. Further, that crossing state or other geographic boundaries will introduce additional compliance, tax, and operational requirements, and that recruiting and hiring in new states and possibly opening new markets brings privacy and data protection and potentially breach and consumer requirements, is all understandable.
The sum of the new costs can be weighed against the risk. Prudent decisions can then guide executive action. Granted, this was a comprehensive scenario and was intended as such. Neither the board nor company leadership should care if you opt to use Survey X or Survey Z as the marketing tool of choice. They should care if we are getting effective consumer feedback.
Companies are different and are structured differently: public or private, local to multinational in size, scope, and reach; they may or may not have operating boards, and the type, size, and capabilities of those boards, and the extent of their knowledge or available specialised advisement, all vary. So too vary the culture and personalities of the board and the leadership team.
Equally, who communicates to the board and how, directly or through other board members, executives, or contracted advisors, whether in person or in writing, and how frequently, may be dictated by industry regulation. And so, I would argue that C-Suite and senior management, and the boards that guide them, certainly take data protection, security, and compliance seriously, but to influence them to action, and to advise them so that they can best structure the tone and voice, the message needs to be the business.
Could you summarise best approach strategies when it comes to building a company-wide culture of data protection?
We should advocate and promote an ecosystem of ethics and compliance. We should care about our consumers’ data and rights in the same manner that we care about our own, and embed that value in every transaction or interaction.
We should encourage adoption of those core values we want as defining of our brands. We should see our purpose as the protection of our business in all aspects, not just effective security, or privacy compliance as our objective.
We tend to treat privacy, security, business continuity and other areas of compliance as different. We see them that way, fund them that way, and we staff them that way, duplicating effort, duplicating investment and spending, and retracing ground.
Having had oversight of all of these facets for about twenty years as a CIO, I find that view inefficient, but common. Data protection and privacy require that we inventory and identify the processes that collect and manage personal data: where it flows and is stored, its controls and limits, and with whom it is shared, on the ground or in the cloud.
Data security requires that we know what data we collect and where it is so that we can apply the right controls and make the right investments, of the right size, in the right places, wherever that may be. If we don’t know what we have and where, then how can we protect it?
Business continuity examines and documents all the critical processes that we perform, data that we collect, ownership, and our areas of potential risk, and assures we have thought through and tested the needed safety and protections.
It is likely the best lens for examination of structure, process, workflow, relationship, and organisation available to a complex business. Our environments have become complex, our pace fast, and we have become specialists. Stepping back and bringing each of these to the table to share efforts in common from my perspective is prudent. The sum of the parts is greater than the whole. The goal is an ecosystem of compliance. Our purpose, a protected business.
The event unites thought leaders and subject matter experts for a deep-dive into the Data Protection and Privacy landscape, Data Minimisation, ESG, Compliance, and much more.
- Session: Insider Threats: Tell the Board They’re ALL A Key Priority: Compliance, Data Security and Data Protection
- Time: 20:00 – 20:45 GMT
- Date: Thursday 26th January 2023
Last Thursday in Privacy is also available on-demand for global viewing.