#BeCyberSmart: What’s in a name? Defining Data, Cybersecurity, and Privacy
October is officially national Cybersecurity Awareness Month. Now in its 18th year, this important tradition continues to raise awareness about the importance of cybersecurity across our Nation. As the name suggests, this Department of Homeland Security initiative seeks to “ensure that all Americans have the resources they need to be safer and more secure online.”
Throughout the month of October, McAfee & Taft is partnering with industry colleagues to share cybersecurity ideas, tips, and videos. These resources are designed to both educate and empower. We hope you will join us in this month’s journey to do our part and #BeCyberSmart.
In the first of our #BeCyberSmart video series, McAfee & Taft cybersecurity and privacy expert and attorney Joshua Snavely discusses what defines data privacy, data protection and data security with special guest Chad Thiemann, privacy director and senior director of Security Operations for CVS Health. They also differentiate privacy versus cybersecurity, and talk about why companies and business leaders should care about these issues.
About our guest
Following 14 years of active duty and national guard service as an Army Logistics Officer, Chad has worked in Corporate America for over 20 years. He has served in various roles spanning cybersecurity, IT audit, privacy, and risk management. He worked for Arthur Andersen and Schering-Plough Pharmaceuticals before arriving at CVS Health. He also is an Adjunct Professor of Cybersecurity for Dallas Baptist University’s Graduate College of Business.
Chad has undergraduate degrees in MIS, Computer Science, and Operations Management & Logistics from Boston University. Through the military, he completed various graduate level programs in leadership, strategy, and logistics from the Army Logistics Management College; Command & General Staff College; and the Naval Postgraduate School. Additionally, Chad has a graduate certificate in “Cybersecurity: Technology, Application & Policy” from MIT and an Executive Masters in Cybersecurity from Brown University.
Joshua Snavely: Welcome to our series on “Be Cyber Smart.” As we highlight and celebrate National Cybersecurity Awareness Month, we’re excited today to welcome a colleague and friend of mine, Chad Thiemann, who’s all things privacy and security at CVS Health. He’s the current privacy director, but also the interim senior director of Security Operations, and in my view, there’s no one better that understands both sides of both cybersecurity and privacy, and we’re honored to have him and have a good discussion today. And so just want to kick it off there, Chad, with a little bit more about you and your background, how you got to where you are and some of your responsibilities at CVS.
Chad Thiemann: I have a 20 plus year background in a variety of things, both cyber security and privacy, as well as data governance and risk management across international consulting arena, healthcare, pharmacy, and DOD and the US Army. Today, I currently serve, as you mentioned, in two capacities as a privacy director and senior director of Security Operations for CVS Health.
Joshua: So perfect to answer my first question to you since you sit on both sides of the house, that we hear these terms used a lot, right? Security, information security, cyber security, data privacy, data protection, right? So help our viewers, those who will be watching this, help us understand, you know, when we say privacy, in your view and all that experience, what are we talking about?
Chad: Broadly speaking, privacy, the right to be let alone with the freedom from interference or intrusion. And information privacy is the right to have that control over how your personal information is collected and used. And why should companies and business leaders care about that? Because in today’s regulatory environment, whether it’s the state, federal, or international level, there are significant regulatory obligations with regard to ensuring customer or employee privacy, not to mention it’s the right thing to do in terms of customers’ trust.
Joshua: I know I’m not the first person to say this, but wanting to see if you agree at where we’re headed from a business standpoint. I truly believe that data is the new oil, that it will drive business decision-making for the next 100 years, and you see a shift from, you know, big oil, big manufacturing, to now, I think, nine of the top 10 companies in the United States are all technology-related companies. And they deal in data, which often means we’re the customer, right? Or whoever the business is, so would you agree with that assessment? Sort of, where do you see business headed from a data standpoint?
Chad: The forthcoming possibilities with regard to how we can leverage data to run businesses and grow revenue and customer bases is absolutely paramount right now to the point where organizations are collecting data en masse, in many cases, without even knowing what they’re gonna do with it today. They know that it has some intrinsic value. They may not have figured out how to apply that value or intrinsically derive the value from the data sets, but people are going about collecting as much data as possible with the intent of using it for some purpose in the future, which is dangerous in and of itself, both from a privacy and cyber security perspective, because the more data you collect, the larger your attack surface becomes, the larger the population of data you’re then tasked with securing and protecting grows. And those are tough feats to handle, especially with the fact that data collection is growing disproportionately these days.
Joshua: So you used, I think an industry phrase in there, I want to sort of dive into for just a second. Something that when I’m talking with clients is a focus, is that attack surface and what that means for them and how they reduce it or understand it as it is, you know, defined for their business or their industry. Tell me a little bit more about that phrase, what you mean by it and, and why a business should care about what their attack surface is.
Chad: Your attack surface is anywhere and everywhere you work collecting, storing, or perhaps sharing data that has value or regulatory implications. Quite frequently, you will see maybe a website will intake data on your customers. And then that data set will be copied internally. It’ll go to the digital team, the mobile application team, the marketing team, finance and where you may have had initially one data set to secure and protect, now you have eight copies of that same data set, which could amount to terabytes of data. It’s in eight different locations. You have a vastly larger swath of individuals who have access to that data. And in some cases it may even traverse in and outside the firewalls of your own network. It could be at vendor partners, it could be in the cloud. And as you intake this data replicated internally and externally, share it with partners, that is, in effect, increasing your attack surface and the amount of security measures you need to bring to bear to secure and protect that data. And it’s difficult because resources are finite. And as attack surfaces grow, your ability to deploy proportionate controls diminishes.
Captioning/transcript provided by Rev.