Mediaplanet: What kind of changes have you seen in Canadian organizations and their outlook on data security in the past year?

Robert Herjavec: Canadian organizations are maturing when it comes to data security requirements. There’s a clear understanding of the threat landscape and the need to balance multiple layers of technology along with processes and people for a proactive cyber defense. The recent communication around the Canadian federal budget commitment to cybersecurity is another example of how the Canadian market is reinforcing the value of threat intelligence and the development of talent. We’re used to hearing that Canada lags behind the US in terms of cybersecurity preparedness and technology adoption, but we’re seeing strides in terms of third-party service adoption (including Managed Security Services and Identity Managed Services), emerging technology adoption, and a proactive stance to get ahead of compliance requirements — all of which are very promising.

MP: How should Canadian enterprises manage the security of their data with the upcoming implementation of the General Data Protection Regulation (GDPR) and amendments to PIPEDA in May?

RH: Canadian organizations need to be aware of how these compliance directives impact them and their customers. There are serious implications for non-compliance. Failure to comply with GDPR, for example, results in significant penalties — a £20M fine, or 4 percent of annual turnover, whichever is greater. It’s common that companies say “oh, GDPR is a UK policy, it doesn’t apply to me.” That’s not the case. GDPR is a proactive reminder that all enterprises engaging with the data of a UK natural person — no matter their corporate location — should proactively assess their security postures in terms of their visibility, controls, and scope.

MP: The recent media explosion of Bitcoin and cryptocurrency in 2017 has more people understanding blockchain technology and the security benefits it provides to the financial industry. How can enterprises leverage blockchain technology to secure organizational user data?

RH: There’s been a lot of talk among cybersecurity professionals about using blockchain for identity and access management in the coming years. Instead of different institutions controlling different pieces of an individual’s personal data, it will be the individual that controls all that information. This allows us to present the minimum amount of identifying information needed to make a secure transaction. However, blockchain isn’t a complete cure-all solution for enterprises. Executives with security responsibilities should do their homework and engage with firms deep in blockchain technology. Deploying and leveraging this new platform will require a major investment and experienced staff from the mid-sized to large organizations investing in it.

MP: When it comes to securing user identity and sensitive data, how do you define the difference between identity management and access/authorization management?

RH: Identity management is the program that governs who a user is within an organization. It summarizes the access tied to each user’s identity and controls what they can access, when, and for how long. Some access may be privileged at an admin level or may be non-privileged. Authorization management is the granting of those various permissions.

MP: How can adoption of trusted digital Identity and Access Management (IAM) solutions prevent or eliminate large-scale breaches?

RH: Safeguarding user identities and managing access permissions across the enterprise is one of the biggest challenges faced by security teams. Poor IAM leads to data breaches, causing financial damage and reputational harm.

Organizations require a solution that aligns identity governance with privileged access management to not only meet both policy and regulatory compliance — but, more importantly, to avoid falling victim to a devastating cyberattack.

MP: Do you think enterprise executives should be fully knowledgeable on the topic of data security? Why?

RH: It’s a must. Enterprise executives have a responsibility for the protection of their businesses in terms of financial reputation, brand reputation, and overall customer credibility. Cybersecurity is not an IT-specific problem. It’s a business challenge that requires investment, commitment, and training company-wide. There has to be governance at the executive and board level that monitors each organization’s progression on cyber initiatives. In the event of a cyberattack, it will be unacceptable for C-level executives to blame the IT department. Everyone must report on it and be responsible for it.