Striking the Right Balance Between Data Agility and Privacy

Session Insights
Written by Kara Bobowski

Nick Halsey




Brett Cumming

Information Security Officer



Kimberly Ebright

VP & Chief Privacy Officer



Juan Morales

CISO, Global Information Security



With rapid innovation and continuous change becoming the norm for businesses, security leaders need to maintain consistent and centralized control of their data. But, they also must ensure that data authorization is agile, adaptive, and leveraged in a timely manner to meet business needs. A top priority for CISOs is striking this balance between data protection and security and its access for business insights and intelligence.

At the Global CISO Executive Summit, CEO Nick Halsey of Okera moderated a panel discussion on this topic with Brett Cumming, information security officer at Skechers, Kimberly Ebright, vice president and chief privacy officer at loanDepot, and Juan Morales, chief information security officer, global information security at Realogy.

Data privacy and security are mission-critical priorities for CISOs today, and many recent examples of privacy breaches keep security leaders awake at night. As Halsey pointed out, brands and executives are at great risk of financial and reputational damage from a privacy breach. Halsey shared these statistics to lay the groundwork for the data privacy discussion:

  • By 2025, 463 exabytes of data will be generated and shared each day

  • 76% of US employees have inappropriate access to applications & data

  • 65% of the world’s personal data is covered by privacy regulations (many different regulations)

Halsey also noted that data privacy regulations are multiplying, and a patchwork of regulations is developing by region. California has its own privacy regulations, for instance, and 22 other US states are considering it. “Existing technologies are flawed given the scope of the problem,” Halsey said. “You need a fundamentally new approach with policies that are defined once and applied consistently everywhere.”

Halsey shared three critical pillars of the Universal Data Authorization approach, including: 

  • Easier-to-define policy that is done centrally, but also has distributed data stewardship
  • Enforcing policies at enterprise scale in a modern, cloud organization
  • Central auditing and reporting, such as compliance reporting, auditing permissions, etc.

Integrating Privacy and Security

Halsey asked the panelists if they feel their organizations are playing offense or defense when it comes to integrating privacy and security? Juan Morales of Realogy said, “I wouldn’t say we are necessarily playing defense – more focusing on agility in using data as a differentiator moving us forward.” Juan also echoed the concern about states developing their own versions of privacy laws, saying that they are trying to find commonalities to help them comply. Kim Ebright said that her team at loanDepot tries to be proactive and work closely with additional internal stakeholders that track regulations. “We want to get issues in front of the leaders of the business, so there are no surprises for them,” she added.

It doesn’t work to wait for the next regulation to pop up.” 

- Brett Cumming

Brett agreed, saying, “What’s critical is not playing catch up and not only playing defense.” He is looking at the issue from a technology and people perspective: becoming more centralized on the technology front and taking a federated approach for interacting with data on the people front. 

Leading the Integrated Effort

The panel discussed who is – and who should – lead the effort at their organizations in mobilizing privacy, policy, governance and security. Panelists primarily had a cross-functional team of leaders collaborating on the issue – and most agreed that it can’t just be an IT or security initiative.

This is not a technology issue to solve – it’s a business issue.”

– Juan Morales

Juan said, “While some work is led by InfoSec or IT, it’s not a technology issue…. We start with deliberate messaging: this is not a technology issue, it’s something the organization is going to take on.” He added that it was important to create a partnership with legal and compliance. 

Kim added that her leadership team reports to the board quarterly to show progress over time and ensure that they understand the impact of the regulatory requirements on the company. She also noted that while it’s good to work from the top down, it’s also critical to keep all employees up-to-date on the threat landscape so they don’t unknowingly put customer and company data at risk. The panelists also agreed that it was important to work closely with security to give them time to implement any controls. 

Finally, the discussion touched on whether or not companies should have global requirements for their privacy policies or attempt to adapt to each region’s requirements. One participant commented that they were trying the global approach and the resulting impact to marketing was creating a “lively” debate. Brett noted that they have global standards, but “every region might have its own twist on a requirement.” As much as possible, they aim for a global policy.

To read more takeaways or join a discussion with CISOs from organizations around the world, visit the Global CISO Community page


Content adapted from the Global CISO Virtual Executive Summt. Special thanks to all participating companies.



by CISOs, for CISOs

Join the conversation with peers in your local CISO community.