Data Protection in Québec, Local Experts Voice Their Opinion (Part 3)
In this series of blog posts, I will relay information I collected from interviewing some of the most prominent leaders on data security and privacy in Québec. These experts have different backgrounds, expertise, and job titles. However, they all provided insightful thoughts on data protection. With the data protection and privacy laws getting more and more prevalent and stringent, practitioners and leaders may have a hard time focusing on what truly matters. I wanted to write this series to provide value to colleagues in the industry. At the end of the day, it’s always good to hear what others are doing and, more specifically, leaders in the domain. Hopefully this series provides ideas that can lead to the development of better policies and practices in your respective organizations.
In the last installment of this series, I had the honor of speaking with Sara Anvari, CISO at BDC, and Cédric Brossard, former CISO of Fiera Capital and Air Transat.
Sara emphasizes the necessity of foundational data protection controls, which organizations often overlook. She asserts, “The basic controls are among the most important: data classification and management, an up-to-date inventory, a catalog of data owners with clearly communicated roles, a culture of least privilege access, and a systematically applied data tagging scheme.” She highlights that these are essential before implementing more advanced cybersecurity frameworks like ‘defense in depth’.
When asked about the most common privacy incident in her experience, she replies that it’s information oversharing by individuals who lack the appropriate methods of working and are not malicious by intent, leading to unintentional data leaks. Sara uses a metaphor to describe building effective preventive controls in cybersecurity: “A powerful river doesn’t stop flowing just because of a dam. It might carve a new path around it, erode the dam over time, or even overflow it.” Cyber controls are very similar: we should guide the river (the users) rather than try to stop it, because stopping it is counterproductive.
On what makes an effective privacy officer, Sara believes in a dual understanding of technology and business processes to anticipate needs and recognize the value of information assets. She advises fellow CISOs, “Data is often the most valuable asset of an organization. Remember that threats, regulatory environments, technology, and business priorities evolve, so adapt your data protection approach accordingly.”
Cédric shares his comprehensive insights on data protection from his experiences, including his role as CISO, Associate Partner, and Director in a Big 4 consulting firm. Addressing the seriousness of GDPR and Law 25, he observes, “The financial, legal, and reputational impact becomes really significant,” yet he notes a disparity between public claims of compliance and actual prioritization, attributing it to a lack of understanding of the risk. He suggests robust measures: “Organizations should appoint a Data Protection Officer who should work closely with the Chief Information Security Officer, IT, and business sectors.”
On the topic of frequently overlooked controls, Cédric emphasizes the importance of the 18 basic controls from the Center for Internet Security (CIS), lamenting that “asset management and vulnerability management are often poorly deployed.” For more mature organizations, he recommends implementing automated attack simulation controls and establishing a ‘Purple Team’ to maximize the efficiency of cybersecurity programs. Sara added her two cents by emphasizing that basic security hygiene, such as patching and protecting IT assets, is not a luxury but rather the foundation of any cybersecurity program.
Discussing the use of disclosed data breaches for third-party risk management, Cédric confirms its utility, though he notes the incomplete nature of such data. “It’s already the case, although not all organizations report their incidents,” Cédric explains, advocating for rigorous due diligence when engaging in business relationships that may include IT integrations.
Finally, Cédric outlines the ideal traits of a good privacy officer: “A good DPO must foremost be a leader, familiar with the organization and regulations and should effectively collaborate with the CISO and IT departments.” The DPO’s legal expertise should be clearly established, supported by legal counsel where necessary.