Balancing Privacy and Competitiveness in a COVID-19 World
Earlier this month, I had the pleasure of being a panelist on a virtual seminar, “Balancing Privacy with Competitiveness,” hosted by the Privacy + Security Academy. The ACT | App Association represents 5,000 tech companies like SentryOne and helps them understand legislation and navigate regulations in a digital world. I was joined on the panel by two other esteemed panelists and a facilitator. My job was to represent the challenges and costs associated with complying with privacy and data security laws with limited resources in a constrained economic environment where every dollar of investment needs to be scrutinized.
Larger companies are in a better position to create compliance programs and hire experts dedicated specifically to compliance. Theoretically, small businesses such as SentryOne are potentially at a competitive disadvantage when it comes to complying with privacy regulations. I would argue that being able to certify compliance with a strict privacy law is a major competitive asset. It shows we can compete with larger companies on responsible data stewardship.
Inventory Data to Mitigate Risk
Although we have less than 200 employees and about 3,200 customers, there is a lot to unpack when it comes to data privacy. We possess data about our customers and employees, and, because we have SaaS offerings, we store metadata in our hosted databases.
We are not a business application tech company, so we do not store personally identifiable information (PII), but because we are a database tools company, we might possess PII that is exposed in queries or column headers. In our End User License Agreement (EULA), we clearly state that we are not responsible for that data and that best practices dictate that customers should be careful not to expose PII through metadata.
Employee and customer data is a different matter. We routinely perform data inventory and mapping exercises to identify what data we possess, where it is stored, and how it moves among our systems. We conduct risk assessments and produce “threat” models to identify critical data and the ways it could be compromised, such as through data leakage, hacking, server failure, or corporate espionage. One of the many objectives in our information security program is to minimize and mitigate risks.
Because we do quite a bit of business in Europe, we coordinate closely with our outside counsel to comply with data privacy and protection regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and industry standards such as the Privacy Framework from the National Institute of Standards and Technology (NIST). We then set up a governance framework to lay down rules to ensure proper safeguards are in place to protect employee and customer data. Policies and communications codify these protections to ensure that all stakeholders involved are handling data responsibly. All SentryOne employees take an annual 30-minute online security awareness course, as well as a course on applicable data privacy and protection regulations, to ensure they are protecting company data, which is our greatest asset.
We also perform a Data Protection Impact Assessment (DPIA), which is a process to help identify and minimize the data protection risks of a project. For example, if we set up an Azure instance in Ireland, we need to understand how it will be secure for our German customers. Also, if we are running email campaigns across Europe, we need to be meticulous about what “opt-in” data we retain.
In addition, we have set up an incident response protocol to respond to data breaches. A common saying in security circles is that it is not a matter of if you are breached, but when. Speed is of the essence when it comes to unauthorized network infiltration, as indicated by this article, so preparation is key.
We have a full-time security engineer, who is one of our busiest employees. More and more of our customers are asking for a vendor security questionnaire to be completed and approved before they will do business with us, and, in some cases, long-standing customers are asking us to re-certify based on their own evolving guidelines. Between internal and external costs, we invest a disproportionally high amount compared to much larger businesses, but it is table stakes if you want to do business in a modern world.
Analyzing Data Lineage
One competitive advantage for the SentryOne team is that we have proprietary commercial technology that we sell for tracking data lineage and data flow mappings among internal and external systems. The product is called SentryOne Document, and it is one of the most popular products we sell. Most companies don’t document their databases and the flow of data between systems. We have database DNA, so we apply our knowledge to our own systems to give us tremendous credibility with our customers.
Continued Investment in Data Privacy and Compliance
When the COVID-19 pandemic hit us back in March, we evaluated all spend in the company, including the costs associated with data privacy and compliance, to prepare for a period of uncertainty and potential lower demand. All stakeholders, including customers, employees, and investors, insisted on continued full investment in data privacy and compliance. There were competing priorities for limited investments dollars but, in today’s world, data security and the protection of confidential data trumps all other priorities.
As CEO, Bob is focused on accelerated global growth for SentryOne, both organically and through acquisitions. Here he provides valuable updates on key company milestones and future strategic priorities. Check back often to read Bob's insights that offer a glimpse of SentryOne beyond the technology.