One of the challenges for enterprise in the year ahead is how to best manage the thin and fragile line between privacy and security: the two sides of the digital information sword.
In a recent Computerworld Malaysia interview, law firm DLA Piper's Hong Kong based partner, Scott Thiel, said: "Malaysia's Personal Data Protection Act 2010 (PDPA) [which came into force on 15 November last year] introduces a broad privacy regime in Malaysia for the first time. Prior to the PDPA, there were few requirements and little restrictions concerning personal data protection. Businesses and organisations that operate within and through organisations in Malaysia need to be aware of these changes, as even usage of equipment in Malaysia that processes [any] personal information would be subject to the Act."
During my meetings throughout 2013, the impression given by many firms was that the PDPA is more about 'consumer-based operations and not really the concern of technology enterprises and the like'.
Thiel said most companies are unprepared with a 'dangerous wait-and-see attitude' and face significant compliance challenges especially with the free flow of data, BYOD, mobile working and cloud computing, which are ongoing change drivers as we move deeper into 2014. "As we have seen in other jurisdictions [countries] that have implemented first generation privacy laws, many businesses will find that they have a long way to go to become meaningfully compliant and over-estimate their current level of compliance." Businesses have until 15 February 2014 to be compliant.
Trying to maintain some semblance of information security in an online globalised world, with increasing cyber crime, hactivism and state-inspired attacks, is the other side of the sword. President Obama's February 2012 cyber security executive order also becomes final in February 2014. The National Institute of Standards and Technology (NIST), which held a fifth workshop in Raleigh, North Carolina in November last year, has struggled with key issues surrounding security and privacy as stakeholders help to execute the framework.
Computerworld journalist Cynthia Brumfield reported that one privacy and cyber security expert, Harriet Pearson of Hogan Lovells, prepared an alternative privacy methodology based on feedback she received from a number of top critical infrastructure asset owners, which she presented during a topic specific session at the workshop. "This alternative methodology strips down the privacy requirements to those strictly related to cyber security issues already addressed in the framework core. Most of the major critical infrastructure providers involved in the NIST effort can agree on this alternative methodology, the privacy attorney said."
Industry adoption of such cyber security frameworks is complicated by the linking of identity with security in systems. "Identity is the new security," another Computerworld journalist Eric Knorr wrote in his November blog listing 2014 trends. "A wild exaggeration, but the fact is that identity must now stretch to fit both on-premises and SaaS applications. Managing who has access to what-and deprovisioning employees when they leave the company-is becoming both more essential and more complicated. Without cloud identity management, enterprises can't adopt public cloud solutions safely and effectively."
Getting the balance right will be just one of the challenges we face as we move through the mega trends this year: the team here wishes you a truly successful 2014!
- AvantiKumar, Editor, Computerworld Malaysia & Malaysia Country Correspondent for CIO Asia, MIS Asia