Compliance Spotlight: William Hanning, CISSP, CISO

Marisa Polowitz

Associate Editor

Loyola University Chicago School of Law, JD 2023

William Hanning is Chief Information Security Officer at Groups360 and has close to twenty years of information security experience. Mr. Hanning has built and managed security programs in multiple industries and in organizations of varying sizes, including Fortune 100 companies. Here, he gives insight into the separation between data privacy and cybersecurity, the role of information security teams, and how cybersecurity relates to and supports the work of legal and compliance departments.

The following interview of Mr. Hanning was given in a personal capacity, and not as a representative of Groups360. As such, the statements made by Mr. Hanning reflect his personal knowledge, opinions, and experiences, and are not a reflection or representation of those of his employer or any other person or party.

Q: Please provide some background about how cybersecurity differs from data privacy.

In thinking about the realm of data protection and security, you have to first understand comparisons between the two, and then look at them as contrasting fields.

Information security is where the process began. It was about protection of data in both non-electronic and electronic forms against accidental disclosures. Cybersecurity is just the transition to focusing on security solely in the digital space.

Data privacy is looking at the elements of someone’s information and acknowledging that the individual has rights to remain confidential and protected from third parties. So, data privacy is solely focused around an individual’s rights to have their data anonymized, minimized, and only stored for use as is appropriate. And in some cases, to be able to have their data and their person forgotten as soon as that data is no longer relative to the collecting party/organization.

Q: Can you please discuss the overlap and role of cybersecurity teams in furthering the aims of data privacy?

Data privacy is usually directed by some type of regulatory requirement or contractual obligation of an organization. It’s more closely aligned with compliance, meaning that privacy is something you must adhere to. Security is what you can do to align with the compliance element.

I explain it to people by comparing it to how the United States government is structured – you have three separate branches for the executive, legislative and judicial. So, if you look at it through alignment to those branches, compliance is the judicial branch. It’s what you must do and provides the enforcement. Privacy is the legislative branch. It’s most closely aligned with legal departments in an organization and represents the why. And then security is the executive branch. It’s the “how” of doing those things, the administration of them.

Q: How do compliance and legal teams work with a cybersecurity team within an organization?

I like to think of this by viewing compliance and legal departments as the subject matter experts in the industry in which they work. They know what the requirements are, what the regulatory requirements dictate based on their state, country, and industry. For example, in the healthcare industry, an organization is subject to the Health Information Portability and Accountability Act (HIPAA) Privacy Rule, or in education the organization would be subject to the Family Educational Rights and Privacy Act (FERPA).

The security team is the key for how to achieve those levels of compliance. Legal and compliance departments will, as subject matter experts, know what is specific to the industry you work in. They know the letter of the law and know exactly what your organization must focus on. It’s their responsibility to carve out what the requirement is from the general white noise and create a document outlining the policy required. They then take those elements to their security team and say, “this is what we are trying to achieve, help us achieve that within the context of what we have, and help identify gaps.”

It’s then the responsibility of security to make recommendations on how to close gaps and how to best achieve those compliance and privacy requirements.

[Interviewer Note: In regard to types of data protected, that determination is made by the subject matter experts within compliance and legal departments, as is dictated by regulation. Cybersecurity then executes on that.]

Q: Is there a point at which cybersecurity decides on its own to create heightened or further protection of additional data, or is this really only dictated by the legal and compliance groups?

In an ideal world, cybersecurity would pick up where the regulatory compliance requirements leave off and look to further restrict or secure data elements within an organization thinking about the potential “what-ifs” or what could be, as opposed to what must be.

Q: Who, within an organization, is responsible for ensuring protection of data?

Depending on the vertical, or industry, and the size and maturity of an organization, the responsibility for data privacy, data compliance, and data security can reside within one individual or within one group. Or it can reside in separate groups that have a bit of overlap. It really depends on the industry in question as to the requirements to separate out the responsibilities.

For those subject to HIPAA, for example, the organization is required to have both a privacy and compliance officer as well as a data security officer, known as either a Chief Information Security Officer or Chief Security Officer, named for the organization. Under the General Data Protection Regulation (GDPR), the focus is on private citizens’ personally identifiable information (PII). Organizations that have to deal with GDPR are required to have a data privacy officer named specifically for that role, and that person cannot have any conflicts of duty when it comes to their regular job. So, in that case, you can have someone who works in the privacy side of the house, but they cannot be subject to any other stipulations under their job that could be a conflict of interest. In those cases, it is usually not a good idea to have your security officer also be your data privacy officer.

Q: What are some examples of basic cybersecurity measures that companies should or could take to protect their data?

It’s important to start with the basics, and not assume that the next best or new thing from a tools or platforms perspective is going to get you that much further along your data security and protection initiatives. The basics are what are important to an organization, and if you have strong foundations, you can build off of those to further strengthen and secure your program.

Some of the best things to do are actually free, and they are all centered around education and awareness. The more you can educate an organization and the people inside of that organization as to the importance of why we do these [security-related] things, what it means to your company, and what their role is to participate and strengthen those programs, that’s the most invaluable tool for any cybersecurity, cyber compliance, or data privacy practitioner.

Outside of those basics, focus on the things that make sense. Look at the roles in an organization and ensure that access is only being given at the level necessary. Always set permissions to the least permissive functions. So if someone is a data analyst, make sure they can only read the data they need to. Compartmentalize data based on job classification structures so employees can only see what is necessary to perform their job. A lot of organizations struggle with creating good role-based access policies. It’s low- to no-cost and low- to no-tech; it just takes time.

The next important area would be passwords. While some practitioners have decided that passwords are no longer an effective security measure, I’m still a believer in layered security defenses. So while a password may be a nuisance, it creates an additional level of complication for a bad actor, so it’s another step that can trip them up or slow them down enough to potentially catch them before they gain full access.

Q: Projecting a bit about the current and future landscape in cybersecurity, what do you feel is the most common cybersecurity risk to consumers?

I think that data privacy is number one – far too often people are willing to trade their privacy and anonymity online for a little bit of convenience, whether it’s to sites interacting with social media or to retail organizations that potentially track activity and save your data to target you as a potential consumer down the road. Individuals are really lacking this perspective, yet many of us have professional roles in the privacy and security realm and are practicing better security hygiene in our work environments. There needs to be a better alignment between people’s personal and professional lives in regard to privacy and security practices. If you wouldn’t do it in your personal online practice, why would you at work? And the same goes for the other direction – if you’re using complex passwords and/or multi-factor authentication for work, why wouldn’t you adopt it for your personal online practices?