Data Sovereignty: Decoded.
22 / 01 / 2024
More than 70% of countries now have data and privacy regulations in place. We sat down with Andreas Wuchner, former CIO of UBS, to discuss today’s challenges in data sovereignty and how businesses in the pharmaceutical and financial sectors can address them.
Today, with a changing threat landscape, an economic downturn, and regulatory challenges across industries and regions, ensuring secure and compliant data processing is more complex than ever before. Data laws and regulations vary around the world, making it difficult for companies to balance compliance and good data governance with their strategic goals.
The United Nations Conference on Trade and Development (UNCTAD) reports that over 70% of countries have legislation in place for protecting data and privacy, and the acronyms for these laws, such as GDPR, LGPD, PDPA, and CCPA, are becoming more and more recognisable. Among others, the financial services and pharmaceutical industries are particularly affected by emerging data residency and security regulations that have a significant impact on operational efficiency.
To explore the nuances and peculiarities of data governance and protection in these sectors, we sat down with Andreas Wuchner, former Chief Information Officer at UBS. With over 25 years of experience at renowned organisations including Novartis Pharmaceuticals, Deutsche Bank, and Credit Suisse, and a compelling track record in all aspects of IT security and risk management, Andreas offers a unique take on the current state of data security.
In this interview, we delve into Andreas’ vision for safeguarding data, exploring similarities in compliance rigour between the pharmaceutical and financial services industries, the impact of the pandemic on security teams, the role of innovation in cross-border data transfers, and other nuances in global operations.
Q: Andreas, you have an extensive background in both the pharmaceutical and financial services industries. Could you give us a brief overview of your experience and how it shaped your vision of data protection in particular?
A: I believe that everyone who has worked in a regulated environment has had a similar experience. On the one hand, there is the real world where we need to secure our infrastructure, our companies, and our data; on the other, there is compliance where regulators continually exert pressure on us.
One thing you learn very quickly is that compliance doesn't mean security at all. Ticking boxes does get you out of trouble, but that doesn't mean that the company will be safe and secure.
Another aspect is that there's never enough budget to do all the things you think you should be doing as a security leader. So, you always have to keep your priorities straight to get your highest risks covered in return for the resources used or money spent.
There is also a constant dilemma between compliance requirements and opportunities to raise efficiency and empower employees. What I understood is that if the system is extremely secure, most probably, it is far from being user-friendly. The biggest takeaway from my experience is that security is always about prioritisation and balancing.
Q: Do you feel like there are similarities in terms of compliance rigidness between the pharmaceutical and financial services industries?
A: Yes, they are very, very similar. There are differences in the details, but the topics they care about, such as reliability management, identity and access management, and threat monitoring – they're all the same. The policies and procedures might differ, but security and compliance fundamentals and key objectives remain invariable.
Q: From your point of view, what factors played the biggest role in changing the perception of data sovereignty and security in these industries over the last few years?
A: When JP Morgan was fined $200 million by US regulators for communicating with clients via WhatsApp, it made everyone realise that no matter how big and reputable your company is – if you’re not enabling your employees to do their jobs efficiently – you’re likely to face compliance issues.
In order to prevent behaviour that can lead to compliance breaches, organisations need to implement solutions that will empower their people and help them do their daily tasks in a straightforward, easy way. Everyone is willing to comply with data security policies and requirements as long as they're not completely counterproductive.
So, I believe that companies’ approach to data security changed when they realised that strict policies are not enough to ensure resilience and eliminate workarounds. There’s more to avoiding compliance fines than just ticking boxes.
Q: According to the IBM Security Cost of a Data Breach Report 2023, the average total cost of a breach in the financial and pharmaceutical industries reached $5.90 million and $4.82 million respectively, putting them in the top three industries by cost.
One of the things that makes these industries so attractive to bad actors is the amount of sensitive data they collect, process and store. Do you believe that their data security policies are evolving fast enough to stay one step ahead of the ever more sophisticated methods of cyber criminals?
A: I see it as a race, where companies are ahead of the curve for the most part. But remember that hackers only need to get lucky once – once the system is compromised, they can collect the data and assets they’re interested in and roam the network freely for a certain period of time before they get caught.
This being said, I believe that security is a journey, not a destination. Technology keeps evolving and organisations continuously upskill their security and compliance teams in order to defend against new attack methods and techniques and potential regulatory breaches.
Think of it as street traffic. Is it safe? Not always, regardless of whether you’re walking, driving a bicycle or a car. But is it safe for the most part? Yes, it’s pretty safe. You can never fully control the actions of other drivers and pedestrians, and the same is true for the IT world. We’re only responsible for our own security measures, and everyone is certainly doing their best to create robust defence architectures.
Q: What role does innovation play in safeguarding data storage, access and transfer, given the increasing role of compliance?
A: The real value of innovation is making processes better, faster and more efficient for businesses.
When talking about cross-border transfers and data localisation, the tools that companies currently have in mind or in place will not solve the problem or minimise compliance risks. Addressing these issues requires innovation brought by companies like Valarian whose solutions cannot be mimicked by existing tech stacks. They integrate seamlessly with existing business collaboration tools to ensure security, compliance and efficiency without making things hard for end users.
Q: How can companies get employees on board with new security policies and innovative solutions?
A: I believe that employees will always do everything in their power and interest to do their jobs right. If companies introduce new tools or processes that are easy to use and increase efficiency – there is no doubt that employees will use them.
On the contrary, if new policies and tools impede employees’ ability to be successful, this will most likely lead to the use of workarounds. So for me, the best way to get employees on board is to make their lives easier and enable them to do their jobs.
Q: But what should security leaders do in cases where employees’ workarounds are putting organisations at risk? What is the most effective response to this type of behaviour?
A: That's the reason why organisations need risk management to monitor and detect the areas where potential danger lives.
It is important to have a culture where people can speak up and where things get on the table before they escalate. We live in a free world and we want to keep it this way, so we need to trust people. To maintain mutual trust, security leaders need to enable employees to voice their concerns about what policies or tools are not working. This way, issues will be solved before they can cause any damage. This approach is much better than just ignoring existing problems.
Q: In the context of global operations, what are the nuances that executives must take into account when creating proactive frameworks for data security and resilience?
A: If you look at this year’s priorities for CISOs, you will see a strong focus on localisation and geofencing of data. Regulations around these issues have been around for some time, but it's only now that companies are paying huge amounts in fines that it’s really starting to hurt.
Today, it is essential that organisations have visibility and control over where their data is located, who has access to it, and how it is being processed. It is becoming more evident than ever that CISOs need to have a strong strategy in place with policies that start from the business itself and end with providers, third parties, and all the steps in between.
Q: As a security leader, what technologies do you see as most promising at the moment and are most excited to see develop in the near future?
A: I believe that our complexity is killing us. Let me explain.
Most financial institutions have somewhere between 11 and 15 security agents installed on their employees’ endpoints. This approach leads to far too much complexity and overload, making it so hard for organisations to do their job well and causing a shortage of security personnel.
So, something I wish to see develop in the near future is simplicity, clearer data regulations and more seamlessness.