Dwight Doscher, Director of Security and Compliance at Stride Health, shares his insights with Divebell’s CTO, Jeremy Mailen, on all things privacy and security. Dwight brings a holistic perspective to the table — he’s worked as a practitioner, consultant, and vendor — as he provides thoughtful answers to Jeremy’s questions.
This is a two-part conversation. In this first installment, Dwight talks about the interdependence of Privacy and Security, the cultural difference between the two, striking the right balance between business needs and privacy regulations, and how to build a successful career in compliance and security.
The Interconnectedness of Privacy and Security
You’ve had an exciting career in that you’ve worked on both sides of privacy and security. You’ve worked for solution providers and been in regulated industries requiring tight compliance, which you have implemented. How has that given you a different perspective, and how have you been able to use these experiences?
One of the significant differences between myself and someone who has yet to come down this career path is a fundamental understanding of how privacy and security are interconnected. This is especially true for risk management, which is the end goal of both privacy and security teams, and giving recommendations to businesses on risk exposure generated by what they are trying to do.
“When it comes to protecting data, privacy is the why and what, and security is the how.”
I started telling people when I worked at Flatiron, and have continued to do since, that privacy is the ‘why and what’ — why are we protecting something, and what are we protecting? And then security is the ‘how’ — how do we protect the data by implementing the technical, personal, and operational controls to ensure that protection?
Understanding this is part of a lifecycle and an evolving model allows for more flexibility when discussing solutions. Security professionals can be a tad rigorous sometimes. While the industry has moved beyond that, some remnants of that rigor remain. We want to provide flexible solutions that incorporate both security and privacy considerations.
The Culture Difference Between Privacy and Security
Have you encountered any situations in your career where there’s a cultural or understanding gap between security people and privacy people? You mentioned these differences earlier when discussing the why, the what, and the how — being good at locks and doors and being a gatekeeper versus understanding the nuance of the legal system and the company’s business. These are two equally essential sides, but they probably lead to interesting real-world events.
Anytime you have a privacy team that is unclear or struggling to define what data needs to be protected at an organization, it can create issues. This is a challenging feat. Different companies operate in different ways with data. Coupling and decoupling of information through the lifecycle create very complex problems for privacy teams. And while privacy makes those decisions, security cannot wrap their hands around protecting that information. I’ve seen this happen at several organizations, especially as they change their views on how they want to use data.
It is a constant re-evaluation even as both sides figure out how to unlock more usefulness for the information for the organization and lessen rigor and hurdles. But it becomes tough for security without clear definitions and an overall strategy. Security then has a choice to make — whether to treat a specific piece of information as unclassified and lessen the controls around it, or to go the more extreme route of providing controls based on the most sensitive information until the privacy team clarifies its position on this.
Security is paid to ensure that there aren’t any data breaches to the best of their ability.
And when there’s ambiguity around whether or not something is sensitive, most security professionals, myself included, would default to more robust controls. It is difficult to change established behavioral patterns, and pulling back on controls is simpler than trying to create strong controls after the fact.
Balancing Marketing Needs with Data Privacy and Security
Tightening, restricting, or loosening — these decisions cause the conversations. A healthcare company that I know was primarily doing clinical work. They wanted to start sharing some recommendations around health care — emailing customers or sharing more personalized information related to their health history. The engineers created the backend product to help them do this, opening up new boundaries for certain kinds of information. Have you been in similar situations where people unintentionally create risk for the organization?
This is a common problem because marketing always wants to unlock more ways of reaching out to individuals.
Providing clients’ assurances around data security and privacy while still delivering services is a tricky balance, and it must be worked through multiple times. The challenging moments are when you reach a point that genuinely tests the corporate philosophy on data protection. At this point, taking a step back and involving the senior leadership is good.
“Providing clients’ assurances around data security and privacy while still delivering services is a tricky balance...”
I’ve tackled these situations by talking to the organization heads and sharing that data needs to be unlocked for marketing to create mailing lists and more personalized conversations. But to do that, we need to understand how much information the company is willing to unlock, for what purpose, and how the company wants to notify the individuals that this change is coming.
Nowadays, the latter part is more manageable, as this can be done by creating opt-outs. We work with our customers to help them understand why we need this information and allow them to back out.
Yeah, for sure. Consumers need to read and review several things and click a checkbox. Companies are getting better at making concise, explanatory screens. There’s talk about doing something akin to the health labels you see on the back of the food at the grocery store, where it explains to you very clearly what the nutrition of this thing is.
Yes, privacy is all about transparency. If you look at privacy regulations across the board, there are some clear restrictions. The way forward that accommodates these restrictions while being able to use the necessary data is to be transparent, honest, and know internally what you’re doing with the data. Once that is clear, you need to clearly and effectively represent how you plan on using this information and allow the consumers to remove themselves from the conversation.
Three Keys to a Successful Career in Privacy and Compliance
What are some do’s and don’ts for someone who wants to be on a similar career path as you?
Number One — to do well in compliance and privacy, just be ready to read extensively. If you like reading and updating your knowledge regularly, figuring out the rules of games, and then getting in front of your peers to show them how to play the game — helping them understand where the rules do or don’t allow them flexibility and how best to move forward — then this is something you’re going to enjoy doing.
Secondly, to succeed in this job, you must enjoy teaching and educating individuals in the organization. That’s a big part of the role, whether at a junior or senior level. The type of education you provide might differ for a C-level or VP-level professional versus someone at a managerial level.
Lastly, I recommend focusing on building relationships, both within and outside the organization. While there are many different ways a compliance program can be built, the most effective programs that I’ve created as a professional in Security and Governance, Risk, and Compliance (GRC) are ones where I sought to build relationships with the business, learn what they’re trying to accomplish, and help them understand that what we were creating were guardrails, not blockers. By creating a dialogue, you can better explain that your goal is to keep them out of trouble rather than just saying no for the sake of saying no.
Using Indirect Influence
Yeah. Compared to other jobs in the tech world, it is a tough job in that you have a large wingspan regarding the number of people you interact with and influence, but your direct control and budget tend to be smaller. That influence and relationship piece is a vital part of the skill set.
I was fortunate to go back and forth between being a consultant and working on the client side, working internally, earlier in my career. You get different experiences doing both. Internally, you tend to focus more on long-term problem solving, building lasting relationships, and working through problems more gradually, but in a way that is meant for long-term success. Consulting teaches you quick empathy. It teaches you quick problem-solving and to make recommendations fast. The two combined can turn into a great skill set. So if you’re earlier in your career and you’re struggling either on the internal side or as a consultant, switching your role from client to consultant or vice versa is worth trying. It’s just finding what fits better with your personality.
In the second installment of this conversation, Dwight and Jeremy discuss data privacy and security technology, the opportunities and gaps in the industry, what buyers look for in a solution vendor, and more.
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.