Houston, We Have a Webinar

Wow, that was fun! Earlier today, we held what is the first in what will become a series of webinars on a variety of (hopefully) interesting security and privacy topics. The goal of the webinars is to inform businesses, academic institutions and local government bodies of ways to think about how to begin to integrate both security and privacy into their everyday operations, and make part of the org’s culture (and do so without always having to break the bank).

The first webinar on proactive incident response is embedded below, as are the slides (via Slideshare).



If the webinar generates questions that we can answer, please use the Contact Us page on this site or email info@secratic.com, and we will get you a response right away. If you have ideas for future webinars, please do the same!. If you are interested in having Secratic help you to integrate these concepts into your organization, please also email info@secratic.com.

Robot Camera

Basics of Incorporating Privacy By Design into an AppSec Program

A question came up recently about how to begin to incorporate Privacy By Design concepts into an Application Security program. Here are some ideas:

  1. If you are not familiar with the original Privacy By Design principles written by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, take a look and use them as the basis for your definition of Privacy by Design.
  2. Identify someone with responsibility for privacy and get them added to the product management process (and if you don’t already have doing this from a security perspective, add them too!). Add privacy requirements as features/stories to the backlog and have them get prioritised and slotted alongside standard features and security stories.
  3. Work with the product management and engineering leads to hold 3-5% of each sprint to be dedicated to security and another 1-3% for privacy tasks that need to be addressed in a timely manner. If not needed, those earmarks can be given back on a sprint-by-spring basis and allocated to other features, but only if no security or privacy work is backlogged. Also, try to have 1 out of every x sprints be dedicated to security and privacy, and have them scattered throughout the year for the bigger ticket privacy (and security) tasks and projects.
  4. It’s very important to work with the overarching business areas to understand how they want to use the data, both at a broad and detailed level, and do so before it is collected. Use this to set the company’s data use ethos early, write it down hold people accountable to align to it.
  5. Set up a review board that can be used to have business, legal, security/privacy and marketing (and any other parties you think have a material part in the collection and/or use of data) to discuss and weigh the current and new uses of data and approve and document accordingly. This board should be lightweight to keep data moving, and should involve business leaders at a sufficiently high enough level that they both understand the benefits and can accept the related risks of using data vs. customer sentiment, breach or regulatory violation.
  6. Be transparent with users about what you are doing with data. Use simple statements that everyone can understand, and keep legalese out of it. Also use the same transparency with internal colleagues, especially developers and product managers. Ensure that they (and you) always talk the talk, and walk the talk on data use and privacy.
  7. Always do what’s good for the user first, and that will translate into outcomes that are good for the company. Trust and confidence come from being upfront and focusing on the user first. This mindset also lets you bring security and privacy into the product as a feature or a tentpole, and stop them from just being seen as a cost center.Privacy is growing with customers, suppliers, huge with users, take that momentum and run with it.  For further information on ways to build privacy into your operational application development program, contact us!

Announcing the Secratic Webinar Series

We are excited to announce the first in a series of upcoming webinars to help growing businesses begin to tackle important security and privacy topics that are important for organisations, regardless of size. We will begin on 4 September 2019 with a webinar entitled Incident Response: Proactive is the Best Medicine. This session will help attendees to be proactive and think about actions that can be taken now to minimise the impact of a malware or ransomware attack or data breach in your organisation, and to be prepared in knowing how you will deal with it when it does, including technical response, outside resources to have on standby, and communications with affected customers.

Future webinars will include the basics of establishing a privacy program, reviewing how data is used and shared within your organization, and building trust in your brand through visible, transparent security and privacy practices.

Register via our Eventbrite page.

We also have created an Events page on Secratic.com that lists all events, including this and future sessions in the webinar series, as well as opportunities to hear people from Secratic present in person or online.

Check out our Events page.

And don’t forget to sign up for the Secratic Newsletter, which will contain the announcements of future webinars, as well as timely information about information security and privacy, data and risk management, and information about how Secratic can help guide the security and privacy programs within your organization.

Sign up for the Secratic Newsletter

Onboarding with Secratic

A question that we often get asked is “how do I get started with a CISO-for-Hire or CPO as a Service?” We have developed an onboarding technique to bring new clients into the various Secratic services, be it to help with security or privacy discussions, or both.

As many leaders new to their role agree, always begin your time by simply listening and understanding. The best way for us to get to know a new Secratic client is to spend time listening to the people that have input on security and privacy from your product, technology, legal, compliance, and leadership teams. All these people will be encouraged to share their thoughts on ways to improve or known or suspected gaps. These happen through interviews, but not in the usual question/answer format; the nature of the chat is more organic and adaptive than you would see in a traditional consulting engagement or audit. It is also more focused on the intersection of business and security/privacy rather than purely focused on whether all the necessary ticks are in all the right boxes.

A critical differentiator of Secratic’s approach is that we also look at the business as a whole, the culture of the company and its employees. We also look at those driving the company’ direction, interactions with partners and suppliers, as well as the risk potential and likelihood both as perceived by business leaders and the market you operate in. All these viewpoints give Secratic the ability to understand your company in the same way that a full-time CISO or CPO would in their first few months.

After two to four weeks of interviews, either in person or via video or telephone, Secratic brings back a set of risks and challenges in your security or privacy program and will call out the most critical things to do to begin to advance the program. We will also include strategic recommendations of ways to address the risks in the context of the business as a whole, as understood during the first phase listening sessions. If you have specific areas of concern for us to focus on in this phase, we can focus just on those or give you a full-breadth set of recommendations.

Now, with actionable items in your hands, the ongoing portion of Secratic’s offering can take over: the CISO-as-a-Service (or CPO, if privacy is your need). In this mode, your company has access to an experienced CISO or CPO and can make the most of the information gathered during the listening phase to receive contextually accurate and informed replies to queries by your technology or security teams, product managers or business leaders. Secratic uses secure chat messaging with your groups to provide synchronous, private access to their knowledgeable Secratic CISO or CPO. This model mimics the way an on-staff CISO or CPO gives informed and timely responses to questions and direction on situations or incidents.

Your Secratic CISO or CPO will be most successful by staying up-to-date on your company’s business and operations, customer requirements, market changes or other items that may affect the risk, security posture, or compliance recommendations given to your company by Secratic. Quarterly, we will schedule a security/business update discussion to ensure we continue to provide security and privacy insights that are accurate for your business.

This model emulates the way full-time CISOs and CPOs work with their respective businesses, but does so at a scale, pace and cost that suits your company, and can expand to meet your ongoing needs for both security and privacy advice and insights as you grow.

If you would like more information about Secratic’s CISO-as-a-Service or Chief Privacy Officer-as-a-Service offering, or to begin the process to bring one of us into your company, please email info@secratic.com or visit the Contact Us page on our website (https://secratic.com/contact-us)

ICO Fines British Airways

Today the UK’s data protection regulator, the ICO, announced their intention to fine British Airways £183M as provided by the GDPR for a recent breach which leaked 500M people’s personal information.

This fine is notable in that it is 1.5% of global revenue – which is a lot for a purported attack, which resulted in data loss and in which the company worked closely with regulators throughout the process. It will likely be a critical case that will be used within companies to demonstrate the long-standing mantra of privacy professional of “you did some things to protect, but you didn’t patch, you didn’t close issues, a bad thing happened, and a huge fine came in the door.”

This announcement should help reinforce enterprise DPO’s messaging to their respective businesses that privacy costs time and money to do, but costs a lot more not to do.


Article: Facebook Is Giving Advertisers Access to Your Shadow Contact Information

Facebook’s use and sale of shadow data profile of non-FB users is proven; Facebook says “yep, we do that.” This is exactly why the tech industry wants to make sure they can develop the US privacy laws, not let the states (or the citizens) get control over their own privacy as it will cost tech dearly to have to stop peddling in personal info.

Via Gizmodo: Facebook Is Giving Advertisers Access to Your Shadow Contact Information


John Gruber (via Daring Fireball) sums my thoughts up perfectly: “At this point, I consider Facebook a criminal enterprise. Maybe not legally, but morally.”

Apple vs. Google: Two Opposite Sides of the Same Privacy Coin

As the technology companies head to Washington to testify about privacy legislation, you can start to see where some of them are going to want to be when the dust settles.  Google is trying to show that they can “do better” on their own and head off highly restrictive GDPR-like privacy regulations, whilst Apple effectively says “we built our products around privacy, so bring on robust privacy-protecting legislation, US Congress.”

Via 9to5Google: Google revamps Safety Center and proposes data privacy framework

And Via 9to5Mac: Apple to support ‘comprehensive federal privacy legislation’ tomorrow at Senate hearing

With my iPhone in hand, I am hopeful that Apple’s stance wins the day since I purchase my devices as much based on privacy as the underlying technology capabilities.

Facebook Continues To Demonstrate Lack of Care For User Privacy

I’m sensing a continuing theme with Facebook when it comes to slurping data and not asking for permission from the person it is about.

Via The Verge: Facebook wanted banks to fork over customer data passing through Messenger

In related news, earlier today, an EU Justice Commissioner quits Facebook and calls it a “channel of dirt”

Via Washington Post: E.U. justice commissioner quits Facebook, describing her experience as ‘channel of dirt’