This is a transcription of our interview with Steven Minsky. You can watch the original video interview here or listen to the podcast episode here.
Boris: Welcome to our interview with Steven Minsky. Steven is a CEO and founder of LogicManager, which is a powerful risk management software with a comprehensive solution that supplies organizations with focused and improved risk management processes.
Steven, thank you for your time and for coming to our interview today.
Steven: Thank you so much, it's a pleasure to be here today with you on Privacy Day.
Boris: Exactly, today is the Privacy Day and we have a very interesting interview in front of us. I must say that you have been a prolific blogger and contributed to a lot of blogs including Global Risk Community. I wanted always to connect with you and now is a good time to have a comprehensive interview.
Steven: It's been a pleasure. I've been blogging on risk management since 2005. So it's been a long time.
Boris: Apart from your blogging, you were able to create a very dynamic company. Can you perhaps tell us a short story about who you are and what you guys at LogicManager have been up to these days?
Steven: Excellent. So LogicManager is the first risk management software built by practitioners for practitioners. We focused on a risk-based view for helping all governance areas. Of course the privacy being a topic of today, but everything within IT and IT Governance of security as well as audit, business continuity, compliance, vendor management, the list goes on and on, taking all of them and putting them on a common platform with a risk-based point of view. This all rolls up to the world we live in, which is the see-through economy.
And that's something that basically, since the advent of the mobile phone, the smartphone, there is a recording and pictures of everything that you do. And of course with other technology the data is transferred around the world with social media and the risks have never been higher in a very rapidly changing society. And really this is what Risk Management is all about in COVID days and what our role is in helping organizations.
Boris: Fantastic. Today we will do a deep dive into data privacy and how regulations like GDPR changed the game for businesses. Steven, you often speak about a see-through economy. Could you perhaps walk us through, what does it mean for us and how is it applicable to the business?
Steven: Sure. It's easiest to understand that in terms of how things were just 10 years ago to today, 10 years ago, you could have a press release and if there was a stumble or a scandal in some way, or a company or an organization could put their viewpoint out and dominate the news cycle with their view on whatever happened. Now with the see-through economy, every consumer can weigh in on their opinion of what happened.
And now the company press release is only one of millions of voices on the internet and it gets drowned out nearly completely. The truth comes out within days instead of within years and therefore the accountability for anything that comes out. There have been really three big findings in the last 15 years that we've proven.
Number one, all scandals are known by the organization in which they occur at least four to six months before the scandal gets known externally.
That has been 100% of the cases, therefore, since it's known and it's usually known by several people within the organization that makes it preventable. And in 2010, they actually changed the legislation for fraud and negligence to have the same penalty. So if it was known by your employees and you didn't do something about it, that's negligence, if you knew about it and you purposely didn't do anything about it, it's fraud, but the penalty is the same.
So leaders of organizations need to say do they want to be in the news for negligence or fraud? And the answer is neither since if it's hundred percent knowable it's a hundred percent preventable. And that's really what the see-through economy is all about. As the world has demanded that these scandals come to an end.
From a privacy standpoint, just think about the massive changes we've had even in the last several months, new legislation that companies have to show who they are.
You can't have blind companies anymore, that the GDPR has moved to its next level. Just November of this last year, taking the personal privacy of GDPR and extending it to the data that organizations have. And these are some massive privacy changes happening.
Boris: Let's dive into the data Privacy topic. What are the biggest challenges organizations are facing when it comes to data privacy and how companies need to proactively address any issues or gaps in their compliance related to this issue.
Steven: So you can think about it a little bit, like the problems of say data security 15 maybe 20 years ago. If you have security too tight, then you can’t function and if you have your security too loose, then you have breaches and things of that nature.
So Privacy is that kind of challenge. Unless you have a flexible way to manage Privacy, if you go too far without this risk-based approach, you can actually hurt your consumers, that you and your audience and stakeholders that you have a mission to serve. And of course going in the other direction and being too loose would also hurt those stakeholders.
So I think the key of Privacy is how do you put in the flexible systems that allow you to do business and serve your constituency, but still be respectful and give them control of their information, which they deserve.
Boris: We are currently in the midst of a major crisis, I think the most important disruptive period in our society in the peace time history and the pandemic is having serious implications for businesses across the globe as they adapt to the new normal of operation. So can you perhaps elaborate more on this topic because there are many security and privacy issues involved with the work from home situation? What tips do you have for risk manager's to help them to stay the course during this pandemic crisis?
Steven: I think the first thing to realize is that in terms of crisis, bad actors will take advantage of that void. So whether it be Privacy or security or vendor Management, they're looking for the easiest way in to your organization's Data and that on the flip side. So, needing to divide this and say, you can't just let Privacy be a backburner topic just because there's a pandemic going on.
People expect organizations to be able to walk and chew gum at the same time, they expect them to Privacy as an inalienable right. And you should be able to do your mission and protect your privacy at the same time. It’s not one or the other it's both. And I think that's an important lesson for risk managers.
Third one I think is carving Privacy out on one hand to be able to focus on, but integrating it in terms of all that you do. Marketing is involved, which is not a traditional risk management stakeholder, but they're very much involved from a privacy standpoint and so all the other areas of your organization.
So understanding that GDPR and privacy is not a single siloed problem. This is something that has to happen on the enterprise level and has to happen at the activity level. Again, the message to risk managers, it's not one or the other -enterprise or the activity level. It's both.
So I think those are the, probably top three strategic take-aways and they sound maybe a very simple, but if you remember any other massive change, like in financial reporting or compliance or technology. In practice, just rolling out these three alone is a significant challenge.
Boris: It makes me sometimes very nervous when people and brands know about me or my company. So for example, they know the appliances I use in my house, the software that I installed, websites that I've visited. They can even read emails that I am sending. It's like there is no privacy anymore. So where do you think data privacy as a whole is headed? And what are the other trends in this area, and what should we expect from you guys in the future?
Steven: So I think that you've brought up a very important perception versus reality. So first of all, again, I think the starting point is that Privacy is an inalienable right. This is not optional and companies and all organizations, governmental non-governmental private public, all organizations need to protect the rights of their individuals that they serve and the information that they collect on them.
I think when you start from this position, from a positive standpoint, that glass is half full. And you say like when you visit a doctor, you need help and you give your doctor private information. That's okay. You're just expecting the doctor to do the right thing with it. If that information is going to be used for medical research, you consent to have medical research done and have this data available for medical research and has kept private and it's anonymized.
So it's not about preventing things, it's about enabling things in a responsible way. And I think it's really that kind of a mind shift. Of course we have some very bad business models in the marketplace, notably Facebook and things of this nature that they, instead of making the business model around the customer, they are giving the services free to the customer and then selling the Data off on the other side.
This is really what has been, I think the worst precedent that has been established. Because it needs to be - let the people pay for the services and then let them opt into their data is being sold. And there will be lots of those if it's done in a responsible manner, they would be happy to have the data sharing. You share certain information willingly to responsible parties all the time. As long as it's dealt with, as long as the game rules are established and expectations are set and then those game rules are followed, I think pretty much everybody is okay.
Most people are okay with sharing as long as they are asked and they're involved and that they're respected. And I think at a very high level, these are the principles, but then you need to bring it down to the operating level and saying, how can I forget somebody in my organization? How do I identify where that data is? How do I identify what game rules I'm playing, what sport, if you will, and playing and how do I respect those rules? How do I have internal controls on those rules? How do I have auditing on those rules internally and so forth and so on?
And because good people sometimes make mistakes, how do you make a response? And what should the response be? Much like you have fire drills and you have all kinds of fire protection. You can’t eliminate fire, but you can respect fire and you can plan for fires so that it heats your house, cooks your food, but doesn't burn it down. And I think privacy is very similar. You can have a safe relationship with people with individual and organizational data and have it not burn your house down and have it do great things for your organization and for your constituencies.
Boris: Fantastic. I would like to hear your personal opinion, what is a commonly held belief as it relates to Data Privacy that you strongly disagree with?
Steven: I think that Europe is far ahead of the United States in this area, which is where I agree. My personal view is that Europe has got it right with GDPR, that Europe has put a lot of thoughts into not just GDPR, but into the larger sense of Privacy and the world has been following, Asia Pacific and the rest of the world.
And very slowly in the United States as well, with legislation in California, in New York that is starting to take notice and follow those protocols; a lot more work to be done. Going to the other side of it, the most egregious part, which I personally feel is unacceptable, is for organizations to feel as though they have a right to your data and that you don't. This is very similar to the lawlessness on the street to say that people don't have rights to life and liberty.
These are some of the things that we've worked through in the last centuries that people have a right to live and right to be healthy. They have a right to privacy. And I think this is the core when, if you don't have people on the same page with this recognition of this fundamental right, it's very hard to have a conversation on being a good steward of that information. So it really has to start with a tone from the top in the organization. And it needs to go through and permeate all aspects of the organization and with the appropriate controls and the appropriate processes and procedures.
And it's not so difficult to do, it really starts with one thing. Do you recognize the right that people have and organizations have to their data and to their Privacy and then work from there is it is all a manageable, the technologies are there, the processes are there. This is not a technology problem, this is a policy problem.
Boris: For someone who is listening to this interview and want to take action, what do you recommend as a starting point?
Steven: I think that there's two ways to look at this. And that's a really excellent question that you've just asked. I always look at it from a risk-based point of view. One could look at it and say, there's so much to be done, this is so broad, it will take me 10 years. And that's, if all Privacy issues, you're going to do them all at once and treat them equally. No activity is ever done that way.
So we need to take a risk based approach and look at where are my highest risks? And it starts with a risk assessment to say, where are my greatest and most egregious vulnerabilities from a privacy standpoint, let's identify them and rank order them. And start with number one, for example, and look at it from a risk reward, trade off. I think in Europe, which is very important class action lawsuits have never been a precedent before they have started.
And when you look at the new lawsuits, particularly with a Marriott and several others, a British Airways and so on, the penalties were much lower than what people had expected. So the population felt that they have fallen short and the government perhaps is falling short. The private legal community is stepping in and class action lawsuits are now showing up and now the injured parties, which are in the hundreds of millions for these kinds of breaches and Data negligence and Privacy negligence, they're being rectified in the courts.
So I think this is an enormous new Risk for organizations that never knew that there could be a class action lawsuit on Privacy or those class action lawsuits on Privacy or working themselves through the courts.
And this is going to change the dynamic. And I think in a good way. I mean, it's difficult to hear what I just said as a good thing, but you have to say, change is painful, change is difficult. And this is showing in our risk registers. This issue is coming up to the top and the population in the organizations are expressing their demand. So if it were not important, there wouldn't be a class action lawsuit. So the fact that there is one is evidence that this is an important issue.
So I think that's really, when you look at both your risk on privacy and your liability on privacy, and you start working down your risk list, it will be a much more manageable task. And by the way, I just want to throw in there, when you do this risk-based approach, you eliminate 95% of your penalties just by doing what I just talked about, because you're no longer negligent. Remember being negligent means, you say it's overwhelming and you don't do anything and you have no demonstrated plan on how to address something bad.
Things do happen to good people. And that's taken into consideration into the courts and into these kinds of actions. And if you're putting together a risk assessment and you're showing material steps being taken, and some scandal or a bad thing were to happen, your penalties would be reduced in the 90% range, because you would be eliminating negligence just by putting your plan and starting to put material action and responsibilities around it.
So that's probably the number one recommendation to risk managers that you can't see, although it's easy to fall into a trap that it's overwhelming, we need to take those action plans to take negligence off the table as soon as possible.
Boris: Fantastic. These were all of my questions. Is there something that I forgot to ask you and you would like to add?
Steven: I think the most important thing is also another a piece of advice. I'm a practitioner of Risk, I've always taken a helping people kind of view. So what I would say to the risk management community is it takes a village to get this thing done, and we need to take the fear out of it. We need to talk to our stakeholders around the organization. We need to talk to our risk committees. We need to talk to our fellow peers and the executive suite. We need to talk to people throughout the organization. We need to let them know that we invite them to participate in our risk management plans.
And in this way, like I said, all scandals, and I mean all, there hasn't been a single one where the scandal wasn't known, the vulnerability wasn't known with certainty six months in advance by the organization, typically by the frontline of the organization. Since they already know and if you don't know about it as a manager or as a leader in your organization, you're already negligent. So taking that very first step to engage them in the process takes negligence on the table, takes the fear and actually protects you in the sense, not just legally, but also from your reputation, because your employees are going to say, okay, we understand that this is a problem we've known about this, I'm so glad my organization is doing something about it.
The other way that is you get afraid. You think that nobody knows, and you try to hide it. And that is just in this day and age, as we talked about it with the see-through economy, there's no hiding in the see-through economy. So we need to change our mindsets and say, it's already known. So let's take that first step and engage with our employees, engage with our customers, engage with our stakeholders and let them know we want to do better. We are doing better, here's our plan.
That will take the stigma out of it. That will take the fear out of it and that will put you on your path to health. So that I think is all I would love to leave people with that positive thinking instead of a fear thinking because that’s just not a healthy view. We've got a lot going on in the world right now. And privacy can be a contributor by the way. COVID has a lot of Privacy information about it. If we can have privacy as we do with COVID, why does it have to be either or. We will be able to help crowdsource if you will, medical information from the community.
That's what the new laws that were proposed on November 25th in Europe with the next level of GDPR. Let's just do this medical research in a responsible way. It's necessary, but it doesn't have to be at the sacrifice of privacy. We can solve the world's problems and have privacy at the same time.
Boris: All right. Thank you, Steven, for your very thoughtful interview, and I wish you and your company success and growth in coming years. And I hope to see you again on our show.
Steven: I'm a big fan. Thank you as well, happy Privacy Day and it has been a great honor to participate as always with the Global Risk Community.