Is more data always better?  Are companies collecting an unnecessary amount of consumer data?


CISO, 1,001 - 5,000 employees
The core of a CSO role is effective risk management and risk tolerance: business empowerment and risk tolerance alongside it. And I think if the perception around data is simply “more is better, more is more, the end,” it becomes difficult to have an informed risk tolerance around the acquisition of data. If there's no liability and there's a Turing test kind of analog that has to happen in the courts for AI, and ultimately the company behind it, to be rendered liable, I look at this and I think, "What is legal's responsibility here for the implementation of AI?" And then we as cyber practitioners, if there is no liability behind certain algorithmic implications, what then for the larger status? And how do you form risk tolerance atop that?
Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees

As folks who live and exist to support the business, part of our job as businessmen and women is to explore the art of the possible. When you are young and struggling and looking to dominate market space, you set the very low “is it legal” bar for that, which is reasonable, to be honest with you. If there is no standard that says there can be a tasked illegality or liability, there is going to be that tendency just to try and create a new product, new service, new revenue stream, or find a niche in the market to head in that direction. But the larger issue that we have here is the speed to discriminate. Now, back in the day my dad would talk about (and I grew up in Massachusetts) those folks who would steer people of color away from certain neighborhoods or would price people of color out of doing certain things and create a level of exclusiveness or discrimination on an individual basis. That takes time, that takes energy; it's more evolutionary. It will happen, but the great conspiracy to do this is probably not going to be very effective because there are six of us trying to do this across a 150-mile radius, etc. It's going to take time. AI shrinks that time potentially down to picoseconds and expands that reach over a broader geography. So, I think the question that not just businesses but folks like us have to struggle with is, “Yeah, I get it's not illegal, I get it's not liable, but before we dip our toe in the water should we establish that level of principles around what we will and won't do?” Because if we just rely on legality, or even worse liability, to determine what we do and don't do, we will be farther down a path with potentially larger implications prior to the point of us hanging back.

CISO, 1,001 - 5,000 employees

It’s those race-to-the-bottom minimum compliance standards where overall regulation trails industry adaptation to new technologies by 10-15 years. I think it's a terrible way to look at the “should” standard of an emerging technical area. And I think you see this bubble up in the crypto space a lot around blockchain. You're seeing a very similar conversation. Regulatory narratives trail by a significant lead time.

no title, Self-employed
Shoshana Zuboff wrote a book called The Age of Surveillance Capitalism. It goes into how data-driven advertising changes a person's behavior and subtly, over time, can guide a person to make a certain decision, and argues that the more data you collect, the more you can actually control people’s in-person behavior. Additionally, it outlines the general lack of regulation across data. There is an ethical issue at hand here and also a tension, as changes in privacy law will greatly impact companies that rely on advertisement revenue. What we’ve done, and what you're starting to see in other companies, is that the CISO is now the head of digital / consumer product engineering. This provides the opportunity to have someone with oversight of activities that use data who also takes to heart security and data privacy; this has to be a priority within product teams. We have people within our cyber team that have the specific responsibility for product and consumer trust, and I work hand in hand with the privacy team, having daily interaction. I think an interesting viewpoint on data collection and use of AI is: are the actions that are being driven from it something that people would expect us to be doing? If not, we probably shouldn't be doing it!
CISO, 1,001 - 5,000 employees

I hear in what you have presented a fundamental separation of duties commentary around AI, the segmentation of consumer experience with privacy and security.

Board Member, Advisor, Executive Coach in Software, Self-employed

That separation of duty is a principle that we should have in AI.

Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees
We've used the term data in a very generic way, similar to how the term APT or cloud was being used many years ago. We use the term data homogeneously. There's data, there's information, there's intelligence and there's knowledge. And we, and the greater American consumer, confuse the terms. Data is the stuff that we gather: facts that are not changeable. Information is data in context. Intelligence is that data or information that lies below the surface of another set and is not readily visible. And knowledge is what conclusions you draw from that.

I teach my students this concept with a 10-digit number: 3013170124. Out of context it's a 10-digit number; it has absolutely, positively no meaning. You throw context around it, you throw commas in certain places, and it's a number slightly over 3 million. You break it up into two groups of five, five groups of two, you put the three, zero up front and it's the area code for Belgium. You put a couple of dashes between the third and fourth and the sixth and seventh numbers and you get a North American telephone number. And that is the correct context for this. Now, if I add another couple of pieces of data or information to tell you the 301 is one of the codes for Maryland and that I lived in Maryland from '95 to 2003, you may be able to glean some intelligence here that says that may have been my old phone number.

When I have discussions about what we should be doing regarding data collection and then what we do with it, I try to swing the discussion so that we are determining what information or knowledge we're trying to gather and what we are trying to do with it, which then will precipitate what data we need. We seem so focused on collecting as much data as possible because we don't necessarily know what we can or want to do with it. We stop asking the questions: What is it I'm trying to gather or achieve, et cetera? And that can help frame the discussion regarding what we keep, what we don't keep and, by the way, how far we are willing to go to get that data.

Adding to that, the greater American public in my mind has not actually understood that distinction between data and information. I have a piece of data, therefore I have information. They have conflated the two and we have seen countless examples of that, not the least of which is the stuff that's going on in the background in U.S. politics right now. But a lot of that has to do with conflating data versus information versus knowledge. And if we're going to have these discussions we need to begin to separate those and define them appropriately.
CISO, 1,001 - 5,000 employees

The first thing that comes to my mind is the automotive industry's and the technology industry's much beloved OKR model, Objective Key Result. And if we look at this space and we have an objective building upon the narrative you just expressed: our objective is to provide this set of services to this customer base and these business units, no more and no less, with an emphasis on doing that excellently and dominating the market in that way. Perhaps the very capitalist desire to surge and dominate and excel in a market space, if aligned with an objective, can be a helpful tool. I'm not espousing a view or an ideology or anything like that; I'm saying perhaps objectives and key results could be a very powerful tool in applying principles to AI and working on that normative piece, the “should” of it.

Board Member, Advisor, Executive Coach in Software, Self-employed

If we have OKRs defined properly, by the nature of defining them properly, it does data minimization.

no title, Self-employed

That's the process we went through when our CISO became the head of consumer product engineering: the conversation flipped to "what is the data required to do this?" Excess data is excess risk; let's eliminate everything we do not specifically need. In other words, we conducted data minimization exercises across the board.

CIO in Education, 1,001 - 5,000 employees
Is more data always better? To me, it all comes down to the usage intent of that data. If it's for understanding your business and making decisions based on data you're already collecting or that's publicly available, sure. If it's just additional information for the sake of collecting, that's a different story.
Board Member, Advisor, Executive Coach in Software, Self-employed
We don't treat data as being toxic, and maybe if we thought about data as being toxic we would handle it with different care. I think we can relate data to chemicals and the toxicity of chemicals, particularly when you combine them in different forms and fashions and you don't know what you're doing because you're just trying to figure it out.
Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees

That would be a mindset shift for most businesses, which, if they think about their data strategically, think about it as an asset or a resource.

Board Member, Advisor, Executive Coach in Software, Self-employed

So does Dow Chemical when it's creating all of its stuff in DuPont, but it recognizes that what it's creating, all of the stuff inside of that creation, has a degree of toxicity, with a high degree of safety concern for not only the workers but the environment around the factory if it gets screwed up.

Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees

I see where you're going now and I like that; that's amazing.

Senior Information Security Manager in Software, 501 - 1,000 employees
Is more data always better? Always, no.

In 2020, and soon to be 2021, data is a liability. If you have more data, that is more data that can be breached. If you have more data, and are in scope for GDPR, CCPA, etc., then there is a lot more data falling under regulations.

More data is better if you have specific use cases that warrant it. If not, every bit of data is a liability, and should be stored only if there is a specific need.

And companies are collecting an unnecessary amount of consumer data. They often do not realize it until they are on the receiving end of a warrant, subpoena, etc., and suddenly have a very rude awakening.