Larry Whiteside Jr. on being the 2024 Tech Titan

Chief Information Security Officer

RegScale

"Data privacy risks are prioritized based on its impact on business outcomes. This means, does the risk have a high, medium, or low impact to business outcomes."

ABOUT LARRY

Reach out to me directly if you are aware of something that takes a current problem we face in the information security, cybersecurity, risk management, or physical security industry and adds value or attacks a threat/problem in a new innovative way with outside-the-box thinking.



My goal in life is to bring value to those I interact with. This being the case, one of my charges is to help better the practice of risk management/information security/cybersecurity and the people that represent it around the world.



I bring over 25 years of experience in the Information Security and Risk Management field. I have presented to Corporate C-Level Executives and many high-ranking government and military officials. I provide a unique background in the Information Security field due to having held Executive Information Security roles in many different verticals of business in both the public and private sector. Through that experience I have gained vast knowledge that I am willing to share or collaborate with others in the industry. I have been nominated for and won different professional and industry awards over the years as an attestation to the good work I have accomplished. I routinely speak at industry events (RSA, Secure World, Gartner, SC World Congress, to name a few). I have had numerous articles published or been quoted in many industry periodicals and magazines.



If there is ANYTHING you need related to the broad topic or subtopic of Technology Risk Management/Information Security/Cybersecurity, or Physical Security, I am willing to provide some insight. I provide security marketing and analysis for many different security start-ups, investment management, and VCs. If you are interested in having a conversation with me, please feel free to reach out. If you would like to just collaborate or bounce ideas off of me about something you are thinking about, whether it be technology or career decisions, I am open to listening.



Ask Larry

Share a key aspect of your approach when building privacy programs and how it aligns with organizational objectives.

For me, this comes in a few basic principles. The details may change at a granular level, but the principles and tactics remain the same:



Principle #1 – Understand Your Data

To comprehend the privacy implications for your organization, it is imperative to be aware of the data at your disposal. This requires a thorough investigation to identify the type of data, its location, users, and access. Although seemingly simple, this task can be complex, emphasizing the critical importance of Principle #2.



Principle #2 – Establish Ownership

Ownership is key for the execution of any program or process. To ensure accountability, assemble a team of stakeholders with board-level visibility to establish policies and standards governing the organization's use, collection, and maintenance of data.



Principle #3 – Implement Sensible Controls

At a high level, three control categories—physical, technical, and administrative—need consideration. These controls serve as the linchpin for determining how to handle Privacy Data effectively and align with Privacy Regulatory mandates.



Principle #4 – Minimize Unnecessary Data

Organizations often collect data for specific purposes without establishing processes for its proper disposal once it becomes obsolete. Failure to address this exposes companies to unwarranted risks. Following Principle #1 allows organizations to identify data that should be disposed of to mitigate potential risks.



Principle #5 – Continuous Improvement

Many organizations halt their efforts after completing these fundamental exercises, which can be detrimental. A "rinse and repeat" approach can ensure that privacy measures remain effective, adapting to evolving circumstances. Ceasing at this point risks rendering previous efforts obsolete, as the context of data evolves over time.



How do you measure and prioritize data privacy risks, and what strategies have you found effective?



Data privacy risks are prioritized based on its impact on business outcomes. This means, does the risk have a high, medium, or low impact to business outcomes. In today's framework under the rules from the SEC, many organizations are moving towards the material impact. As it relates to strategies that work, measuring the risk has always been challenging. I feel identifying them is the largest part and then letting the business measure them based on impact to the business. This has to come from a committee of some sort, like a Data Governance Committee or Privacy Committee. This is not the role of the CISO. The CISO's role is to identify the risk and help the business understand the threats that cause or create the risk.



Reflect on a notable challenge in your data privacy work and the specific steps you took to overcome it.



In the past, the largest challenge I had was getting the business to understand that it was NOT the CISO's risk, but the business's. The business often feels that Cybersecurity is responsible for owning data and privacy risk. I always communicated that the job of the CISO was to identify the risk, communicate the risk, and then mitigate the risk based on the decision made by the business or whatever committee had that responsibility.



If you could have any fictional character as your best friend, who would it be and why?



This is honestly a tough question. For me it would likely be The Flash. The ability to speed up, slow down, or possibly reverse time would be an amazing complement to any cybersecurity team / leader in my book.



If you could time travel to any era, past or future, for a day, where and when would you go, and what would you do?

I would likely travel into the future so that I could meet my great-great-grandchildren and see if the legacy I tried to leave behind was still present. My spouse and I have a personal goal and a set of values that we hope will be passed on for generations. So being able to see the impact of that would be amazingly powerful... one way or another.