‍The following is an interview we recently had with Anne van Eck who holds the position of Cyber Specialist at Deloitte Switzerland. In her daily work, Anne supports clients in how to work with privacy and cyber security as business enablers rather than business restrictions. Continue reading the interview to learn what is the biggest issue that companies must address from a privacy standpoint when they suffer a data security incident.

1. Can you give us an introduction about yourself, Anne? How did you venture into the data protection world?

My background in business and law combined with a strong interest in technology made me venture into the data protection world a few years ago. When I realised that these three areas perfectly collide in the area of cyber and data protection, I had to look no further. Supporting different organizations in finding the best and most efficient way to protect the data of their costumers is what I do with passion every day.

2. What has been your most career-defining moment that you are proud of?

I am proud of several things but if I have to choose one I have to say I am most proud of one of the projects that I was involved in more than a year ago. A very diverse team of people within my organization were developing new ways to fight financial crime. For this, financial transactions from different banks were put together, meaning a lot of (sometimes sensitive) personal data. I contributed to the project from a privacy perspective and truly made an impact on the future of the anti-money laundering landscape.

3. What soft skills do you think are most important for data protection specialists?

In my opinion, the most important skill one needs to have is communication. As a data protection specialist, you are not the one processing the data. This means that the only way to effectively protect the data is by doing so from the core of the data processing. Getting the people who actually work with the data on board is key. This requires strong communication and sometimes persuasion skills to convince stakeholders within all levels of the organization.

4. What is the biggest issue that companies must address from a privacy standpoint when they suffer a data security incident?

One of the biggest challenges is to ensure you communicate to the regulators and/or your customers on time. You need to be able to assess and analyse the security incident as soon as possible. There is a fine line between reporting a wrong positive and thereby scaring your customers and doing the right thing by reporting and allowing the right mitigating measures to protect the data of your customers. Again, communication is key. 

5. Could you please tell us what was the most important information security lesson you learned in 2020?

Hopefully, 2020 learned us to always be prepared for any incident. COVID-19 overwhelmed almost all of us and organizations were not prepared for any of the consequences the pandemic brought. It is worthwhile to continuously test and iterate your incidence response plans and mechanisms. It does not matter if we talk about cyber incidents, computer viruses or corona viruses, make sure to prepare for the worst and hope for the best.

“There is a fine line between reporting a wrong positive and thereby scaring your customers and doing the right thing by reporting and allowing the right mitigating measures to protect the data of your customers. Again, communication is key.”

6. How do you see innovations in information security impact the way organisations think of information security?

As in every other area, there are ways to automate. This can bring benefits to information security in any organization. E.g. SOAR (security orchestration, automation and response) can make cyber professionals shift their focus to the most important things instead of having to deal with repetitive monitoring and controlling work.

7. What trends do you expect to see in information security in the next 3 years?

From a data protection and privacy perspective, a trend I see is a focus on digital ethics. Costumers are increasingly interested in how their data is processed, and this goes beyond regulations like the GDPR. Something can be perfectly fine according to the law but still, go against ethical principles. There is a trend that organizations focus on asking the right ethical questions, and consequently pushing the regulators to further sharpen the legislation.

8. Why are there not more women in security and technology? What is your take on that?

In my opinion, there are two reasons why there are fewer women than men in security and technology. First, the number of women that study technical subjects at university is lower than men. Hence, the pool of female job applicants in that field is significantly smaller. Second, in my experience, there is very little transition from non-technical jobs into the cyber security domain among established professionals. My take on the latter is that you do not always need to have a technical background to end up in the cyber security domain and I can speak from personal experience here. As said before, there are many different skills required in this field and you are      never too old to learn when you are passionate.

9. What do you think we should be doing more to encourage more women to consider a career in information security?

I would like to come back to the two reasons I mentioned in the previous question. Firstly, I think it is important that we raise our children with the open view that they can become anything, that there is no such thing as a male or female professions. Hereby the promotion of technical studies and jobs by means of e.g. mentorships could help increase the pool of female applicants. Secondly, we should encourage professionals without a technical background to enter the cyber field. The choices we make at an early age do not have to limit our future. We are never too old to learn.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.