Security Expert Interview Series: Laura Kiviharju
The next expert we had the opportunity to speak with is Laura Kiviharju. Laura is a certified (CISSP, CIPM) legal professional with experience in data protection, information technology, and IT/cybersecurity. Laura discussed the 3 must-have skills a data protection officer & lawyer should have and how businesses can best inform users that their data is secure and private, and shared with us what personal development she regularly does to keep herself sharp. Continue reading to uncover her full insights below.
1. When did you first think of “Data Protection” as a career?
It was around 2014-2015 when the GDPR was under preparation in the European Union. At that time I was working in cybersecurity and thought that data protection would be an exciting, growing new field to enter into.
2. What are the 3 must-have skills a data protection officer & lawyer should have, and is a technical background necessary?
Technical background is not a total must, but experience and/or knowledge in information security definitely helps as it is an inseparable part of data protection. Otherwise, beyond subject matter expertise, I find good communication skills and understanding of the specific business crucial: you need to be able to discuss with the business people, understand them and come up with solutions that address the risks effectively but which are feasible and not overbearing.
3. How have you seen the data privacy landscape change from a legal perspective over the past 3 years?
According to the statistics of the United Nations Conference on Trade and Development (UNCTAD), in 2020 66% of countries in different parts of the world had put in place legislation to secure the protection of data and privacy. 10% had draft legislation. These figures tell us that data protection is not only a European phenomenon but keeps constantly growing in all regions, meaning that a global approach is ever more important for any company that operates internationally.
4. With rising consumer privacy awareness, how can businesses best inform users that their data is secure and private?
In general, by being transparent and concrete towards the users about the steps the company has taken to protect personal data. The GDPR introduced data protection certifications as a new concept for demonstrating compliance. There will be certification mechanisms soon available for businesses and this can be a very helpful tool to inform users and customers about the level of data protection.
5. You have previously held data protection positions in multinational companies, advising business functions on various topics in data privacy, negotiating data protection agreements, and drafting data privacy guidance and processes. What was the most important career lesson you learned in that position?
I have learnt a lot about how different business functions operate and what kind of specific data protection challenges they face. I find these insights very valuable. Data protection issues for IT-system development are different from the ones for – let’s say – sales and marketing activities.
6. What are the most dangerous threats to the security of personal data on the Internet today, and how can we protect ourselves from them?
New technical vulnerabilities are of course emerging all the time and cybercriminals may be able to successfully exploit them in their attacks but, as many data breach statistics show, the human factor is one of the top threats causing incidents such as loss of mobile devices and malware through clicking suspicious links in emails, just to name a few. Training employees in the companies and educating the public about the consequences of breaches and what an individual can do to prevent or lessen the effect of a breach can certainly go a long way to reduce human errors.
7. What trend(s) do you expect to see in data protection in 2021?
I expect to see more awareness among the “average” users and interest in privacy-friendly solutions even if the providers of these solutions are not – at least not yet – big players in the market. The growing use of alternative instant messaging apps is one of the indicators of this trend.
8. What advice would you give to women who may think data protection is a more masculine profession and hence, not a suitable career path?
Although it might be that the majority of the data protection experts with technical education are men, I have actually met a lot of women working in this field. Therefore my experience doesn’t confirm a belief that data protection would be a more masculine profession. I think it is more important to go after what interests you, what you are good at, and not let gender expectations or statistics get in the way.
9. What do you think we should be doing more to encourage more women to consider a career in tech, data protection, and information security?
Perhaps showing successful yet relatable female examples and investing in mentoring women at the beginning of and during their careers. These are things that have helped me forward.
10. Lastly, what personal development do you do on a regular basis to keep yourself sharp?
I visit data protection conferences and events (at the moment online) that I find relevant for me. Otherwise, networking is very important in any field, especially if you are the only data protection expert in your organization.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.