Data sovereignty decoded: A new take on data governance with Andreas Wuchner
Over 70% of countries have data and privacy regulations in place. We sat down with Andreas Wuchner to explore the current challenges and ways to tackle them.
Today, with a changing threat landscape, an economic downturn, and regulatory challenges across industries and regions, ensuring secure and compliant data processing is more complex than ever before. Data laws and regulations vary around the world, making it difficult for companies to strike a balance between data management and their strategic goals.
The United Nations Conference on Trade and Development (UNCTAD) reports that over 70% of countries have legislation in place for protecting data and privacy, and the acronyms for these laws, such as GDPR, LGPD, PDPA, and CCPA, are becoming more and more recognizable. In addition to data sovereignty and localization laws, organizations must also comply with other relevant security standards, such as SOX, PSD2, PCI DSS, and BSA. Among others, the financial services and pharmaceutical industries are particularly affected by rigid data privacy and security regulations.
To explore the nuances and peculiarities of data governance and protection in these sectors, we sat down with the former CIO at UBS – Andreas Wuchner. With over 25 years of experience at renowned organizations including Novartis Pharmaceuticals, Deutsche Bank, and Credit Suisse, and a compelling track record in all aspects of IT security and risk management, Andreas offers a unique take on the current state of data security.
In this interview, we delve into Andreas’s vision of data security, exploring similarities in compliance rigor between the pharmaceutical and financial services industries, the impact of the pandemic on security teams, the role of innovation in cross-border data transfers, and other nuances of global operations.
Worldr: Andreas, you have an extensive background in both the pharmaceutical and financial services industries. Could you give us a brief overview of your experience and how it shaped your vision of data security in particular?
Andreas: I believe that everyone who has worked in a regulated environment has had a similar experience. On the one hand, there is the real world where we need to secure our infrastructure, our companies, and our data; on the other, there is compliance where regulators continually exert pressure on us.
One thing you learn very quickly is that compliance doesn’t mean security at all. Ticking boxes does get you out of trouble, but that doesn’t mean that the company will be safe and secure.
Another aspect is that there’s never enough budget to do all the things you think you should be doing as a security leader. So, you always have to keep your priorities straight to get your highest risks covered in return for the resources used or money spent.
There is also a constant dilemma between compliance requirements and opportunities to raise efficiency and empower employees. What I understood is that if the system is extremely secure, most probably, it is far from being customer friendly. The biggest takeaway from my experience is that security is always about prioritization and balancing.
W: Do you feel like there are similarities in terms of compliance rigidness between the pharmaceutical and financial services industries?
A: Yes, they are very, very similar. There are differences in the details, but the topics they care about, such as reliability management, identity and access management, and threat monitoring – they’re all the same. The policies and procedures might differ, but security fundamentals and key objectives remain invariable.
W: From your point of view, what factors played the biggest role in changing the perception of data sovereignty and security in these industries over the last few years?
A: When JP Morgan was fined $200 million by US regulators for communicating with clients via WhatsApp, it made everyone realize that no matter how big and reputable your company is, if you’re not enabling your employees to do their job efficiently – you’re likely to face compliance issues.
In order to prevent behavior that can lead to compliance breaches, organizations need to implement solutions that will empower their people and help them do their daily tasks in a straightforward, easy way. Everyone is willing to comply with security policies and requirements as long as they’re not completely counterproductive.
So, I believe that companies’ approach to data security changed when they realized that strict policies are not enough to ensure resilience and eliminate workarounds. There’s more to avoiding compliance fines than just ticking boxes.
W: According to the IBM Security Cost of a Data Breach Report 2022, the average total cost of a breach in the financial and pharmaceutical industries reached $5.97 million and $5.01 million respectively, putting them in the top three industries by cost. Do you believe that their data security policies are evolving fast enough to stay one step ahead of the evolving tactics and methods of cyber criminals?
A: I see it as a race, where companies are ahead of the curve for the most part. But remember that hackers only need to get lucky once – once the system is compromised, they can collect the data and assets they’re interested in and roam the network freely for a certain period of time before they get caught.
This being said, I believe that security is a journey, not a destination. Technology keeps evolving and organizations continuously upskill their security teams in order to defend against new attack methods and techniques.
Think of it as street traffic. Is it safe? Not always, regardless of whether you’re walking, riding a bicycle, or driving a car. But is it safe for the most part? Yes, it’s pretty safe. You can never fully control the actions of other drivers and pedestrians, and the same is true for the IT world. We’re only responsible for our own security measures, and everyone is certainly doing their best to create robust defense architectures.
W: What role does innovation play in safeguarding cross-border data transfers, given the increasing role of compliance?
A: The real value of innovation is making processes better, faster, and more efficient for businesses.
When talking about cross-border transfers and data localization, the tools that companies currently have in mind or in place will not solve the problem or minimize compliance risks. Addressing these issues requires innovation brought by companies like Worldr whose solutions cannot be mimicked by existing tech stacks.
W: How can companies get employees on board with new security policies and innovative solutions?
A: I believe that employees will always do everything in their power and interest to do their job right. If companies introduce new tools or processes that are easy to use and increase efficiency – there is no doubt that employees will use them.
On the contrary, if new policies and tools impede employees’ ability to be successful, this will most likely lead to the use of workarounds. So for me, the best way to get employees on board is to make their life easier and enable them to do their job.
W: Now that the pandemic pressure is finally starting to decrease, do you think that security teams are shifting from being primarily reactive to focusing more on strategy?
A: Two and a half years ago everyone did their nine-to-five in an office and things were pretty stable. And all of a sudden, a global pandemic facilitated mass lockdowns, shifting daily life and work to the digital domain. Despite the odds not being in their favor, IT teams were able to have businesses up and running relatively smoothly in an extremely short period of time. I think they did a tremendous job enabling businesses all over the world to digitalize and transform overnight.
Did this come with failures? Absolutely. But the portion of cyberattacks that were successful was small compared to the overall context and challenges that security teams were facing. We will always be reactive and there will always be a lack of time to spend on strategic decisions. It was and continues to be about prioritization.
A lot of companies definitely have to catch up on certain things, but compared to the craziness and evolving attack factors out there, I think they’re not in bad shape overall.
W: But what should security leaders do in cases where employees’ workarounds are putting organizations at risk? What is the most effective response to this type of behavior?
A: That’s the reason why organizations need risk management to monitor and detect the areas where potential danger lives.
It is important to have a culture where people can speak up and where things get on the table before they escalate. We live in a free world and we want to keep it this way, so we need to trust people. To maintain mutual trust, security leaders need to enable employees to voice their concerns about what policies or tools are not working. This way, issues will be solved before they can cause any damage. This approach is much better than just ignoring existing problems.
W: In the context of global operations, what are the nuances that executives must take into account when creating proactive frameworks for security and resilience?
A: If you look at the 2023 priorities for CISOs, you will see a strong focus on localization and geofencing of data. Regulations around these issues have been around for some time, but it’s only now that companies are paying huge amounts in fines that it’s really starting to hurt.
Today, it is essential that organizations have visibility and control over where their data is located, who has access to it, and how it is being processed. It is becoming more evident than ever that CISOs need to have a strong strategy in place with policies that start from the business itself and end with providers, third parties, and all the steps in between.
W: As a security leader, what technologies do you see as most promising at the moment and are most excited to see develop in the near future?
A: I believe that our complexity is killing us. Let me explain.
Most financial institutions have somewhere between 11 and 15 security agents installed on their employees’ endpoints. This approach leads to far too much complexity and overload, making it so hard for organizations to do their job well and causing a shortage of security personnel.
So, something I wish to see develop in the near future is simplicity, clearer data regulations, and more seamlessness.