Dr. Mansur Hasib CISSP, PMP, CPHIMS is the Program Chair, Cybersecurity Technology at The Graduate School, University of Maryland University College. Looking to better understand cybersecurity and privacy topics? Read more below.
What inspires your passion for data privacy?
I personally think privacy has been largely misunderstood since its very inception. Even today, I see organizations keep privacy officers and security officers in two separate departments and often, these departments clash with each other. Yet, I view one of the key goals of cybersecurity professionals is confidentiality. Privacy is simply legislated confidentiality. Confidentiality means that the right people have access to the information and the unauthorized people do not have access to the information. Unauthorized people don’t necessarily have to be outside the organization, they can be within the organization too. This is something that has been largely misunderstood.
Other people have also focused on just the digital/system aspect, but information could also reside in someone’s head. For example, a doctor or a nurse can violate privacy, simply by talking about it—so information doesn’t have to be in a system. What we need to also understand is that privacy laws are giving individuals rights over their information. It also creates obligations for information custodians, or the people who are going to store information.
In addition, there are disclosure requirements and penalties for non-compliance and that’s essentially what privacy is. It’s legislated confidentiality. That’s a key thing we need to understand. My passion is to continue to explain that we cannot separate privacy from the overall discipline of cybersecurity and this is what many people have done. They’ve viewed privacy as a legal concept or they tend to look at legal compliance while forgetting everything else. In my view, doing this is very dangerous and it results in the haphazard implementation that we’ve seen.
Ultimate privacy is determined by the behavior of people, not technology. A cybersecurity culture is the key to ensuring privacy. My focus and passion has been to continue to educate people properly in these concepts.
How would you advise privacy leaders who are working towards creating a privacy-embedded culture? What suggestions do you have for organizations who are beginning to work towards embedding a culture of data privacy?
The key is to first understand the broad concept of cybersecurity. In my presentation, I’ll explain the broad context of cybersecurity within which privacy falls. If an organization does not understand that concept, they will fail because they will only be dealing with a small slice of the pie and will not be implementing it correctly.
It’s important to know that privacy culture cannot be separated from the cybersecurity culture or a patient-data safety culture. For example, hospitals already have a patient-safety culture, so we can simply tie in the data and privacy safety into that existing culture. In regards to those same people who are already engaged in patient-safety culture, we should works towards talking about patient data safety culture. That’s essentially what privacy is. What we need to do is embed the cybersecurity and privacy related trainings into job-related trainings for everyone and really incorporate training into people’s standard job training. We also need to provide incentives for people to embrace these trainings and do them well. Culture is best established with positive rewards and gamification. In other words, making this training fun is motivational to employees.
How do you see data privacy evolving over the next 5-10 years?
GDPR has the potentials to protect the rights of individuals. I also think that data privacy through revolutionary technology such as blockchain could be a game-changer. That’s because blockchain begins to give individuals real rights over their information and individuals would be able to protect aspects of their information. Right now, individuals have to share too much data about themselves to conduct a transaction. For example, why does everyone need to know so much information in order to conduct a simple transaction? In the future, I believe individuals will be able to control their information far better and that individual data record will start to belong to them. I also see the electronic health record for a patient, will stay with the patient, not with a central provider.
Can you tell me about your book, “Cybersecurity Leadership: Powering the Modern Organization”?
We need to recognize that this is a new world, and much has really changed. Cybersecurity is the digital strategy of modern organizations. Information has become a key asset for any organization, so in this book, I explain cybersecurity as a business discipline and an innovation culture, powered by people. Executive education and current MBA programs aren’t covering these concepts, but my book addresses this particular deficiency. I tried to write it in simple terms, so that everyone will understand it.
The book also covers all the topics that I typically cover in my cybersecurity leadership and governance course, which is a full university semester-length course. The book is also used by professors who intend to teach this topic. In the book, I explain cybersecurity, leadership, and ethical leadership. The concept of ethics is very important in our discipline because, without ethics, you simply cannot do any of this. I also explain CIO roles, CISO roles, and how to set up organizations.
Because of my passion for the digital transformation in healthcare, I also include many chapters that deal specifically with healthcare.
Additionally, I also produced an audio version of the book, because some of my fellow executives told me they don’t have time to read e-books or hardcopy books anymore. I knew that I wanted to reach out to them, so I produced an audio version as well as a hardcopy. New Audible users can download the book for free just by signing up for their free 30-day Audible trial—click here for more information.
As an industry leader, why do you think people should attend this conference?
This particular conference is going to be interdisciplinary. My hope is that people will understand that privacy must live within the broader context of cybersecurity. I also think networking is very important at this conference. I see every conference as the beginning of a conversation—the whole goal is to show you things and help you think of things that you haven’t thought about. To build those relationships that will let you carry on forward into deeper conversations is important. People should attend not only to learn, but to network—and they should come prepared to build relationships with people including leaders in the field and those who think differently than how they think. Personally, I’ve learned so much from conferences. Even my definition of cybersecurity changed after three years of attending multiple conferences while discussing and refining these concepts.
What is something you believe is most important for attendees to walk away from your presentation knowing?
The key context of cybersecurity and understanding where privacy lives. I hope they will begin to think in a more interdisciplinary manner and set up organizations properly and begin to think about these concepts in the right way.
Dr. Mansur Hasib, CISSP, PMP, CPHIMS, Global Award Winning Cybersecurity and Healthcare Leader, Author, and Media Commentator Program Chair, Cybersecurity Technology, The Graduate School University of Maryland University College (UMUC) is the only cybersecurity and healthcare leader, author, speaker, and media commentator in the world with 12 years’ experience as Chief Information Officer, a Doctor of Science in Cybersecurity (IA), and the prestigious CISSP, PMP, and CPHIMS certifications. Dr. Hasib has 30 years of experience in leading organizational transformations through digital leadership and cybersecurity strategy in healthcare, biotechnology, education, and energy. Within the Life Sciences field, Dr. Hasib served as Chief Information Officer at the University of Maryland Biotechnology Institute and the Baltimore City Health Department for 12 years.
