Oct 5 / Punit Bhatia

Understanding Privacy & Security


Privacy and security cannot exist without each other, which is why it is vital for everyone to understand how essential this topic is for today’s generation. In today’s podcast, our guest is Egide, a board member at ISACA and a security professional. Let us hear host Punit Bhatia and Egide talk about the importance of both privacy and security.


  • Intro
  • What is GDPR?
  • Why does privacy matter to security professionals?
  • How much privacy knowledge does a security pro need to have?
  • Vitality of Privacy and Security in Today’s Generation
  • Importance of credentials and certifications for being a security pro
  • Message of Egide to viewers about ISACA Belgium
  • What does SOCRAI do in terms of security and privacy aspect?
  • How do you find time to balance and manage everything
  • Closing

Transcript of the Conversation

Punit 00:02
We all know that there is no privacy without security. And we also know that security professionals need to know about privacy, and privacy professionals need to know about security. So where is the interlap? For this, I have found an exciting guest, who is a board member of ISACA, just like me, and he's also the president of the ISACA Belgium board. And we're going to talk about what is security? Why does it matter to privacy professionals? And why does privacy matter to security professionals? What do security professionals need to know about privacy, and so on? So let's go and talk to Egide, and I will struggle to pronounce his last name, but I will try: Egide Nzabonimana. Let's go and talk to him. And we'll have a wonderful conversation.

Punit 01:22
So here we are with Egide. Welcome to Fit4Privacy podcast.

Egide 01:28
Thank you, thank you for having me.

Punit 01:31
So it's great to have you. And let's start the conversation by asking you a simple question. As a security professional, when you hear about or think about the word GDPR, what comes to your mind?

Egide 01:45
Well, great question. When I hear the word GDPR, of course, it's always related to privacy. And it also gives me a kind of link to rights, because we are talking about rights in privacy, and of course limited to the European environment in which we are. So I think for me, it's already to see the reason we come up with the GDPR, with those rights to be respected. And also in which domain or in which environment we are in Europe, to cover those topics regarding the rights of the people, the personal information. And also, of course, the way we are dealing with digital assets in Europe, according to the comm or the worldwide environment.

Punit 02:46
That makes sense. And why does that privacy element matter for someone who's a security professional, a security pro? Because as a security pro, you are more interested in protecting systems, protecting data, the network, everything, not caring about protection, privacy, personal and everything; you want to protect all data. And why does privacy matter for a privacy pro, security pro, I would say?

Egide 03:12
Well, privacy matters, I'd say, not only for security professionals; of course, it matters for every individual worldwide. So maybe just to start with, to kind of simplify what we understand about privacy: privacy, like I said, is the right, the right to be free from any intrusion, any surveillance of one person or of a group of people. So privacy is really a kind of matter of individual rights, and recognized also worldwide with all different companies have in or different way. In other words, if we go anywhere, we still have to matter about our privacy. And each of us, of course, is really interested somehow in the way we are giving our data and the way we are giving our information regarding who we are and what we are doing and what we are sharing with others. So it's really the ability to control access to your own data, your own information about what you are, about yourself, and also to make choices. And this is the reason we are talking about the right, of course: making choices, meaning that I'm able to choose when and how and what information I'm sharing with others and in which way I'm sharing it with others. And if we are talking about, of course, security professionals, and before that maybe also simplify what security is: security actually is the state of being protected, and being protected could be against danger, loss, or criminals and different other bad things that can happen to your data and also to your personal information. So its meaning really, regarding security, is the way you are putting a tick or a setting in place, or putting in place measurements to protect your assets, the information, your data, of course, protecting also people, properties, and also different areas of human beings, and also regarding your companies.
So if we see those two elements, for security professionals, privacy actually matters more than before, because we see that we are actually in the era of digitalization; we are using a lot of digital assets. And we are going also in the future to use more of those different innovation technologies that we have today. So it really matters for professionals to be sure that they can still be the ones implementing such measurements, and also to know what has to be protected, and in which way. We see those complex interactions between the systems and infrastructure which we have, which we are using day to day, to make sure that those are protected, that the data are protected from unauthorized access, that they cannot be modified without the consent or the right of those people whose data we are collecting, or modified, or the destruction of those data. So it really matters for professionals to keep an eye on the evolution of the technology, but also to keep an eye on the rights of every individual worldwide. And especially here in Europe, of course, with GDPR.

Punit 07:22
That makes sense. And I think we always say there is no privacy without security. So privacy and security do go hand in hand. And then the question becomes, yes, privacy is important for security professionals. But how much of privacy knowledge does a security professional need to have? Do they need to become certified? Do they need to just be aware of it? Do they attend the training that's given in the organization? Because you will understand and you will agree to an extent that security has an important role to play in implementation and compliance of privacy? So if there's a security professional, how much of privacy knowledge do they need to have?

Egide 08:05
Well, great question. Great question here. Allow me, before maybe giving which elements are very essential for security professionals or those working in the privacy domain to have as a minimum, we can maybe start by looking at our society or world, the way we are living today. Always, when I'm helping different companies and helping also some professionals in our sector, I always give them one example, saying: okay, we are in the company to bring value to what we are doing; it's going to be in the services that we are offering, the products that we are offering in the market, and companies are not isolated. We cannot do business without being interconnected and interacting with other companies or with other people outside in the community and outside in the way we are living today. So it brings me to the one example that I want to share with others, and I like to share with others, which is that many years ago, the United Nations set up different goals to transform our world. They have really taken time to look to the future. There were more than 195 countries contributing in this United Nations General Assembly way ago, and they came up with different goals. It's actually 17 goals in the way we have to look at sustainable development, meaning making sure that we have a sustainable economy, economic development. And one of the analogies I always make regarding this: if we want to get sustainable economic development, which is a way actually, if maybe we extend it very easily to others, what's in it for them, what's in it for day to day?
Actually, it's a way that we have to look at the future, what the future needs are, and come back saying: okay, from day to day, now, what do we have to do to make sure that the future will be much easier for the new generation, for the planet, for the economy, so that we have a sustainable future. And this kind of approach is to meet the needs of the present generation, making sure that, of course, we meet our needs, but also to have a look at the ability of the future generation to meet their own needs as well. So privacy and security, like we have just said, are quite important here. And those are the key elements in this era where we are, where we make the change. And this will make sure that in the future, if we want to really deliver that sustainable economic development, we will have to deal with those two key elements, which are privacy and security, of course. And we used to compare privacy and security to electricity today. If we see electricity in some developed countries and not-developed countries, we see that it plays a backbone role in the way you can develop. So privacy and security are like the electricity that powers that sustainable economic development, just as electricity is necessary today for the infrastructure, for the business that can stimulate economic growth, and also bringing more digital innovation. So we see that those two elements, privacy and security, are very essential.
So it's where ask us today, as security professionals, and also for the future, to develop other skills that maybe we didn't consider in the past and that we will be needing in that digital development. And those different skills that we need, and knowledge, of course, regarding privacy, will be on the side of there are some capabilities and orange needing an expertize expert expertized needs, on the technical way of doing things, meaning that you don't have to have an expertise on that box; you need a minimum understanding of how the technology is working, you need a minimum understanding regarding, okay, if we are talking about innovation, innovation by using the technology, how are we making sure that we are following the emerging technology and emerging trends, to make sure that we are all up to date, and also following all those elements and making sure that personal rights are all the time respected, and also that, on the security part, different measurements are implemented. So we have to develop skills, we have to show that we have enough knowledge. And of course, we will still have to connect with those different stakeholders to make sure that all the time we are informed, and also that we know what is going on and what is the development immediate from there.

Punit 14:20
That makes sense. I really like the analogy with electricity, because electricity used to be the backbone of an industrial economy. As we get into a digital economy, privacy, security and digital laws, how you govern data, how you manage data, how you govern privacy, how you manage cybersecurity, how you manage artificial intelligence, is going to determine how strong or strengthened your digital economy is going to be. So I really like that idea. And if someone was a security professional and you tell them that, the next question they will usually ask you is: do I need to be certified in privacy to have stronger credentials as a security professional? Would that be the case? Do you recommend that to your team?

Egide 15:09
Yes, I absolutely recommend that to my team, and also to other friends and other people that I meet day to day. Because why certify? Certifying is a way to help you make sure that you are up to date with all the different elements in such a domain. Here we are talking about privacy. And in privacy, those certifications can really help give you a good understanding, a good overview of the subject, of the privacy solutions that exist, in a way that you can focus on and validate the technical skills and the knowledge which is needed in your sector and also in your day-to-day business. It really helps you also in building and making sure that you have a comprehensive view of how data privacy measurements can be implemented in your business. And here we are talking about, I think it's in the past three years, ISACA, which is a global learning community worldwide, has come up with a new certification, which is Certified Data Privacy Solutions Engineer, CDPSE in short. And that certification really helps professionals on that technical privacy skills gap, to make sure that they have enough knowledge of the way they should protect the rights of the people and the rights of the users, and the human aspect on that. So it really helps you to mitigate the risks that can be found in those technologies. We know that we cannot have 100% security. Any time we are making a change, any time we are evolving, we are innovating, those technologies also come with some risks that have to be considered, and different skills are really needed to make sure that you can easily help your organization, help your company, to draw on those different matters. Those skills that we can find in those certifications can be: how do I apply the knowledge of security and privacy?
Like we were saying, because it's really a challenge today: how do you bridge the technology and the legal aspects of that technology? As we know today, with all the technology we are using, there are no more borders; those are technologies that can be used in different countries, companies. We were talking a few minutes ago regarding GDPR, which applies, of course, if you're processing European data, but there are also other compliance requirements, privacy compliance aspects, in other countries as well. So because today we are dealing with digital and all the data can be all over the world, this is really a challenge for professionals. And there is a need to have a kind of harmonized way of looking at this topic. And certification is one of them. And it's one of the important aspects, because it helps you to have such a great overview and to make sure that you have a good understanding of those different aspects. It could be on data lifecycle, data privacy, privacy as architecture, privacy best practices that can be shared with other professionals, privacy by design, privacy governance, and the different privacy solutions that exist. So as you see, there are a lot of things to be considered, and it's very good to have a certification, because if you have such a certification as this one provided by ISACA, then you make sure that you have at least the minimum understanding of all the different areas which you have to cover as a professional to make sure that the data and information of private and privacy are protected.

Punit 19:52
Completely agree with you. And I think, for those who don't know, we are board members at the ISACA Belgian Chapter, and ISACA does offer, as Egide said, the CDPSE, which is a privacy certification. Along with other privacy certifications, this can be worthwhile. And this is more suitable for technology professionals, IT professionals, security professionals to gain various aspects of privacy: privacy governance, data lifecycle, privacy by design. And it's more geared from a technical perspective. So you may want to consider it. And if you want to know more, isaca.be can be a place to go and find out when our next bootcamp is, where we can share details about these certifications. But that's a great moment for me to ask about ISACA. It's a large organization; we know that as board members, and you as the President know even better, that we have 163,000 now more members worldwide. And then we have the Belgian chapter. So what can we pass as a message to our listeners about ISACA? What is ISACA? And why should they join the Belgium chapter if they're in Belgium, or any other chapter based on wherever they are?

Egide 21:05
Great to add, thank you too. Yeah, to have to make our notes to every listener here regarding our organization. And also why we are so excited to share the information and to make sure that everybody can join this great organization. Just to make sure that everybody understands the way it's working: like you said, ISACA is a worldwide organization and learning community with different domains, like privacy, as we have just mentioned. But there is also security and its word. And it's well known because it has existed for more than 50, 50 years. That's a lot, actually. And of all the benefits I can mention here, one of them, which I like the most, is that with ISACA, there is a way to really interconnect worldwide with all IT professionals, with all like-minded people on different subjects, where you can interconnect with them, we can network with them. It could be physically or online, of course, with all the different technology that we can use to make sure that we can interact on those different subjects. And it's also a good way to make sure that you are not doing your own things in your company without checking what others are doing, what the best practices are, which can be shared with other experts worldwide. If we are talking, like now, today, about privacy and security, we know that those two topics are topics that are a challenge worldwide, and the way we can interconnect together within this organization helps us, of course, to come up with great ideas on how, in your company, you can go fast implementing such projects regarding privacy and security. And also the way you can speak the same language: we come up with the same terminology on the way we are doing things, we come up with really deep insights on the different elements regarding those two subjects, to make sure that everybody is aligned on it.
And there is also such an opportunity that people can ask the questions, they can meet whenever they want, they can choose which events they want to attend, to make sure that, if they want, they can be more expert in such a domain. And of course, like we said, they can be trained as well. There are trainings which are available for the members. And also numerous non-members are welcome, of course, to follow those trainings. The trainings are also well known worldwide, meaning that the certifications that you get from ISACA are certifications that, worldwide, wherever you go, in any country, they know ISACA, because ISACA is present in more than 200 countries. There are different chapters, like our chapter here in Belgium. In Belgium also we are very, very, very active. We have different activities that we provide to our community here in Belgium, which are also covering the different domains like IT governance, privacy, of course, like we said here, security; we have risk management. We have all those different topics that we can cover, and we interconnect with the community here in Belgium or different other organizations to make sure that we are adding value to all IT professionals in Belgium, to help them also grow in their career, to make sure that they have enough knowledge which they can be using in their day-to-day life, of course. So what I can say: just go to our website and follow the different events that we have, and come meet us. Most of the time, our events are also free to access, meaning that you can meet us and you can discuss with different other IT professionals regarding those topics that we are talking about today.

Punit 25:38
ISACA is a good community for security, privacy, and IT professionals. And most people think of COBIT as a framework; COBIT comes from ISACA. That's something you need to know. And the good part about the ISACA membership is you get access to local chapter membership, which means you get the local insights into what's happening, and the global events, which means you also retain a flavor of local and global for one membership rather than having to have two memberships. And it's very cost effective; it's not so expensive. So if you're in the privacy community, security community or IT community, this can be a very good membership for you. And hence, one more thing, because apart from the ISACA relation that you have, you're also the CEO of SOCRAI. So what does SOCRAI do, that's where your security knowledge and security insights and security impact in the region come from?

Egide 26:38
Yes, thank you for asking the question. Indeed, besides being the president of ISACA Belgium, I'm the CEO of SOCRAI, a private company, here in the French area in Belgium. And what we do is really, we founded it, now it's in 2019, with one of my co-founders here, nobles, and we were working as consultants, helping different companies on privacy, of course, implementation with GDPR and other topics in security, because we are both security professionals and also masters in cybersecurity. So we founded it because we saw that in the evolving of IT, and the evolving also of that technology, and in the consulting, there was always one element that has always been overlooked, which is the human aspect. And we have known each other for more than 25 years, my co-founder and I, and we had this idea to say: okay, we want to build a company which really makes sense in everything that we are doing. And I think here, I'm very happy that you asked the question. If we are looking at privacy and security, there is also one element, like I said, which is the human aspect of this topic. And when we are speaking with different people in the IT world, sometimes we tend to forget that behind all that innovation, behind all that technology that we see today evolving and being used by everybody, there is always an idea that comes from one person. And it's quite important to address also, in everything we are doing, in the framework that we are implementing, in the solution that we are implementing, to make sure that the human aspects are being addressed. It's quite easy to say it, saying the human aspect.
But if we see in the implementation, what we mean actually there is to make sure, whenever I'm implementing something, a solution, like we are saying here for privacy, how do I make sure that the people, the IT professionals behind it, have a good understanding of human rights, of course, but also the learning path of those professionals: how do they make sure that they are following such framework learning, and also addressing the people that are going to use that technology, what kind of knowledge do we have to have? So that's also the reason we created our own platform, which has now been tested by different customers, and this platform will help organizations on the different Reyer in the company to learn, according to, of course, the project or the program that they are implementing in their own company, on the different elements that and user of a non per year of a customer, which kind of information they need to know, so that they're speaking the same language, they are on the same page, a kind of maturity, and also making sure that they are looking at security as well. So we are a group of more than, today, 16, what we call tribal members, with our people working with us and different companies, and also working with some partners out here in our community, to make sure that we deliver an audit file to all of our customers, of course, on those different domains.

Punit 30:42
That's very nice to hear. And you mentioned the human aspect. So I'll ask you a human question, because that's what people ask me. Because we are entrepreneurs, we are consultants, we are board members, we are founders, and so on and so forth. How do you find time to do all this? Because SOCRAI, ISACA, then the community, then networking, then family, then personal life, fitness, clients, customers, complainers, everybody's there. And then how do you find time to balance all these? Because that's a common question. And maybe people would be interested to know, how do you manage to do so much?

Egide 31:27
Well, great question. Indeed, I think I receive a lot of those questions, because people are saying, of course, during different activities. One key element, of course, is to have great discipline, if I may say it like that. It's a way you have really to manage yourself before you are managing others. And before, of course, you can interact with others, you should make sure that you manage yourself. And it's quite important that there is a kind of balance that you have to find in those different activities that I'm doing. For instance, for me, it's really the balance that I'm getting from those different elements. And the way that I measure, that I use, one of the things that I do, also my co-founder, I think we have learned that in a different way. Now, as we are doing our companies, we start each year by setting up our goals, making sure that we are aligned on the goals, but also not only the goals for the company, but personal goals. I have now in my office, I cannot show it now, but I have what we call a mood board, on which I'm writing down every year, setting my goals, saying: okay, what is my balance on privacy and personal goals, and also professional goals? And also, how do I balance those two elements? And it's quite important, of course, because we are interacting and engaged in different organizations, to make sure that I can get back the investment that I'm sharing, but also by making sure that I'm giving back as well. So we are very lucky, because it doesn't feel like working, actually, because we do it out of passion for what we are doing. And we see that, if I say in ISACA, and I see the interaction with the people, with my customers, and interaction with different IT professionals, those are different people that you meet all the time; we have the same people. And it's quite easy in that matter.
Because if I'm doing something for ISACA, I can meet different customers of mine as well. I can meet different IT professionals with whom we are working together on different projects for our customers. And I can link as well, so we can learn together. So we are developing different things together. And that's the beauty of all those activities. And that's also the reason we keep engaging in those areas, because we get a lot back from those different elements. And we can also give back to the community by sharing their expertise, by giving our time, of course, making sure that we are evolving as a person, but also evolving as a community.

Punit 34:40
Indeed, I think very well said: discipline, priorities, goals, all these things help you to streamline, and you need to have your goals not only professionally but personally, financially, spiritually, mentally, physically, everywhere, and then you're following your goals in life. We all, of course, have 24 hours. But when we have goals, those help us propel and deliver more in those 24 hours. But with that, I would say, it's been a wonderful conversation. I never realized that we are almost 30 minutes plus in the conversation. So I would say at this moment, thank you so much for being here, and sharing your time, insights and wisdom.

Egide 35:23
Thank you very much for the invitation. And looking forward to the next one. Thank you.

ABOUT THE GUEST 

Egide Nzabonimana is the current President of the Belgian chapter of ISACA. ISACA Belgium's mission is to bring together digital trust professionals for networking, knowledge sharing and personal development. We have been doing so for already more than 37 years. Presently, we represent more than 850 members from 450 different organizations. As such, we are the largest Belgian organization supporting a broad range of Governance, Risk and Compliance topics aiming at increasing trust in digitalisation. Having over a decade of experience as well as a master’s degree in information risks and Cybersecurity from Solvay Business School, Egide is well versed in various areas of cybersecurity, including business risk assessment and information management. Egide is a Certified Information Security Manager® (CISM®) and Certified Data Privacy Solutions Engineer™ (CDPSE®) IT Professional. As co-founder of the cybersecurity consulting firm SOCRAI, he helps businesses to identify potential weaknesses and blind spots, so they can make their IT systems more secure and more resilient – not just through technological solutions, but also by taking into account the one element that is often overlooked: people. Making staff more aware of the risks and dangers, and changing their behaviour, constitutes a major step towards achieving improvements in cybersecurity in a more robust and sustainable way.

RESOURCES 

About Punit Bhatia

Punit Bhatia is one of the leading privacy experts who helps CXOs and DPOs to identify and manage privacy risks by creating a privacy strategy and implementing it through setting and managing your privacy program and providing scenario based training to your key staff.  In a world that is digital, AI-driven, and has data in the cloud, Punit helps you to create a culture of privacy by establishing a privacy network and training your company's management and staff. 

Listen to the top ranked EU GDPR based privacy podcast...

Stay connected with the views of leading data privacy professionals and business leaders in today's world on a broad range of topics like setting global privacy programs for private sector companies, role of Data Protection Officer (DPO), EU Representative role, Data Protection Impact Assessments (DPIA), Records of Processing Activity (ROPA), security of personal information, data security, personal security, privacy and security overlaps, prevention of personal data breaches, reporting a data breach, securing data transfers, privacy shield invalidation, new Standard Contractual Clauses (SCCs), guidelines from European Commission and other bodies like European Data Protection Board (EDPB), implementing regulations and laws (like EU General Data Protection Regulation or GDPR, California's Consumer Privacy Act or CCPA, Canada's Personal Information Protection and Electronic Documents Act or PIPEDA, China's Personal Information Protection Law or PIPL, India's Personal Data Protection Bill or PDPB), different types of solutions, even new laws and legal framework(s) to comply with a privacy law and much more.