In April of 2013, I took on a new role and expanded responsibilities as chief data protection officer for my company. Think chief privacy officer with a dash of information security and some European flair. Reporting to the general counsel, the original idea was to use the position to better align information security and privacy functions across the organization. In actual practice, I found myself focusing 90% of my time on privacy alone. This caused me concern in the initial stages that I was moving further away from information security. In the last year, I’ve had the opportunity to pivot and adjust both my own and others’ expectations for my role, as well as find the importance of treating privacy and security as different but complementary sides of the same coin.
In this article, I’m going to share a few insights on how focusing on privacy actually made me better at information security and in turn, how my experience in information security has helped me operationalize privacy. It is when these two areas become complementary as opposed to distinct or disparate pieces of our organizational thought that we can better focus on the crux of the matters at hand: the value of the assets we’re trying to protect and the impact internally and externally when we fail.
If security is the “how”, privacy is the “why”…
We focus on firewalls and intrusion detection at the perimeter, antivirus and endpoint protection, encryption ad nauseam…all in the name of being “secure”. But if I ask the deeper question of ‘why’ we are bringing all of these resources to bear, the answers will vary from “our regulators require us to do so” to “well, we don’t want to be breached!”. The maturity of a program and how well it has implemented a risk-based approach creates exceptions to this, but I’m focusing on the majority in my experience.
Fundamentally though, the ‘why’ is rooted deeply in our personal and organizational concepts of privacy, and it is those concepts that provide value (monetary or qualitative) to the information assets we’re charged with protecting. It also moves the implementation of security controls away from ‘outcomes’, such as passing an audit or preventing a breach, to one of ‘accountabilities and responsibilities’: “I need to protect this information because <insert entity here> trusts me to do so”. The success of those controls therefore holds a lot more weight, at least to me personally, than if the focus is on outcome alone.
Privacy does not mean secrecy…
A previous entry on this blog focused on the discrepancy between equating privacy with secrecy and equating it with confidentiality. The fundamental difference is one of keeping the data hidden versus ensuring the data is only collected, used, and accessed for the purposes it was authorized for in the beginning. The former does not lend itself well to a digital economy, while the latter is the crux of success in the age of big data and ubiquitous computing.
What that means for security and privacy is that we can’t focus on just locking down “the box” containing the information; this has been true since computing moved beyond the mainframe, and it is even more so now. We have to consider security controls in the context of enablement: enabling a consumer’s ability to choose, authorize, and be assured their data is being used as stated, while balancing the organization’s ability to collect, process, and protect that information within the bounds of that agreement. This sometimes means creative approaches, concessions on “best practices” that may inhibit data analytics, etc. The complexity increases, but so does the reward.
Data value is often influenced by privacy considerations…
The value of data is rarely derived solely from a single entity. It is often an aggregate of the data subject, the entity collecting the data, and the entity (or entities) that process that data, turning it into information that can return value to the individual or the organization. A significant part of that value is driven by the sensitivity of that data, some of which is dictated by regulatory requirements, but all of which is influenced by more personal perspectives of ‘private information’.
I’ve come to accept that my name, address, phone, and email, while personal information, are freely available on the internet, in the white pages, and in public records. My religious and political affiliations, telephone metadata, medical history, and even my search histories? Those hold more value to me and in turn have more value to organizations who’d like access to that information for a number of reasons, including surveillance purposes or targeted marketing. So we shouldn’t lump all personal information into the same bucket and apply the same treatment and controls. If all personal information is precious gems, we need to understand that means some are diamonds, rubies, and emeralds while others are peridot and amethyst. When we have limited resources, we need to focus those resources on protecting the assets of most value.
The best risk mitigations are not necessarily security related…
We discuss topics such as security by design, and involving security personnel early in the process for threat modeling and risk assessment, but I’d argue even then we’re coming in late to the party. Often we’re focused on ‘locking the box’, which is rarely a welcome conversation at the product and business level. Also, effective security needs to be applied where there is the most value (see previous paragraph), and at a project’s inception that value is likely not yet determined.
Privacy by design, though, starts by looking at why we’re collecting the data, what our intended usage now and in the future will be, and what impact that data has on the individual, our organization, our brand, etc. It’s a powerful tool that can change a proposal rapidly and drives back to the accountability and responsibility model I discussed earlier. It forces us to acknowledge these obligations early, often, and throughout the data lifecycle, and in turn can feed the design and build of those security controls. It’s also easier for the business and product people to grasp, as it’s driven by a concept of “doing the right thing”.
But I think I’ve provided enough food for thought for one post. This past year has changed my worldview as it relates to recognizing the information assets we’re trying to protect and the fundamental importance (the ‘why’) that responsibility places on our shoulders. It has also refreshed my hope as it relates to achieving a balance between enabling the businesses we’re in and ensuring data privacy and security; two sides of the same coin and all that.
I am interested, though, in hearing others’ thoughts on this topic, particularly those who have had a foot in both the security and privacy domains or those aspiring to cross that gap. Please comment here or reach out to me on Twitter!