3 lessons privacy and security teams can learn from each other
Remember the old Reese’s Peanut Butter Cups commercial, where the guy’s chocolate bar lands in the girl’s peanut butter, and they discover “two great tastes that taste great together”? Privacy and security are no different.
In many organizations the two disciplines operate as silos. But recent trends toward holistic management of privacy and security risks have more organizations moving the functions under one umbrella in order to improve communication and collaboration — and to learn valuable lessons from each other’s best practices.
Lessons from data security
Over the years, the IT industry has developed a host of data protection best practices that privacy organizations could adapt to their own activities.
Here are just three:
1. Standardize: The IT industry lives by standards that are developed, tested, and maintained through national and international collaboration, and these standards evolve with the technical and threat environment. For example, the Information Technology Standards Committee (ITSC) currently has working groups on cards and personal identification, health informatics, and cloud computing, in addition to a standing committee on security and privacy.
In contrast, privacy standards are more localized in nature, bound by geography and regulatory jurisdiction because they are in many ways a function of laws. While standards set by U.S. government agencies are relatively mature, our nation’s privacy posture is not. But organizations such as the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) have working groups researching and documenting best practices for privacy organizations, and advocating for privacy practices and efficacy. By supporting these development efforts and adopting new standards, privacy professionals can help the industry improve outcomes and control costs.
2. Measure: Business today is data-driven, thanks to the sophistication of information systems and data analysis tools. As part of IT, data security organizations track the amounts of data on their systems, network loads, etc., looking for unusual activity that might indicate breaches or attacks. Privacy organizations need to do the same. Key indicators such as a rise in privacy-related incidents or in privacy-related customer service inquiries, or unusual patterns of physical access to facilities could all help to quickly identify and mitigate privacy issues.
3. Automate: Data security organizations have used automated monitoring, logging, and analysis for decades. These practices have been applied with great success, for example, in identifying usage patterns that indicate credit card fraud or tracing the source of a data breach. Privacy organizations now have software tools available to help automate and streamline processes such as risk analysis and data breach response. By supporting consistent and objective analysis of privacy incidents, providing a central repository for all incident information, and streamlining the documentation and reporting process, these tools can improve outcomes and free the privacy staff to spend more time on prevention.
Lessons from the privacy side
The privacy profession has evolved rapidly in the decade-plus since massive data breaches have become commonplace, developing virtually in lockstep with government regulation meant to protect consumers against breaches and misuse of their personal information. As a result, the privacy profession tends to be focused on compliance and the consumer, working successfully with people and processes.
Here are three privacy best practices that IT security teams could apply to better protect their organizations.
1. Be Customer-Centric: The greatest risk from data breaches is the loss of customer trust and future business. Because they are responsible for incident response, including reporting to those whose information has been compromised, privacy groups are mindful of the human impact of data breaches. They tend to look at addresses, account numbers, and SSNs not as data but as an information set that defines a person. Data security organizations can take a lesson and focus not just on encryption or keeping data behind a firewall, but also on how to de-identify data or use the minimum data set for each application, limiting the combinations of data elements that would leave a person vulnerable if they were exposed together.
2. Operationalize: Data security needs to be a driver as organizations increasingly move from ad-hoc incident management toward an operational model. While privacy functions have been driving the trend towards an enterprise-wide approach to incident tracking and response, the role of the CISO has also been changing to become a privacy protection leader on the executive team. In addition to fostering collaboration that makes data security and privacy programs more effective, helping to operationalize will give data security groups a platform to advocate successfully for the tools and resources they need.
3. Communicate Proactively: A privacy program depends on policies and processes executed by people throughout the organization, so privacy professionals work hard at training and at building a culture of awareness and compliance. In contrast, many data security functions are implemented within the computing infrastructure. Security software and malware protection are critical pieces of a security program, but a system is only as strong as its weakest link, and often that is the person carrying a mobile device or responding to what may be a phishing email or phone call. Data security professionals are in the best position to know where the user vulnerabilities lie, and they should work proactively with privacy staff to identify and close these gaps through training and awareness programs.
And lessons to live by
In some areas, privacy and data security already agree on best practices. Both know it’s critical to have clear policies, and to enforce them.
Both recognize the importance of top-down support for their initiatives, and both believe in regular risk assessment and monitoring.
With so much common ground, data security and privacy organizations should be able to combine their strengths in the battle to protect personal data.