The International Association of Privacy Professionals (IAPP) and (ISC)² recently collaborated on a webinar, bringing a panel together to shine a light on the intersection of cybersecurity and privacy. The conversation was moderated by Cobun Zweifel-Keegan of IAPP and featured Ron Woerner, an independent CISO and Forrester consultant, and Robin Andruss of Skyflow.
“The nice thing about standards is that there are so many to choose from.” - Grace Hopper
After the early optimism of the internet era, data has turned into a problem, with privacy crystallizing many of the most pressing issues. One way to understand this is to view cybersecurity as the protection of people, their data and their personally identifiable information (PII). This is a regulatory obligation but also an ethical one. On a practical level, it demands that organizations know what data they hold and where it lives, which means conducting regular data inventories. When data inevitably moves to a new location, each system it passes through must apply the same level of protection.
The first challenge of privacy is to see it as an end in itself and not simply a subset of more general security problems. Regulations such as GDPR have helped educate the market to this ethos, said Robin Andruss of data privacy vendor, Skyflow. Securing data and securing privacy are not, however, the same thing.
“You make sure bad people can’t access the data… but privacy is around what you’re collecting, how you’re storing it, who you’re sharing it with, and what is the purpose and use of the data.”
Whose Job Is Privacy?
Privacy always begins with why you are storing the data in the first place, according to Ron Woerner, an independent CISO and Forrester consultant. Then there is the issue of data integrity: who can change or manipulate the data, and who is allowed to view it. One ambiguity in the U.S. is whose job it is to protect privacy. Corporations will say that it is the individual’s job to protect their own privacy, which of course assumes that the individual understands that this is necessary and knows how to achieve it.
“Many consumers don’t know what this means. They just put it [data] out there and hope for the best. But hope is not a very good strategy,” said Woerner.
At its worst, the risk ends up being handed to a single employee, even though, should a breach occur, the underlying issue that caused it was beyond that person’s direct control.
Adding to this is the fact that privacy, data security and data governance are rarely centralized functions and are typically spread out across different departments. According to Woerner, coping with this complexity requires that organizations develop a common governance model. This could be zero trust, which is data-centric, or a NIST framework; NIST’s Cybersecurity Framework now incorporates extensive privacy controls. Whichever model is chosen, governance itself is always about who has the responsibility and the authority to implement these controls.
Historically, having privacy in a job role was not a guarantee that the person doing this job would understand what this entailed, added Andruss. This is now changing as new state, national and international legislation appears.
The Compliance Trap
NIST has flourished partly because it’s free, but Woerner doesn’t recommend trying to follow every requirement because this might inadvertently harm business operations. NIST’s Framework is a tool to help understand the problem and gauge the success of a data privacy initiative. It should not be treated as a list of things every organization must achieve in every context.
The U.S. lacks comprehensive federal privacy laws and has focused instead on the protection of consumer PII to do the same job, something pointed out by IAPP’s Cobun Zweifel-Keegan. This has resulted in an era where breaches are seen as a consumer issue rather than one relating to underlying privacy systems.
“Even now, we’re becoming numb to all the breaches. However, where it starts to cause harm is that it hurts the organization from working with other organizations,” said Woerner. This has turned supply chain management into a hot topic. However, the third-party risk assessment services that can help with this do not always use common frameworks across jurisdictions and around the globe.
An issue the panel touched on was funding – having the budget to put in place the controls that are needed. This is often cast as a financial decision, which can be a challenge in organizations where privacy is not seen as a priority. In the words of Woerner, “they are willing to pay the fine.” He noted that fines are often small relative to the benefit the organization gained from taking the privacy risk before it was breached. This is one of privacy’s biggest misalignments.
SMB Privacy and Learning
Not surprisingly, in the world of smaller organizations, security, privacy and auditing are usually one person’s job. As these roles involve very different mindsets and goals, this has the potential to lead to conflicts of interest. According to Woerner, these people need to protect themselves by documenting their decisions. Privacy is almost a legal mindset, said Woerner, whereas cybersecurity is more technical.
The wider question is how professionals gain the understanding of privacy that normally takes years to learn on the job. Andruss advocates for the wealth of online resources on YouTube, LinkedIn or free webinars as a place to start.
“It’s the journey to getting the certification. Too many see only the end goal, but what are you learning from it?” said Woerner.
How Often Should You Train?
The short answer is continually. But this does not have to be formal training; it should include constant conversation with staff about privacy. This is how you build a security-oriented culture from the ground up.