A Privacy-Driven Security Culture

It’s hard to go a day without seeing news of a data breach affecting thousands (to even millions of people). What additional skill sets can cybersecurity pros arm themselves with to tackle the new challenges that lie ahead? What frameworks can be used to help promote a security- and privacy-driven culture in an organization? 

ISC2, the certification body in charge of the popular CISSP certification, recently estimated a cybersecurity professional shortage of around 3 million worldwide. This means that with the ever-evolving threat landscape, security pros are going to need to skill up and wear more hats than before. We have been used to securing systems and networks with best practices from ISO27001, NIST Cybersecurity Framework to even implementing Secure Software Development Lifecycles, information protection by access control etc., but all of this hasn’t really gone to the heart of the challenges we face today. Many of today’s attacks do indeed still occur from the traditional methods of phishing, poor security hygiene and lack of a security culture, but I think there are also just as many issues in the application and project development lifecycle when personal data is not embedded as “Privacy by Design; Privacy by Default”.  

From a security standpoint, data ethics has rarely been a key area of focus during the development lifecycle. Ask yourself, how often during product development kick-off meetings have you had someone challenge the room about whether or not we should be even collecting that personal data field from the customer in the first place (otherwise known as personal identifiable information AKA “PII”). Businesses have been all about “Big Data” and thus, collecting as much data as possible to perform analysis and profiling of customers’ and their behaviours, with the ultimate goal of being able to serve more accurate and timely content to drive sales. With the pace at which apps are being developed, the concern is that privacy and ethics are shelved to make way for product delivery and profit. Don’t get me wrong – businesses do need to make profit, and in turn helps to drive the economy, but it doesn’t mean that it needs to be at the cost of data privacy. 

Both security and privacy can work well hand-in-hand if the right strategy and frameworks are used to help bridge the discussions between cross-functional teams. The NIST Privacy Framework in development can be used to help bridge legal and tech teams as per the blog here, but there are also other new frameworks, such as the NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, which can be a good framework for bridging ALL departments, as it brings it all together to look at security and privacy from a risk perspective for the organization as a whole. This can help with driving a privacy and security culture in the organization. 

The General Data Protection Regulation (GDPR) also has a good over-arching view on privacy by design and default, with requirements such as data minimalization, requirements  over the need for clarity over data Controllers and Processors, and through its Articles, outlines how organizations need to be upholding the rights of the customers you are collecting the data from. The challenge is in the implementation. From a practical perspective, it is not easy to take such concepts and for legal to simply tell the tech teams to implement this. They may have had legacy systems where it was designed and implemented decades ago, where transaction data includes unmasked PII data, or it could be companies who never thought to review database schemas during the design phase, to ensure that only necessary personal information was collected; the examples could go on. The challenge is understanding the issue from both perspectives. So indeed, it will take some time for companies to review legacy systems, but for new projects, security pros should take this opportunity to look at application and system development with a new eye, and embrace new security and privacy frameworks to help guide their cross-functional teams. 

I believe a well-rounded security pro needs to embrace a growth mindset, and realize that security is ever evolving, and thus requires ongoing upskilling to stay ahead of the challenges. Years of practical hands on experience is incredibly valuable for security pros, and for those looking to take the next step with additional learning, you should complement your knowledge with risk, compliance and governance (ISACA is a good place to start), and familiarize themselves with new and evolving data privacy regulations. Organizations like the International Association of Privacy Professionals (IAPP) have a large repository of resources for those looking to skill up and learn more, and a strong international network of privacy and security pros, who frequently share at industry events. 

It is not an easy road ahead, and I have only scratched the surface on the challenges of security and privacy, but my view is that with more “data privacy-minded” folk in the security, tech and product teams, organizations can bring to the table new perspectives on how privacy by design; privacy by default can built into the project development as early as the first design meetings.

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Jason Lau. Read the original post at: