As data privacy advocates celebrate the 16th annual Data Privacy Day, many cybersecurity professionals remain conflicted. The concern is that data privacy is often conflated with security when, in fact, the former has much more to do with compliance than with cybersecurity. The simple truth is that organizations can comply with any number of cybersecurity regulations without being especially secure.
Data privacy laws are now advancing at a rapid clip. The California Consumer Privacy Act (CCPA) became effective this month. There are now nearly 20 states that are either close to implementing data privacy laws or considering legislation.
Most of those laws are modeled on the General Data Protection Regulation (GDPR) enacted by the European Union. Unlike the EU, the United States has no national data privacy law. As more states adopt data privacy laws, it is only a matter of time before an initiative is introduced to reconcile at the federal level what will inevitably be a set of conflicting state statutes.
In the meantime, the relationship between the compliance teams tasked with ensuring that organizations comply with regulations and the cybersecurity professionals focused on the integrity of applications and systems is in a state of flux. In most cases, organizations have two separate teams. However, Trevor Bidle, vice president of information security for US Signal, a provider of IT services, said that in some cases the compliance and cybersecurity teams now both report up through the legal department, as security becomes a larger concern.
Anis Uzzaman, CEO and general partner of Pegasus Tech Ventures, a venture capital firm, said organizations are struggling to determine the right boundary between cybersecurity and keeping applications accessible. If users find an application too cumbersome to use, they will simply switch to another application to accomplish the same task. At the same time, however, users create a Catch-22 for organizations because they hold the application provider accountable for any data breach, noted Uzzaman.
Manu Fontaine, CEO of Hushmesh, a provider of identity services delivered via the cloud, said that while those twin demands appear to conflict, advances in concentric approaches to privacy and cybersecurity are being made. It’s now possible to restrict access to data and applications using a distributed network service that is simple enough for any user capable of taking a selfie photo on a smartphone to employ, said Fontaine.
That “Russian Doll” approach separates identity and access management from the application infrastructure to make it easier to manage access at scale, said Fontaine. The core problem when it comes to data security is that while it is possible to encrypt all data, the keys used to access that data are too closely tied to credentials that are easily compromised, such as passwords, he noted.
The tension between data privacy and cybersecurity is long-standing. However, as organizations increasingly realize that data privacy and cybersecurity are two sides of the same coin, progress becomes more likely. As more data privacy laws are enacted, cybersecurity professionals can take some solace in the fact that, regardless of whether compliance regulations create a false sense of security, the bar for data security continues to rise.