Data Privacy Day Surfaces Latent Cybersecurity Tensions

As data privacy advocates celebrate the 16th annual Data Privacy Day, many cybersecurity professionals remain conflicted. The concern is that data privacy is often conflated with security when in fact the former has much more to do with compliance than cybersecurity. The simple truth is organizations can comply with any number of cybersecurity regulations without being especially secure.

Data privacy laws are now advancing at a rapid clip. The California Consumer Privacy Act (CCPA) became effective this month. There are now nearly 20 states that are either close to implementing data privacy laws or considering legislation.

Most of those laws are modeled on the General Data Protection Regulation (GDPR) enacted by the European Union. Unlike the EU, there is no national data privacy law for the United States. As more states adopt data privacy laws, it’s now only a matter of time before an initiative is introduced to reconcile at the federal level what inevitably will be a set of conflicting state statutes.

In the meantime, the relationship between compliance teams tasked with making certain organizations comply with regulations and the cybersecurity professionals focused on the integrity of applications and systems is in a state of flux. In most cases, organizations have two separate teams. However, Trevor Bidle, vice president of information security for US Signal, a provider of IT services, said in some cases the compliance and cybersecurity teams are now both reporting up through the legal department, as security becomes a larger concern.

Anis Uzzaman, CEO and general partner of Pegasus Tech Ventures, a venture capital firm, said organizations are struggling with the issue of determining the right boundary between cybersecurity and making applications accessible. If users find an application too cumbersome to employ, they will simply switch to another application to accomplish the same task. At the same time, however, users create a Catch-22 for organizations because they hold the application provider accountable for any data breach, noted Uzzaman.

Manu Fontaine, CEO of Hushmesh, a provider of identity services delivered via the cloud, said that while those twin demands appear to conflict, advances in concentric approaches to privacy and cybersecurity are being made. It’s now possible to restrict access to data and applications using a distributed network service that is simple enough for any user capable of taking a selfie photo on a smartphone to employ, said Fontaine.

That “Russian Doll” approach separates the identity access management from the application infrastructure to make it easier to manage access at scale, said Fontaine. The core problem when it comes to data security is that while it’s possible to encrypt all data, the keys to access that data are too closely associated with credentials that are easily compromised, such as passwords, he noted.

The tension between data privacy and cybersecurity has been long-standing. However, the more organizations realize that data privacy and cybersecurity are two sides of the same coin, the more likely it is that progress will be made. As more data privacy laws are enacted, cybersecurity professionals should take some solace that regardless of whether compliance regulations create a false sense of security, the fact is the bar for data security continues to rise.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
