When Privacy conflicts with Security, here’s how to fix it

Data protection and cyber security priorities can often feel in conflict. However some simple tools can help you get everyone on the same page.

This article reflects on a talk I delivered for the Channel Islands Information Security Forum as part of Data Protection Week.

In the theoretical world inhabited by policy wonks in ivory towers, legislation and regulation is always here to help you. Rules on paper make decisions easier, and big fines provide incentives for management to support security programs. No board funding proposals or business cases needed — it’s the law.

In practice, it can feel a little different. Leadership attention is limited, and the high level of noise (or sometimes panic) around privacy legislation and regulatory fines can drown out the practical needs of cyber security programs, distracting focus from critical priorities.

The impact of this is also evident in how many organisations are currently investing in complex data process mapping projects or costly AI-driven security solutions, rather than getting the basics right: knowing what you are trying to protect, why you are trying to protect it, and how you are going to do it — then doing it.

It is evident in how rarely boards consider the risks associated with non-personal data assets such as intellectual property, market sensitive data and corporate secrets, compared with how often they consider personal information, even though an objective assessment of the relative risks has rarely been carried out.

It is also visible in how many CISOs are wrapped up in multi-year governance projects when they want their teams to be getting their hands dirty delivering hard improvements.

Whichever way you look at it, the mismatch between noisy demand and objective assessment of priorities is very real and directly affects the performance of security programs.

One of the key drivers of conflicting business priorities is that privacy (or data protection) and information security (or cyber security) have similar objectives but are fundamentally very different in language and in practice.

Let’s use GDPR to illustrate the problem. It helpfully provides the following principles:

  • Lawfulness, fairness and transparency (i.e. don’t break the law)
  • Purpose limitation (have a good reason for processing)
  • Data minimisation (only hold what you need)
  • Accuracy (keep it correct)
  • Storage limitation (bin it when you’re done)
  • Integrity and confidentiality (keep it secure)
  • Accountability (stated separately — your responsibility for compliance)

When the data protection principles in Article 5 of the GDPR are mapped to the security triad of confidentiality, integrity and availability, the areas of commonality are clear but far from complete — the focus is heavily on confidentiality and integrity, with availability really limited to providing information back to data subjects:

Mapping of GDPR Article 5 principles (simplified) to the security CIA triad

We can take this one step further and look at how privacy and data protection rules map to the types of data that pose a risk to organisations. This picture is even more stark — focussing a security program solely on data protection rules could leave significant gaps in risk treatment. In some cases this could lead to serious misuse of resources — for example securing lower risk email list data before high risk nuclear submarine schematics.

Mapping of GDPR Article 5 principles (simplified) to common enterprise data types

The content and information asset focus of a privacy program is clearly different to a security program. However, the differences do not stop there. To understand the impact of conflicting priorities on delivery, it’s important to understand the organisational context too.

Privacy and data protection is often driven by legislation and led by legal or compliance functions in organisations (commonly called the 2nd line of defence). Security is often driven by operational needs and led by operations functions such as IT (1st line of defence). As a result the tools and approach used by management can be very different.

For example, privacy teams tend to focus first on the big picture governance questions that are essential to a privacy program, whereas security teams tend to dive quickly into the weeds by focussing on more operational questions that are essential to effective control. Neither team is wrong — they simply have a different outlook on information assets, as outlined by the questions below:

Commonly stated data needs for data protection and information security programs

Different language, organisational behaviour, reporting lines, visibility and other issues can also contribute to privacy and security having very different perspectives on the same fundamental challenges.

The stage is set for confusion.

When this comes back to the C-suite, board reports tell similar stories but in very different ways, supported by different requests for action and even different challenges. A privacy team may report they are inhibited by a lack of support from security, and security may report they are inhibited by overhead from privacy. The result can be high levels of confusion and a loss of confidence in leaders and delivery teams. That in turn can make it harder to deliver.

Given the potential for misalignment it is not surprising that the relationship between privacy and security can be a cause of risk rather than a means of addressing it.

Fortunately, five simple steps can help build stronger alignment, develop clear shared priorities, and obtain buy-in from senior management:

  1. Build shared artifacts.
    Whilst the operational behaviours and day-to-day needs of privacy and security functions are often different, the tools are often the same. Often different teams have different risk management approaches, governance committees, and asset lists. A shared approach to policy, governance, and asset management may require some compromise; however, it will go a long way to creating a ‘single view of the truth’ and therefore a shared platform for improvement that everyone can support.
  2. Deliver effective and meaningful risk assessments.
    Risk assessments are often qualitative and highly subjective. As a result, one team can assess a risk as ‘medium’ and another as ‘high’. Often attempts are made to iron out these differences behind the scenes leaving functional leaders with a lack of confidence in their own adjusted reports, or differences visibly unresolved. This rapidly undermines confidence. Instead, look at quantitative cyber risk assessment methodologies such as FAIR or QIRA, which can be used to objectively assess and report on risks.
  3. Implement cross-functional teamwork and reporting.
    There is usually no reason why privacy and security teams need different risk assessments and different reports. Risks are business scenarios, not functional ones. By working together to define properly specified risk scenarios, each function can monitor and report on those that are relevant to them. Even better, consider shared reporting that both teams turn up to present and defend.
  4. Determine privacy and security improvement priorities based on Return on Investment (ROI).
    Having undertaken a quantitative risk assessment and reported the risk exposure in financial terms to the board or executive committee, the logical next step is to review both security and privacy strategies and assess the expected return on each investment proposed. This need not be complicated, and if both teams can agree that control improvement A delivers a better return than control improvement B, it is easy for the board to endorse a shared plan of action.
  5. Focus on business objectives.
    Strip back the goals of each program so they connect with the organisation itself rather than compliance or operations priorities. For example, if your board is seeking to rapidly increase revenue, building scalable security and privacy programs will provide the ability to do that without excessive risk. Teams can focus on automation, effective processes, and gaining efficiency with scale. Team objectives can reflect this, showing the board how security and privacy actions work together to deliver on the company’s goals.
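As an added worked example (not code from the article), steps 2 and 4 can be put into a small Python model: each risk scenario is estimated FAIR-style as loss event frequency times loss magnitude using three-point (PERT) estimates, and candidate controls are then ranked by return on investment. The scenarios, their figures and the control effects are constructed for illustration, and the PERT mean is a simplification of a full FAIR analysis.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pert:
    """Three-point estimate; mean() uses the PERT weighting (most likely value counts 4x)."""
    low: float
    likely: float
    high: float
    def mean(self) -> float:
        return (self.low + 4 * self.likely + self.high) / 6

@dataclass(frozen=True)
class Scenario:
    """A business risk scenario in FAIR terms: loss event frequency times loss magnitude."""
    name: str
    lef: Pert  # loss events per year
    lm: Pert   # loss per event, in currency units
    def annualised_loss(self) -> float:
        return self.lef.mean() * self.lm.mean()

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    covers: frozenset           # names of the scenarios this control affects
    lef_reduction: float = 0.0  # fraction of loss events prevented
    lm_reduction: float = 0.0   # fraction of per-event loss avoided

def residual_loss(scenario: Scenario, control: Control) -> float:
    if scenario.name not in control.covers:
        return scenario.annualised_loss()
    return scenario.annualised_loss() * (1 - control.lef_reduction) * (1 - control.lm_reduction)

def roi(scenarios, control: Control) -> float:
    """(annual loss avoided - annual cost) / annual cost; 0.0 means the control only pays for itself."""
    avoided = sum(s.annualised_loss() - residual_loss(s, control) for s in scenarios)
    return (avoided - control.annual_cost) / control.annual_cost

def rank_controls(scenarios, controls):
    """Candidates ordered by ROI, highest first: the shared plan both teams can take to the board."""
    return sorted(controls, key=lambda c: roi(scenarios, c), reverse=True)

SCENARIOS = (  # constructed illustrative figures, not taken from the article
    Scenario("marketing email list exposed", Pert(0.2, 0.5, 0.8), Pert(40_000, 100_000, 160_000)),
    Scenario("product design documents stolen", Pert(0.05, 0.1, 0.15), Pert(1_000_000, 3_000_000, 8_000_000)),
)
CONTROLS = (
    Control("DLP on the mailing platform", 40_000, frozenset({SCENARIOS[0].name}), lef_reduction=0.6),
    Control("Encrypt and restrict the engineering share", 100_000, frozenset({SCENARIOS[1].name}), 0.5, 0.4),
)
```

With these figures the mailing-platform control has a negative ROI (it costs more than the loss it avoids) while the engineering share control returns 145%, which is the kind of comparison that lets both teams endorse one plan.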

About the author

Matt Palmer is a recognised cyber security leader specialising in financial services and risk. He has led security and information technology functions across global banking, insurance, private equity and capital markets companies through change and M&A. He is Director of boutique cyber risk advisory firm Cyberclaria, a Commissioner at the Jersey Financial Services Commission, a board advisor to several fintech startups, and founder chairman of the Channel Islands Information Security Forum. Matt has presented at many international cyber security conferences and featured on national TV and radio news as well as in publications such as the Wall St Journal. He was awarded Security Leader of the Year by Information Age Magazine in 2018 and listed in the CSO30 top UK Chief Security Officers of 2020.

Connect with Matt Palmer on Medium, LinkedIn and Twitter.

*** This is a Security Bloggers Network syndicated blog from Stories by Matt Palmer on Medium authored by Matt Palmer. Read the original post at: https://matt-palmer.medium.com/when-privacy-conflicts-with-security-heres-how-to-fix-it-13f65e0c6f42?source=rss-ca0fc895d58b------2