Commentary
11/28/2016
Mark Williams

Time For Security & Privacy To Come Out Of Their Silos

By working separately, these two teams aren't operating as efficiently as they could and are missing huge opportunities.

Security and privacy teams have equally important jobs: each must understand and identify risks to the organization, but each does so through its own lens. Security's job is to protect the confidentiality, integrity, and availability of data. Privacy's job is to place boundaries around information and govern who may transmit, retain, and access it. The differences between the two are subtle but important.

Security is the more business-focused of the two: it identifies the risks the business takes on when data isn't properly secured, and after a breach it's security that quantifies the damage in terms such as cost per record, fines, and the like. Privacy is driven much more by regulation; it focuses on the litigation and liability consequences of a breach and must identify and act on the risks that are specific to the data exposed. In healthcare, for example, there are required minimum standards for reporting information leaks (in the US, the HIPAA Breach Notification Rule), and organizations that fail to meet them can face significant fines.

Managing in a Silo
To address these differences, most organizations manage security and privacy as two separate functions, each with its own staff, leadership, and responsibilities.

In theory, this structure is fine, but what happens when responsibilities overlap? Consider security awareness training, which belongs to security. Should that training teach staff how to report a potential privacy disclosure? If so, part of its content now falls in the privacy department's domain, not security's.

When security and privacy sit in two separate reporting structures, the two organizations may pursue different goals, which leads to problems such as these:

  1. Inefficiencies arise because each program does its own work on the same or similar initiatives.
  2. Opportunities are missed when there is no common repository in which each area records what it is doing and finding.
  3. Opinion shopping occurs as savvy users steer a project to whichever program will give the answer they prefer.
  4. Control gaps open when each program defines its own controls to serve its own goals. A control owned by one program, such as a security control, is never evaluated from the other program's perspective, so a gap that is visible only from that side goes unnoticed.

All of the above increase an organization's liability. Although security and privacy can be very different initiatives, they often have more commonalities than differences, and it's time we started working toward a way to take advantage of them.

Work Together
Organizations can no longer afford to run security and privacy in silos. Managing them as separate programs isn't the best use of the data each collects, and it isn't the best way to keep executive management informed. One way to make better use of resources is to bring the two functions together. Such convergence mostly occurs in companies that run lean and mean, such as startups. While convergence may make sense for some companies, politically it isn't always welcome: whole careers are built on the creation of a privacy officer and a security officer, and asking people to give up control over their area isn't always realistic.

A more acceptable way to break down silos is by sharing common goals and resources. This means sharing people, tools, reporting, and management techniques. As security and privacy departments share more, the gaps in coverage will lessen.

For example, by sharing a risk register tool, there is greater awareness of risks and what each area is doing in response. When information is shared, security can provide its outlook on a risk that privacy spotted, and vice versa.

Cross-training staff, having them work together on projects, or even seconding someone from security or privacy to the other group for a period gives each side a much-needed understanding of its peers' role. At the analyst level, someone from privacy can take an audit or incident-handling course, and security pros can attend privacy courses. The bigger win comes from management courses, such as Security Leadership Essentials, IT Security Strategic Planning, Policy, and Leadership, or the 20 Critical Controls, all of which cross security and privacy boundaries. These courses, offered through SANS, help managers understand how best to use the tools in their arsenal, including people and processes, to improve the overall program they run.

Champions for Change
Realizing the need for change and appointing a champion for it is difficult, but not impossible. In organizations that focus heavily on compliance, a neutral party outside both teams, such as the chief compliance officer, is a good champion for driving cooperation between the security and privacy programs. In other organizations, the chief information security officer and the chief information privacy officer might lead the change together.

Champions aren't limited to upper management; change should also start with junior managers and analysts. For example, when security identifies an issue that has a privacy component, the analyst should reach out to the privacy officer to see whether he or she wants to get involved.

Whether an organization chooses to merge security and privacy into one program or keep them separate doesn’t matter. What matters is breaking down the silos and looking for ways to work together. The more we share, the more we grow.

Mark Williams is an instructor with the SANS Institute and teaches the MGT514 IT Security Strategic Planning, Policy and Leadership and MGT414 CISSP Preparation Courses. He is also the principal systems security officer at BlueCross BlueShield of Tennessee. Mark holds ...
Comments
Lily652 (User Rank: Moderator)
12/11/2016 | 1:10:51 PM
prayer times

Fine post. Thanks, I'll follow the next one. Useful and interesting information.

Joe Stanganelli (User Rank: Ninja)
11/28/2016 | 7:23:28 PM
Data protection
The fundamental issue here is that these two areas -- along with data compliance -- comprise a data-protection business unit that needs to be looked at and operated holistically from an overall cost-benefit analysis and risk-assessment perspective. Better security begets better privacy (fewer breaches = more privacy), and better privacy begets better security (because if you collect and keep less information, that's less information available to be breached).