Operations
11/28/2016 08:00 AM
Mark Williams
Commentary

Time For Security & Privacy To Come Out Of Their Silos

By working separately, these two teams aren't operating as efficiently as they could and are missing huge opportunities.

Security and privacy teams have equally important jobs: to understand and identify any risks to an organization through their respective focuses. It's security's job to deal with the confidentiality, integrity, and availability of data. Privacy places boundaries around information and manages who can transmit, retain, and access it. The differences between the two are subtle but important.

Security is much more business-focused than privacy and includes identifying risks to the business when data isn't properly secured. In the event of a breach, it's up to security to look at the cost per record, fines, etc. Privacy is much more driven by regulations; it focuses on the litigation and liability aspects of what might happen after a breach. Privacy must identify and act on risks that are germane to the exposed data. For example, in the healthcare industry, there are required minimum standards for reporting information leaks. Organizations that don't meet these standards may be subject to significant fines.

Managing in a Silo
To address these differences, most organizations manage security and privacy as two separate functions, each with its own staff, leadership, and responsibilities.

In theory, this structure is fine; however, what happens when there is overlap? Consider, for example, security awareness training, which is the responsibility of security. Should security awareness training include reporting potential privacy disclosures? If so, this is in the domain of the privacy department, not security.

When security and privacy are broken into two reporting structures, the two organizations may have different goals. This can lead to some issues, including these:

  1. Inefficiencies may occur because different things will be done for the same or similar initiatives.
  2. Opportunities are likely to be missed when there is no common repository to share what each area is doing, finding, etc.
  3. Opinion shopping is likely to occur as savvy users look to steer a project to the program that will give it the answer they prefer.
  4. Control gaps can occur when the controls themselves differ because the goals differ. If the two programs aren't looking at the same controls because a control is tied to only one program (a security-related control viewed only from the privacy program, for example), we may miss the opportunity to identify the gap.

All of the above can result in increased liability for an organization. Although security and privacy can be very different initiatives, there are often more commonalities than differences. It's time we start working toward a way to take advantage of these commonalities.

Work Together
Organizations can no longer afford to have security and privacy run in silos. Managing them as separate programs isn't the best use of data, and it isn't the best way for executive management to stay informed. One way to make better use of resources would be to bring security and privacy together. Such convergence mostly occurs in companies that run lean and mean, such as startups. While convergence may make sense for some companies, politically it's not always welcome because whole careers are built on creating a privacy officer and a security officer. Asking people to give up control over their area isn't always realistic.

A more acceptable way to break down silos is by sharing common goals and resources. This means sharing people, tools, reporting, and management techniques. As security and privacy departments share more, the gaps in coverage will lessen.

For example, by sharing a risk register tool, there is greater awareness of risks and what each area is doing in response. When information is shared, security can provide its outlook on a risk that privacy spotted, and vice versa.

Cross-training staff, getting them to work together on various projects, or even having someone from security or privacy join the other group for a particular period can provide much-needed understanding of the role of their peers. At the analyst level, there is an opportunity for someone from privacy to take an audit or incident-handling course, and security pros can attend privacy courses. The bigger win is when we look at management courses, such as a Security Leadership Essentials course, an IT Security Strategic Planning, Policy, and Leadership course, or a 20 Critical Controls course, all of which cross security and privacy boundaries. These types of courses, offered through SANS, help managers understand how best to use the tools in their arsenal, including people and processes, to improve the overall program that they're running.

Champions for Change
Realizing the need for change and appointing a champion for it is difficult, but not impossible. For organizations that focus heavily on compliance, a third-party person such as a chief compliance officer is a good champion for driving cooperation between security and privacy programs. In other organizations, the chief information security officer and chief information privacy officer might lead the change together.

It's important to remember that champions aren't limited to upper-level management. Change should also start at the junior manager and analyst level. For example, if something is identified by security that has a privacy component, the analyst should reach out to the privacy officer to see if he or she wants to get involved.

Whether an organization chooses to merge security and privacy into one program or keep them separate doesn’t matter. What matters is breaking down the silos and looking for ways to work together. The more we share, the more we grow.

Mark Williams is an instructor with the SANS Institute and teaches the MGT514 IT Security Strategic Planning, Policy and Leadership and MGT414 CISSP Preparation Courses. He is also the principal systems security officer at BlueCross BlueShield of Tennessee. Mark holds ...

Comments
Lily652, 12/11/2016 | 1:10:51 PM
prayer times

Fine post. Thanks, I'll follow the next one. Useful and interesting information.

Joe Stanganelli, 11/28/2016 | 7:23:28 PM
Data protection

The fundamental issue here is that these two areas -- along with data compliance -- comprise a data-protection business unit that needs to be looked at and operated holistically from an overall cost-benefit analysis and risk-assessment perspective. Better security begets better privacy (fewer breaches = more privacy), and better privacy begets better security (because if you collect and keep less information, that's less information available to be breached).