Operations
11/28/2016
08:00 AM
Mark Williams
Commentary

Time For Security & Privacy To Come Out Of Their Silos

By working separately, these two teams aren't operating as efficiently as they could and are missing huge opportunities.

Security and privacy teams have equally important jobs: to understand and identify any risks to an organization through their respective focuses. It's security's job to deal with the confidentiality, integrity, and availability of data. Privacy places boundaries around information and manages who can transmit, retain, and access it. The differences between the two are subtle but important.

Security is much more business-focused than privacy and includes identifying risks to the business when data isn't properly secured. In the event of a breach, it's up to security to look at the cost per record, fines, etc. Privacy is much more driven by regulations; it focuses on the litigation and liability aspects of what might happen after a breach. Privacy must identify and act on risks that are germane to the exposed data. For example, in the healthcare industry, there are required minimum standards for reporting information leaks. Organizations that don't meet these standards may be subject to significant fines.

Managing in a Silo
To address these differences, most organizations manage security and privacy as two separate functions, each with its own staff, leadership, and responsibilities.

In theory, this structure is fine; however, what happens when there is overlap? Consider, for example, security awareness training, which is the responsibility of security. Should security awareness training include reporting potential privacy disclosures? If so, this is in the domain of the privacy department, not security.

When security and privacy are broken into two reporting structures, the two organizations may have different goals. This can lead to some issues, including these:

  1. Inefficiencies may occur because different things will be done for the same or similar initiatives.
  2. Opportunities are likely to be missed when there is no common repository to share what each area is doing, finding, etc.
  3. Opinion shopping is likely to occur as savvy users look to steer a project to the program that will give it the answer they prefer.
  4. Control gaps can occur when the two programs define different controls because they pursue different goals. If a control is owned by one program and never reviewed by the other (a security control that the privacy program never looks at, for example), the gap it leaves may go unnoticed.

All of the above can result in increased liability for an organization. Although security and privacy can be very different initiatives, there are often more commonalities than differences. It's time we start working toward a way to take advantage of these commonalities.  

Work Together
Organizations can no longer afford to have security and privacy run in silos. Managing them as separate programs isn't the best use of data, and it isn't the best way for executive management to stay informed. One way to make better use of resources would be to bring security and privacy together. Such convergence mostly occurs in companies that run lean and mean, such as startups. While convergence may make sense for some companies, politically it's not always welcome because whole careers are built on creating a privacy officer and a security officer. Asking people to give up control over their area isn't always realistic.

A more acceptable way to break down silos is by sharing common goals and resources. This means sharing people, tools, reporting, and management techniques. As security and privacy departments share more, the gaps in coverage will lessen.

For example, by sharing a risk register tool, there is greater awareness of risks and what each area is doing in response. When information is shared, security can provide its outlook on a risk that privacy spotted, and vice versa.

Cross-training staff, getting them to work together on various projects, or even having someone from security or privacy join the other group for a particular period can provide much-needed understanding of the role of their peers. At the analyst level, there is an opportunity for someone from privacy to take an audit or incident-handling course, and security pros can attend privacy courses. The bigger win is when we look at management courses, such as a Security Leadership Essentials course or an IT Security Strategic Planning, Policy, and Leadership course or the 20 Critical Controls, which cross security and privacy boundaries. These types of courses, offered through SANS, help managers understand how best to use the tools in their arsenal, including people and processes, to improve the overall program that they're running. 

Champions for Change
Realizing the need for change and appointing a champion for it is difficult, but not impossible. For organizations that focus heavily on compliance, a neutral executive outside both programs, such as the chief compliance officer, is a good champion for driving cooperation between security and privacy. In other organizations, the chief information security officer and chief information privacy officer might lead the change together.

It's important to remember that champions aren't limited to upper-level management. Change should also start at the junior manager and analyst level. For example, if something is identified by security that has a privacy component, the analyst should reach out to the privacy officer to see if he or she wants to get involved.  

Whether an organization chooses to merge security and privacy into one program or keep them separate doesn’t matter. What matters is breaking down the silos and looking for ways to work together. The more we share, the more we grow.

Mark Williams is an instructor with the SANS Institute and teaches the MGT514 IT Security Strategic Planning, Policy and Leadership and MGT414 CISSP Preparation Courses. He is also the principal systems security officer at BlueCross BlueShield of Tennessee. Mark holds ...
Comments
Lily652, User Rank: Moderator, 12/11/2016 | 1:10:51 PM
prayer times

Fine post. Thanks, I'll follow the next one. Useful and interesting information.

Joe Stanganelli, User Rank: Ninja, 11/28/2016 | 7:23:28 PM
Data protection
The fundamental issue here is that these two areas -- along with data compliance -- comprise a data-protection business unit that needs to be looked at and operated holistically from an overall cost-benefit analysis and risk-assessment perspective. Better security begets better privacy (fewer breaches = more privacy), and better privacy begets better security (because if you collect and keep less information, that's less information available to be breached).