Endpoint Security
Guest Blog // Selected Security Content Provided By Intel
What's This?
03:50 PM
Tom Quillin
Tom Quillin
Guest Blogs
Connect Directly
E-Mail vvv

Why Is Privacy Important to Security Practitioners & Professionals?

David Hoffman, director of Intel's security policy and global privacy office, shares his ideas on how organizations can achieve data security, along with privacy protections that enhance business potential.

Too often we think of privacy and security as divergent forces -- pulling our focus in different directions. IT professionals know that privacy is one of the biggest issues surrounding the security of data, but they worry whether they are really doing enough to protect personal information and data belonging to users, customers and employees.

Today I will be interviewing a colleague of mine, David Hoffman, Director of Intel's Security Policy and Global Privacy Office. We will discuss how organizations can achieve robust data security, along with privacy protections that enhance business potential.

Quillin: Why is privacy important to security practitioners, security professionals?

Hoffman: People often see information security and privacy as very separate concerns, though there are large areas of interdependency between them, and there is a need for them to work together and reinforce each other. You can no longer just concern yourself with how you safeguard data using appropriate security measures without considering and respecting the needs of privacy of the individuals with whom that data is related.

Security is about protecting people and assets, either physical or digital. Privacy is a level of respect for an individual's desire to be left alone and/or have the ability to control the data that relates to them, so they are not negatively impacted by the use of that data in some form. In my opinion, organizations that are able to successfully align and connect these concepts in their practical implementation stand a better chance in establishing trust. Trust is what customers are looking for; it's a business enabler.

Quillin: OK, if it's important that privacy and security work together, how can we implement that relationship in practice?

Hoffman: One of the ways we do this at Intel is to use a framework called Privacy by Design, a foundational component used in the development of new products, services, and IT programs. Fundamentally, this means designing in privacy right from the very start, embedding it in, rather than bolting on solutions at the end during validation -- designing in versus bolting on.

Mapping the Privacy by Design framework into the Secure Development Lifecycle process (part of Intel's robust validation and quality procedures) allows us to provide designers with the right privacy information and resources at specific trigger points for each step of the project. This starts a very early education on the privacy needs for our architects and engineers.

Furthermore, we believe that organizations should act as "stewards" for individuals and their data, protecting their reasonable privacy interests, as well as the security of their personal data. The duty of the organization is to act in a transparent, responsible way and be accountable to that individual. We need to take the burden off the individual and help them be more effective in accomplishing better protection of their privacy.

Quillin: What are the bottom-line benefits when an organization builds privacy and security in at the foundational level?

Hoffman: It's the pragmatic and sincere way to build trust and win-win relationships with your customers and partners that will lead to concrete benefits for the business.

As individuals who are social by nature, we have the desire to use innovative products and services that often have little regard for our privacy needs. What's important to know here is that customers really do value their privacy. Research polls tell us that: Better protection is clearly their preference. This presents a real marketplace for competitive solutions that provide advantage using better privacy protection as the differentiator. We are beginning to see the early stages of this.

Not only should privacy protection be built in from the start, it also has to be communicated effectively to all stakeholders throughout the process. Failure to do so may incur financial implications. Take the recent example of inBloom, which was an effort to provide a more complete picture of student progress, so teachers can individualize instruction while saving time, effort, and precious resources. Despite an over $100 million investment from charitable foundations, including Carnegie and Gates, the decision was made to close down this strategic project to help improve education in the US. The fear around student data being sent out of district (for data analytics to help enhance student performance) caused pressure from parents and advocates, resulting in the project's ultimate demise. There is also some additional guidance on how embedding privacy into design can help avoid the potentially enormous costs of a data breach. It's a pay-me-now or pay-me-later equation.

Quillin: From a privacy perspective, what is the biggest concern we are facing today?

Hoffman: Organizations have to focus increasing attention on examining the data security and privacy protections of their supply chain as a whole. What do the third-party supplier contracts really look like: vendors, suppliers, cloud service providers, and other agents? Do we really understand all the data flows required in accomplishing the specified tasks? How are they managed, and how often are policies reviewed and audited? What are the consequences of any failures? The supply chain is only as strong as the weakest link. Many organizations are at only the early stages of looking at these questions, and some have not yet begun. I believe it will demand a lot of investigation and become one of our biggest challenges.

Quillin: What are your top recommendations that security professionals could do today?

Hoffman: Here are three things every organization should consider doing right now:

  1. Evaluate the burden you are putting on your customers when protecting their privacy. How can you help alleviate this? Take greater responsibility and become as transparent as you can. Be accountable for their personal data.
  2. Consider if you are making sufficient investment in your organization: IT security, budgets, processes, people, and technologies. Do you really have the appropriate safeguards in place for the data you are accountable for? What best-practices are you really following? If you need help initiating the conversation in your organization, I would encourage you to take a look at the new Cybersecurity Framework recently published by US NIST.
  3. Ensure that you have a robust process in place to manage your supply chain relationships. You are a steward for your customers' data, wherever it may be located or processed, and you must be accountable for how it is used.

Tom Quillin is the Director of Cyber Security for Technologies and Initiatives at Intel Corp. He is responsible for identifying security risks, as well as contributing to product planning that addresses future security challenges. He also manages Intel's policy positions on ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/26/2014 | 5:29:11 PM
Privacy and Security Complement
Although they are two separate focuses, there is no reason why Privacy can't complement/work together with InfoSec. If security safeguards are followed and properly in place, it will make it easier to maintain privacy regulations. The same is true in the reverse if people understand basic privacy principles it can help when security measures fail. 
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.