Why Is Privacy Important to Security Practitioners & Professionals?David Hoffman, director of Intel's security policy and global privacy office, shares his ideas on how organizations can achieve data security, along with privacy protections that enhance business potential.
Too often we think of privacy and security as divergent forces -- pulling our focus in different directions. IT professionals know that privacy is one of the biggest issues surrounding the security of data, but they worry whether they are really doing enough to protect personal information and data belonging to users, customers and employees.
Today I will be interviewing a colleague of mine, David Hoffman, Director of Intel's Security Policy and Global Privacy Office. We will discuss how organizations can achieve robust data security, along with privacy protections that enhance business potential.
Quillin: Why is privacy important to security practitioners, security professionals?
Hoffman: People often see information security and privacy as very separate concerns, though there are large areas of interdependency between them, and there is a need for them to work together and reinforce each other. You can no longer just concern yourself with how you safeguard data using appropriate security measures without considering and respecting the needs of privacy of the individuals with whom that data is related.
Security is about protecting people and assets, either physical or digital. Privacy is a level of respect for an individual's desire to be left alone and/or have the ability to control the data that relates to them, so they are not negatively impacted by the use of that data in some form. In my opinion, organizations that are able to successfully align and connect these concepts in their practical implementation stand a better chance in establishing trust. Trust is what customers are looking for; it's a business enabler.
Quillin: OK, if it's important that privacy and security work together, how can we implement that relationship in practice?
Hoffman: One of the ways we do this at Intel is to use a framework called Privacy by Design, a foundational component used in the development of new products, services, and IT programs. Fundamentally, this means designing in privacy right from the very start, embedding it in, rather than bolting on solutions at the end during validation -- designing in versus bolting on.
Mapping the Privacy by Design framework into the Secure Development Lifecycle process (part of Intel's robust validation and quality procedures) allows us to provide designers with the right privacy information and resources at specific trigger points for each step of the project. This starts a very early education on the privacy needs for our architects and engineers.
Furthermore, we believe that organizations should act as "stewards" for individuals and their data, protecting their reasonable privacy interests, as well as the security of their personal data. The duty of the organization is to act in a transparent, responsible way and be accountable to that individual. We need to take the burden off the individual and help them be more effective in accomplishing better protection of their privacy.
Quillin: What are the bottom-line benefits when an organization builds privacy and security in at the foundational level?
Hoffman: It's the pragmatic and sincere way to build trust and win-win relationships with your customers and partners that will lead to concrete benefits for the business.
As individuals who are social by nature, we have the desire to use innovative products and services that often have little regard for our privacy needs. What's important to know here is that customers really do value their privacy. Research polls tell us that: Better protection is clearly their preference. This presents a real marketplace for competitive solutions that provide advantage using better privacy protection as the differentiator. We are beginning to see the early stages of this.
Not only should privacy protection be built in from the start, it also has to be communicated effectively to all stakeholders throughout the process. Failure to do so may incur financial implications. Take the recent example of inBloom, which was an effort to provide a more complete picture of student progress, so teachers can individualize instruction while saving time, effort, and precious resources. Despite an over $100 million investment from charitable foundations, including Carnegie and Gates, the decision was made to close down this strategic project to help improve education in the US. The fear around student data being sent out of district (for data analytics to help enhance student performance) caused pressure from parents and advocates, resulting in the project's ultimate demise. There is also some additional guidance on how embedding privacy into design can help avoid the potentially enormous costs of a data breach. It's a pay-me-now or pay-me-later equation.
Quillin: From a privacy perspective, what is the biggest concern we are facing today?
Hoffman: Organizations have to focus increasing attention on examining the data security and privacy protections of their supply chain as a whole. What do the third-party supplier contracts really look like: vendors, suppliers, cloud service providers, and other agents? Do we really understand all the data flows required in accomplishing the specified tasks? How are they managed, and how often are policies reviewed and audited? What are the consequences of any failures? The supply chain is only as strong as the weakest link. Many organizations are at only the early stages of looking at these questions, and some have not yet begun. I believe it will demand a lot of investigation and become one of our biggest challenges.
Quillin: What are your top recommendations that security professionals could do today?
Hoffman: Here are three things every organization should consider doing right now:
Tom is responsible for identifying and addressing Intel product security risks as well as planning products that solve tomorrow's security challenges and also manages Intel's policy positions on security and privacy. View Full Bio
- Evaluate the burden you are putting on your customers when protecting their privacy. How can you help alleviate this? Take greater responsibility and become as transparent as you can. Be accountable for their personal data.
- Consider if you are making sufficient investment in your organization: IT security, budgets, processes, people, and technologies. Do you really have the appropriate safeguards in place for the data you are accountable for? What best-practices are you really following? If you need help initiating the conversation in your organization, I would encourage you to take a look at the new Cybersecurity Framework recently published by US NIST.
- Ensure that you have a robust process in place to manage your supply chain relationships. You are a steward for your customers' data, wherever it may be located or processed, and you must be accountable for how it is used.