The public and private sector approaches to data security are fundamentally different. Politics drive the public sector (it is the government, after all) just as profits steer decision making in the private. These different priorities, understandably, result in different security tactics.
The public sector needs to protect data at all costs, which leads to conservative security policies, while the private sector uses more aggressive policies because its primary aim is to maximize profitability. However, just because the two sectors do security differently doesn't mean they can't learn from each other. Organizations in each sector should be careful not to pigeonhole themselves into one strategy solely based on the guiding philosophies of their larger sectors.
When these motivations are applied in each sector generally to all matters -- not just to data security -- they can quickly become guiding philosophies that structure all decisions, rather than just priorities to keep in mind. Governments try to protect against any negative possibility, and businesses pursue profits at the expense of all else. It can be easy for these leanings to become automatic choices. When that happens, they get applied without nuance or consideration for how those policies will (or won't) serve the intentions behind them.
What each sector can learn from the other's priorities-turned-philosophical-tenet is an exercise in remembering nuance. Keeping differing priorities in mind forces public and private organizations to jolt themselves out of automated routines. Through this exercise, they may find that other strategies -- strategies that might more closely align with the other sector -- better suit their objectives.
For instance, the public sector can re-imagine some of its policies with business practices in mind, thinking beyond the usual, more conservative strategies it employs. Instead of attempting to appease all constituencies all the time, it should attempt to increase efficiency and reduce waste to maximize value -- and maybe end up with more resources for more projects in the process. In terms of technology adoption, this shift may come in the form of initiatives similar to the attempts to consolidate government data centers.
Government agencies would be better served not just thinking of businesses as profit-driven entities. Businesses are also the masters of cost savings. These cost-cutting motivations could be applied to all agencies. For example, reducing waste and increasing efficiency on the HealthCare.gov website saves money (not to mention minimizes constituent ire) for the Department of Health and Human Services. These measures not only improve the experience for users, but they also save the agency time and money. Fewer resources being directed at managing the fallout of a frustrating user experience means those resources can be directed towards other projects such as data security.
For the private sector, this exercise would task companies with imagining what completely foolproof data security would look like without considering costs. Removing the specter of cost might spur new ideas or strategies. Of course, those ideas may not be cost-effective once they're evaluated after the fact, but the exercise does not require that all the ideas be implemented, only that it surface potential ideas that may not have been considered previously.
The premium invested in security pales in comparison to the cost of a breach. The Ponemon Institute calculates that the average cost of a US data breach in 2013 was $5.4M. Not every company will suffer a breach, so probabilities and risks must be factored into the equation, but even then, most businesses are suffering losses due to lapses in security. To get a better sense of this scale, imagining perfect security allows a business to tally up all its losses due to breaches and consider exactly what its security is worth to it. Alternatively, taking time to research additional security measures and tallying their costs for comparison against losses may be a valuable perspective-granting exercise.
Finally, just because an organization falls into a particular sector doesn't mean its policies fit best with the policies of its sector. Not all public sector agencies look alike, just as not all private sector entities look alike, and the line between public and private may not be completely clear. Some public agencies don't handle highly sensitive data and could apply security practices that are more closely associated with profitability. Alternatively, some private sector firms are in fields where data is highly regulated. For these firms, like those in the medical industry, their practices may need to align more closely with public sector protocols.
Data security is an issue every sector contends with, but regardless of sector, the data itself should be at the center of the conversation on security. Instead of just applying cookie-cutter solutions or being bound by the traditional mindsets of their sectors, each firm should consider an expansive, and possibly amalgamated, approach to its policies.