Dark Reading is part of the Informa Tech Division of Informa PLC

Commentary
Alan M. Usas
5/23/2016, 08:15 AM

What Europe Tells Us About The Future Of Data Privacy

Recent initiatives offer new strategies for balancing technology, security, and organizational policy goals. Here are three approaches worth considering.

Recent headlines underscore the complex, symbiotic relationship between security and policy. Apple vs. FBI, Europe's pending new data protection rules, and Facebook's antitrust investigation in Germany are examples from recent news that are having a ripple effect across businesses and governments worldwide.

So what exactly is the relationship between security and policy?

Security policy establishes how an organization will meet its obligations for information confidentiality, integrity, and availability in ways that are consistent with its mission, culture, risk tolerance, and legal and regulatory requirements. The policy describes how the organization will achieve its security objectives in the context of its business practices and environment.

As business becomes increasingly digitized, it's essential to take a strategic approach that embeds security in the network, the architecture, the endpoint, and the applications that converge on them, as well as in the culture and practice of the organization. This approach requires leadership from the board, the C-suite, the information security group, and other business functions.

Security is no longer just about protecting information

Today, it is crucial to safeguard data, IP, and critical infrastructure while building and maintaining reputation and the trust of customers and the public. According to the Center for Strategic and International Studies, cybercrime and espionage cost the world economy an estimated $445 billion annually and pose a significant threat to corporate and national infrastructure, and we are only beginning to find our way. For example, Apple's skirmish with the FBI may be over, but the struggle with law enforcement agencies over data privacy is just beginning. Emerging technology, such as device encryption whose keys the manufacturer never holds, will soon make it impossible for device manufacturers to comply with government requests for access to private information.

How can we expect to protect networks, comply with laws, insure against risk, and respond to crises without locking companies in a straitjacket of onerous and costly cybersecurity regulations? Several initiatives in Europe suggest useful ways of thinking about how policy and technology converge.

The European model

Europe's new data protection rules and its framework for transferring customers' personal data across geographies could be an improvement with global ramifications for both corporations and governments. As a single regulation that applies directly in every EU member state, the General Data Protection Regulation (GDPR) offers companies a harmonized and consistent approach to data protection across Europe. Its provision for substantial financial penalties for non-compliance, including inadequate security and unreported breaches, will provide a powerful incentive to comply. The regulation, due to take effect in 2018, is untested and its potential pitfalls have not been fully examined. No doubt this approach will be closely followed.

In addition, European authorities are concerned about the collection of personal data by companies like Facebook and Google. These authorities have focused on the use and accessibility of data collected by companies large and small, but Facebook's monetization of data has drawn added scrutiny and an antitrust investigation in Germany. This case will spur discussion and careful thought about the balance between data privacy and data use.

How does an organization walk the line and balance data privacy and security with business objectives? An effective approach requires the following key components:

1. A strategic, integrated, and collaborative approach to cybersecurity. Technology and security experts and business leaders must work together to understand and assess the benefits, risks, and implications of technology, legal, and policy developments.

2. Leaders across the organization must commit to building a smart, secure, and resilient organization. Leaders from the board and C-suite to the cybersecurity, technology, and business domains must understand the risks inherent in the business, and what trade-offs are appropriate.

3. A secure, resilient organization must address the risks posed by human behavior. Powerful technology, strong policies, and regulations are essential, but they cannot guarantee security. To prepare for the inevitable, a robust approach to data privacy and security must consider how humans engage at work, how they use tools and data, and how they can be enlisted to help prevent and respond to a breach.

Simply put, there is no perfect cybersecurity. A cyber incident should be considered inevitable. To build a secure, resilient organization, business and government leaders need a strategic approach that incorporates technology, law, and policy, and addresses economic, human, legal, organizational, and socio-political factors. It’s a tall order but one that leaders in cybersecurity are pursuing.

Alan M. Usas is adjunct professor in the Department of Computer Science and program director of the Executive Master in Cybersecurity at Brown University.
Comments
RyanSepe (User Rank: Ninja), 5/23/2016, 8:40:48 AM, replying to "A secure, resilient organization must address the risks posed by human behavior":
From my perspective this risk is paramount. You can promote user awareness and employ RBAC-based strategies but users will always be one of the greatest sources of risk across an enterprise.