Recent headlines underscore the complex, symbiotic relationship between security and policy. Apple vs. FBI, Europe’s pending new data protection rules, Facebook’s antitrust lawsuit in Germany – these are examples from recent news that are having a ripple effect across businesses and governments worldwide.
So what exactly is the relationship between security and policy?
Security policy establishes how an organization will meet its obligations for information confidentiality, integrity, and availability in ways that are consistent with its mission, culture, risk tolerance, and legal and regulatory requirements. The policy describes how the organization will achieve its security objectives in the context of its business practices and environment.
As business becomes increasingly digitized, it’s essential to take a strategic approach that embeds security in the network, architecture, endpoint, and convergence of applications as well as in the culture and practice of the organization. This approach requires leadership from the board, the C-suite, the information security group, and other business functions.
Security is no longer just about protecting information
Today, it is crucial to safeguard data, IP, and critical infrastructure while building and maintaining reputation and the trust of customers and the public. According to the Center for Strategic and International Studies, cybercrime and espionage cost the world economy an estimated $445 billion annually and pose a significant threat to corporate and national infrastructure, and we are still finding our way. For example, Apple’s skirmish with the FBI may be over, but the struggle with law enforcement agencies over data privacy is just beginning. As device encryption keys come to reside only on the device, beyond the manufacturer's reach, it may soon be technically impossible for device manufacturers to comply with government requests for access to private information.
How can we expect to protect networks, comply with laws, insure against risk, and respond to crises without locking companies in a straitjacket of onerous and costly cybersecurity regulations? Several initiatives in Europe provide interesting ways of thinking about how policy and technology converge.
The European model
Europe's new data protection rules and framework for transferring customers' personal data across geographies could be an improvement with global ramifications for both corporations and governments. As a single regulation that applies directly in every member state of the European Union, the General Data Protection Regulation (GDPR) offers companies a harmonized and consistent approach to data protection across Europe. With its provision to impose financial penalties for non-compliance, including inadequate security and failure to report breaches, the GDPR provides a powerful incentive for compliance. This regulation, due to take effect in 2018, is untested and its potential pitfalls have not been fully examined. No doubt this approach will be closely followed.
In addition, European authorities are concerned about the collection of personal data by companies like Facebook and Google. These authorities have focused on the use and accessibility of data collected by companies large and small, but the monetization of data by Facebook has drawn added scrutiny and an antitrust investigation in Germany. This case will spur discussion and careful thought about the balance between data privacy and data use.
How does an organization walk the line and balance data privacy and security with business objectives? An effective approach requires the following key components:
1. A strategic, integrated, and collaborative approach to cybersecurity. Technology and security experts and the business leaders must work together to understand and assess the benefits, risks, and implications of technology, legal, and policy developments.
2. Leaders across the organization must commit to building a smart, secure, and resilient organization. Leaders from the board and C-suite to the cybersecurity, technology, and business domains must understand the risks inherent in the business, and what trade-offs are appropriate.
3. A secure, resilient organization must address the risks posed by human behavior. Powerful technology, strong policies, and regulations are essential but they cannot guarantee security. To prepare for the inevitable, a robust approach to data privacy and security must consider how humans engage at work, how they use tools and data, and how they can be enlisted to help prevent and respond to a breach.
Simply put, there is no perfect cybersecurity. A cyber incident should be considered inevitable. To build a secure, resilient organization, business and government leaders need a strategic approach that incorporates technology, law, and policy, and addresses economic, human, legal, organizational, and socio-political factors. It’s a tall order but one that leaders in cybersecurity are pursuing.
Alan M. Usas is adjunct professor in the Department of Computer Science and program director of the Executive Master in Cybersecurity at Brown University.