Operations

11/28/2016
08:00 AM
Mark Williams
Commentary

Time For Security & Privacy To Come Out Of Their Silos

By working separately, these two teams aren't operating as efficiently as they could and are missing huge opportunities.

Security and privacy teams have equally important jobs: to understand and identify any risks to an organization through their respective focuses. It's security's job to deal with the confidentiality, integrity, and availability of data. Privacy places boundaries around information and manages who can transmit, retain, and access it. The differences between the two are subtle but important.

Security is much more business-focused than privacy and includes identifying risks to the business when data isn't properly secured. In the event of a breach, it's up to security to look at the cost per record, fines, etc. Privacy is much more driven by regulations; it focuses on the litigation and liability aspects of what might happen after a breach. Privacy must identify and act on risks that are germane to the exposed data. For example, in the healthcare industry, there are required minimum standards for reporting information leaks. Organizations that don't meet these standards may be subject to significant fines.

Managing in a Silo
To address these differences, most organizations manage security and privacy as two separate functions, each with its own staff, leadership, and responsibilities.

In theory, this structure is fine; however, what happens when there is overlap? Consider, for example, security awareness training, which is the responsibility of security. Should security awareness training include reporting potential privacy disclosures? If so, this is in the domain of the privacy department, not security.

When security and privacy are broken into two reporting structures, the two organizations may have different goals. This can lead to some issues, including these:

  1. Inefficiencies may occur because each team does its own, different work on the same or similar initiatives.
  2. Opportunities are likely to be missed when there is no common repository to share what each area is doing, finding, etc.
  3. Opinion shopping is likely to occur as savvy users look to steer a project to the program that will give it the answer they prefer.
  4. Control gaps can occur when the controls themselves differ because the two programs have different goals. If a control is reviewed only through one program's lens, for example a security-related control viewed only from the privacy program, we may miss the opportunity to identify the gap.

All of the above can result in increased liability for an organization. Although security and privacy can be very different initiatives, there are often more commonalities than differences. It's time we start working toward a way to take advantage of these commonalities.

Work Together
Organizations can no longer afford to have security and privacy run in silos. Managing them as separate programs isn't the best use of data, and it isn't the best way for executive management to stay informed. One way to make better use of resources would be to bring security and privacy together. Such convergence mostly occurs in companies that run lean and mean, such as startups. While convergence may make sense for some companies, politically it's not always welcome because whole careers are built on creating a privacy officer and a security officer. Asking people to give up control over their area isn't always realistic.

A more acceptable way to break down silos is by sharing common goals and resources. This means sharing people, tools, reporting, and management techniques. As security and privacy departments share more, the gaps in coverage will lessen.

For example, by sharing a risk register tool, there is greater awareness of risks and what each area is doing in response. When information is shared, security can provide its outlook on a risk that privacy spotted, and vice versa.

Cross-training staff, getting them to work together on various projects, or even having someone from security or privacy join the other group for a particular period can provide much-needed understanding of the role of their peers. At the analyst level, there is an opportunity for someone from privacy to take an audit or incident-handling course, and security pros can attend privacy courses. The bigger win is when we look at management courses, such as a Security Leadership Essentials course or an IT Security Strategic Planning, Policy, and Leadership course or the 20 Critical Controls, which cross security and privacy boundaries. These types of courses, offered through SANS, help managers understand how best to use the tools in their arsenal, including people and processes, to improve the overall program that they're running.

Champions for Change
Realizing the need for change and appointing a champion for it is difficult, but not impossible. For organizations that focus heavily on compliance, a third-party person such as a chief compliance officer is a good champion for driving cooperation between security and privacy programs. In other organizations, the chief information security officer and chief information privacy officer might lead the change together.

It's important to remember that champions aren't limited to upper-level management. Change should also start at the junior manager and analyst level. For example, if something is identified by security that has a privacy component, the analyst should reach out to the privacy officer to see if he or she wants to get involved.

Whether an organization chooses to merge security and privacy into one program or keep them separate doesn’t matter. What matters is breaking down the silos and looking for ways to work together. The more we share, the more we grow.

Mark Williams is an instructor with the SANS Institute and teaches the MGT514 IT Security Strategic Planning, Policy and Leadership and MGT414 CISSP Preparation courses. He is also the principal systems security officer at BlueCross BlueShield of Tennessee. Mark holds ...
Comments
Lily652, User Rank: Moderator, 12/11/2016 | 1:10:51 PM
prayer times

Fine post. Thanks, I'll follow the next one. Useful and interesting information.

Joe Stanganelli, User Rank: Ninja, 11/28/2016 | 7:23:28 PM
Data protection

The fundamental issue here is that these two areas -- along with data compliance -- comprise a data-protection business unit that needs to be looked at and operated holistically from an overall cost-benefit analysis and risk-assessment perspective. Better security begets better privacy (fewer breaches = more privacy), and better privacy begets better security (because if you collect and keep less information, that's less information available to be breached).