Security and privacy teams have equally important jobs: to understand and identify risks to an organization, each from its own vantage point. It's security's job to deal with the confidentiality, integrity, and availability of data. Privacy places boundaries around information and manages who can transmit, retain, and access it. The differences between the two are subtle but important.
Security is much more business-focused than privacy and includes identifying risks to the business when data isn't properly secured. In the event of a breach, it's up to security to look at the cost per record, fines, etc. Privacy is much more driven by regulations; it focuses on the litigation and liability aspects of what might happen after a breach. Privacy must identify and act on risks that are germane to the exposed data. For example, in the healthcare industry, there are required minimum standards for reporting information leaks. Organizations that don't meet these standards may be subject to significant fines.
Managing in a Silo
To address these differences, most organizations manage security and privacy as two separate functions, each with its own staff, leadership, and responsibilities.
In theory, this structure is fine; however, what happens when there is overlap? Consider, for example, security awareness training, which is the responsibility of security. Should that training also cover how to report potential privacy disclosures? If so, that topic falls in the domain of the privacy department, not security.
When security and privacy are broken into two reporting structures, the two organizations may have different goals. This can lead to some issues, including these:
- Inefficiencies may occur because the two groups do duplicate or divergent work on the same or similar initiatives.
- Opportunities are likely to be missed when there is no common repository to share what each area is doing, finding, etc.
- Opinion shopping is likely to occur as savvy users look to steer a project to the program that will give it the answer they prefer.
- Control gaps can occur when the two programs, pursuing different goals, end up with different controls. If a control is not examined by both programs because it is not seen as belonging to one of them specifically, such as a security-related control that is never reviewed from the privacy side, we may miss an opportunity to identify the gap.
All of the above can result in increased liability for an organization. Although security and privacy can be very different initiatives, there are often more commonalities than differences. It's time we start working toward a way to take advantage of these commonalities.
Organizations can no longer afford to have security and privacy run in silos. Managing them as separate programs isn't the best use of data, and it isn't the best way for executive management to stay informed. One way to make better use of resources would be to bring security and privacy together. Such convergence mostly occurs in companies that run lean and mean, such as startups. While convergence may make sense for some companies, politically it's not always welcome because whole careers are built on creating a privacy officer and a security officer. Asking people to give up control over their area isn't always realistic.
A more acceptable way to break down silos is by sharing common goals and resources. This means sharing people, tools, reporting, and management techniques. As security and privacy departments share more, the gaps in coverage will lessen.
For example, by sharing a risk register tool, there is greater awareness of risks and what each area is doing in response. When information is shared, security can provide its outlook on a risk that privacy spotted, and vice versa.
Cross-training staff, getting them to work together on various projects, or even having someone from security or privacy join the other group for a particular period can provide much-needed understanding of the role of their peers. At the analyst level, there is an opportunity for someone from privacy to take an audit or incident-handling course, and security pros can attend privacy courses. The bigger win is when we look at management courses, such as a Security Leadership Essentials course or an IT Security Strategic Planning, Policy, and Leadership course or the 20 Critical Controls, which cross security and privacy boundaries. These types of courses, offered through SANS, help managers understand how best to use the tools in their arsenal, including people and processes, to improve the overall program that they're running.
Champions for Change
Realizing the need for change and appointing a champion for it is difficult, but not impossible. For organizations that focus heavily on compliance, a third-party person such as a chief compliance officer is a good champion for driving cooperation between security and privacy programs. In other organizations, the chief information security officer and chief information privacy officer might lead the change together.
It's important to remember that champions aren't limited to upper-level management. Change should also start at the junior manager and analyst level. For example, if something is identified by security that has a privacy component, the analyst should reach out to the privacy officer to see if he or she wants to get involved.
Whether an organization chooses to merge security and privacy into one program or keep them separate doesn’t matter. What matters is breaking down the silos and looking for ways to work together. The more we share, the more we grow.