Privacy versus security: it is a longstanding tension that enterprises have been caught between, made more visible by data privacy measures such as the European Union’s General Data Protection Regulation (GDPR).
But can privacy still be achieved, for consumers, clients, partners and employees, without forsaking strong security controls? That question has also plagued chief information security officers (CISOs), the C-suite and even boards. For some, it has taken GDPR-like mandates to prompt a reexamination of controls, visibility and resiliency. Each of those areas carries its own privacy concerns, and they remain relatively open-ended.
A patchwork of data privacy regulations has drawn attention to the topic in recent years. For many, privacy and security are intertwined; for those with a poor security posture, the opposite is true.
Commenting on the fundamental relationship between the two, IT security senior program manager Jamal Hartenstein told the Cyber Security Hub: “The divergence between privacy and security will continue even though cyber remains so dynamic because legislators and regulators already have a hold on privacy… It is cyber security that remains nascent because technology can’t keep up with hackers and laws can’t keep up with technology.”
Hartenstein cited the separate functions of privacy officers and IT security roles (a division largely still in effect). He said the former concern themselves with data classification and compliance, while CISOs monitor data flows and technology, and “protect the enclave.”
Altogether, the senior program manager called for “cohesion” between the two, “at least until laws that regulate both move from patchwork to unified governance.”
Similarly, Enterprise Strategy Group (ESG) analyst Jack Poller told the Cyber Security Hub: “The challenge (here) is that many people view security and privacy as opposite ends of a spectrum – maximizing privacy hinders security, and maximizing security necessarily violates privacy.”
Poller explained, however, that the understanding comes from nation-state security. “That privacy and security conflict with each other does not translate directly to the enterprise,” he said. “Unlike nation-states, most organizations can secure their data without needing private information about their employees or customers.”
Can It Be Documented?
The next hurdle in this discussion, though, is identification. How can an enterprise, agency or data collector delineate a person’s right to privacy while still administering requisite controls?
Hartenstein said, in short, that it is difficult because of the aforementioned “patchwork” of laws, which vary between the states and the federal level.
He said that to better enforce security all around, an enterprise must first identify its compliance exposure and its risk exposure: the former is its exposure to regulations, the latter is the set of threat vectors it faces, monitored and assessed under guiding frameworks.
Poller pointed to the fundamental cyber security principle of “least privilege.”
“This principle should be extended to data collection – the organization should only collect that information that the organization needs to provide products or services,” he said.
Security vs. Obscurity
In building this awareness, Poller said that security teams must understand that “there is no security through obscurity.”
That means enterprises must be open and up-front about their policies: documenting what information is collected, why it is collected, how the data is stored and how an employee or user can have it removed or deleted upon request.
These internal policies must be recorded, accessible and circulated so that they are understood and accepted, and they should guide anyone responsible for collecting and storing data.
Writing’s on the Wall
In a recent piece for CNN, Robert Herjavec, founder and CEO of the Herjavec Group, a cyber security services organization, said the “writing is on the wall” for additional data regulation in the U.S., and thus for more awareness around data collection and privacy concerns.
Herjavec wrote, “Facebook’s Cambridge Analytica controversy is forcing politicians on both sides of the Atlantic to take a hard look at data security laws.”
He then cited the importance, and scope, of GDPR. Because of it, Herjavec believes “the message is clear: Give the consumer control over their data and be transparent about any events that put the data in danger.”
The “Shark Tank” investor also said that the concern goes beyond the CISO. He wrote that as a CEO, “These regulations have my attention.”
Privacy by Default
He then outlined steps businesses can take to get ahead of the regulatory curve. These suggestions apply equally to the privacy question and to how an organization puts privacy into practice.
He suggested enterprises assess compliance efforts, engage consulting services or third-party vendors where necessary, use an action plan to address gaps, review the security framework strategy and push for regular assessments and reporting.
He also suggested enterprises understand the encryption tools they rely on, seek 24/7 visibility and anomalous behavior detection, and strive for “continuous improvement.”
Adhering to these tips both boosts security posture and shows an organization’s willingness to be open about its controls and about its methods for gathering and managing data.
As in many areas of enterprise security, the notion of “continuous improvement” is useful here: it suggests that while security and privacy may sit at different points on a spectrum, cohesion between them is possible, and so is a fundamental right to privacy.