Creating Risk-Aware Culture through Privacy by Design
Professionals working in privacy or security find their domains coming closer and closer together. Industry associations and their respective conferences – once focused solely on their own interests (for example, RSA for Security and IAPP for Privacy) – are now thoroughly interdisciplinary. The upcoming Privacy. Security. Risk. (PSR) 2015 conference, jointly run by IAPP and CSA Congress, is just the most recent example of the ways that security and privacy interests have aligned behind an increasingly unified approach to information protection.
Surely one of the drivers of this convergence is the Privacy by Design movement, which started in the 1990s and has since taken root in both the privacy and security communities. Privacy by Design is identified as a distinct school of thought with clear organizing principles (see here), while parallel “security by design” variants have evolved for designing security into applications. By 2013, Ann Cavoukian, founder of Privacy by Design, could claim with real authority that “the paradigms of privacy and security are converging…It is becoming widely recognized that privacy and security must both be embedded, by default, into the architecture, design and construction of information processes” (see here).
What I’d like to suggest, however, is that this convergence needs to go even further. While there is emerging consensus that both privacy and security should be “designed in” to new products, technologies and services, we won’t truly mitigate the risks until we weave privacy and security concerns together into the very fabric of our organizational cultures. It’s time for design thinking to break out of the privacy office and out of software engineering and into the culture at large. If we apply the “By Design” methodology into the ways that we educate and communicate to all employees about security and privacy issues, we can start to create the risk-aware cultures required by the modern information economy.
It Starts at the Top
Perhaps the single biggest thing we can do to make security and privacy protections an integral part of corporate culture is to build them into the core mission and values of the organization from the start. Too often, when I see companies communicating to their employees about information protection, they do so as if protecting information were an added obligation, something you did after you had accomplished the key work of the organization. In some cases security and privacy considerations are depicted as penalties imposed on the organization by regulators or “outside pressures;” other times, application developers use “business demands” to crowd security and privacy requirements out of the conversation. Even when there is no explicit negative tone accompanying such communication, there is often an implicit dismissal or undervaluing of the concerns of privacy and security professionals. Whether explicit or implicit, this devaluing of privacy and security is ultimately driven from the top in most organizations – meaning that business leaders themselves will often tend to view privacy and security protections as a tax or a drag on growth, rather than as a driver of business value.
So, how do you start? It may seem too simple, but the right place to start is the Code of Conduct (or Mission Statement, or whatever core statement of values is used as the source of guidance for the company). There’s no better example of how such a document can help guide a company than Microsoft,* where “Managing & Protecting Information” is one of the key pillars in its Standards of Business Conduct and where one of the Core Values (“Passion”) includes the promise that “We strive to meet customer and partner expectations of quality, security, privacy, reliability and business integrity.” One could find any number of corporate codes that include such aspirational language, of course. The difference comes in how that language and those beliefs are operationalized into practice, and here again Microsoft provides a solid example. Not only is its Standards of Business Conduct training program – required of all employees – consistently a benchmark for quality corporate education, but it is also well regarded by employees, and, in my experience, very frequently referred to as a reference point to guide behavior. In short, it means something to employees and it guides their actions. Historically, the emphasis on such values has also flowed down into organization structures that place value on privacy and security; for evidence, look no further than the Trustworthy Computing Group, founded in the wake of a famous 2002 letter from Bill Gates and continuing today (albeit in different form) under CEO Satya Nadella. Whether TWC remains as a distinct group or not, the emphasis that it has placed on security and privacy has been felt both inside and outside the company. (Patch Tuesday got its start from this group.)
Values such as these need not be enshrined in a corporate code to be effective, however, as long as they are championed visibly and consistently by management. Charles Duhigg, in his 2012 book The Power of Habit, recalls the story of Alcoa CEO Paul O’Neill, who used a single-minded emphasis on workplace safety to inspire Alcoa employees, guide corporate decision making and ultimately lead the company to a dramatic and very profitable recovery. The lesson for security and privacy professionals should be that even unglamorous values like “protecting information” can be made essential to corporate functioning if they are championed by executives, embedded in operating procedures, measured regularly, aligned to core business goals, and above all communicated consistently to all employees as essential to the mission of the organization, as they were with Alcoa. There’s a lot more to this story; for more information, see “Zero information loss: A keystone habit to drive business success?”
My key assertion is that enshrining security and privacy-related objectives into corporate values from the start, and operationalizing these values as part of the core functioning of the business (and not just within the domain of the lawyers and the software engineers), helps make them proactive parts of the corporate culture, embedded into the design of the organization and accepted as the default modes of operation for all employees. (The terms “proactive,” “embedded into design” and “default” come straight from the 7 Foundational Principles of Privacy by Design.)
End-to-End Emphasis on Privacy and Security
I just wrote rather breezily about “operationalizing” the values of privacy and security, as if that were an easy task! It’s not, as those of you who have tried to increase the emphasis on these topics in any organization, let alone a large, globally dispersed organization, know all too well. Getting the word out to all employees about the role they play in ensuring privacy and security, and doing it in a positive, encouraging way, is one of the most difficult tasks faced by both privacy and security professionals. But it can be designed in from the start.
A successful approach begins with the attitude taken by security and privacy pros. Too often, I hear those charged with security and privacy education complain that their jobs would be easier if employees would just stop doing ill-advised things (like misclassifying information or clicking on phishing e-mails) or if they didn’t have to comply with pressures from sales and marketing. We can probably all sympathize with such complaints – after all, these mistakes and this pressure make our jobs vastly more complicated. But the truth is, employees won’t become active champions of information protection if they are treated like stupid children, and the pressure for innovation won’t relent.
The onus is on us, then, to overcome these obstacles and take a positive-sum approach to making security- and privacy-based thinking a vital part of the organizational culture. That means finding ways to engage employees and management in understanding that privacy and security are vitally important, and can be fascinating and, yes, maybe even kind of fun. I’ve seen this done firsthand at Western Union,* where those in charge of both privacy and security programs have posed the essential dilemmas of their field as puzzles that employees have a vital role in solving. Using engaging onboarding sessions, interactive online training and a consistently positive and respectful tone toward their employees, they have invited employees and contractors of all sorts to actively engage in applying their knowledge to real business problems that involve security and privacy. (I should note that a positive-sum approach is not the same thing as emphasizing the positive, of course. No program can avoid communicating the negatives associated with being under attack from those who want to steal information, after all! But when it comes to employee education and communication, my experience with hundreds of companies who do this kind of work convinces me that emphasizing the positive actions and outcomes associated with information protection, and even conveying the thrill of rallying together to fight opponents, is preferable to a program that emphasizes sanctions and admonitions.)
Another critical component of building a risk-aware culture is integrating messages about information protection into the full lifecycle of the business. Too often, I’ve seen companies act as if merely offering annual training on privacy and security is going to bring about the change they desire. I don’t care how fun or powerful the executive video at the beginning of your training is: training is not enough. Those companies I’ve seen really succeed at building information protection into their cultures have done so with highly visible and regular communications and activities that focus on key risks. These can take the form of fun videos sent out at regular intervals, posters on breakroom walls, or positive messages that pervade the communications received from the C-suite on down through management. But they can also take the form of public, non-punitive simulated phishing campaigns that illustrate how hard it is to detect phishing, or very visible communication around the benefits of reporting potential privacy incidents before they lead to data breaches. Raising the visibility and transparency of your efforts to promote information protection is critical to the ultimate creation of culture within your organization.
A Risk-Aware Culture by Design
Embedding Privacy By Design-like principles into a small, focused team is itself a complicated and time-consuming job, so I don’t mean to suggest that using these same principles to foster risk-aware behavior in an entire employee population will happen overnight. It will take time. But making security and privacy central to business operations is one of the critical jobs facing professionals in this space today – and design thinking offers a great opportunity to create risk-aware cultures that can stand up to the pressures of an increasingly turbulent world.