The world has experienced a data explosion in recent years. In 2020 alone, 64.2 zettabytes of data were created or replicated, according to IDC. This is roughly equivalent to 500,000 times the amount of information in all the academic libraries in the United States. More importantly, much of the data created today relates to individuals, and that data is becoming more personal.
A decade ago, when a company collected personal information from you, you wittingly took a clear action to provide it to them – whether it was uploading a photo or filling out a form with basic information such as your phone number, mailing address or password. Now, companies obtain much more sensitive personal information –often without the average individual knowing, since it is created instead of collected.
This new personal information includes entertainment and shopping preferences, health status, sexual orientation, and political affiliation. These types of personal insights can be inferred and created by companies using advanced analytics against the digital crumbs left behind by unrelated online activity. With the advent of smart devices and unique biometric signatures, one now provides companies personal information just by how one walks around their own house, and even the breathing patterns and other motions that one makes in their own bed, whether asleep or awake. This enables individuals to be identified and tracked and creates a detailed record of their life that is stored by third parties likely unknown to the individual. Moreover, when combined with modern algorithms, the data can predict what individuals may do in the future, resulting in the third parties understanding individuals, and their collective behavior, better than people understand themselves.
While I don’t think I’ve ever met someone who has read a company’s privacy statement top to bottom and used it to inform their decision to do business (or not do business) with that company, I can say that individuals are increasingly aware of the trend toward creating versus collecting personal information. As a result, consumers are raising their standards when it comes to data privacy. PwC recently reported that 84% of consumers will take their business elsewhere if they don't trust how a company is handling their data. For companies to maintain customer trust, it is essential that they effectively protect the personal information they manage. They must also thoughtfully consider what personal information their business model and products should collect, create, or share with others in the first place.
Privacy and security become further inextricably linked as consumers’ expectations rise. With this understanding, how should businesses organize to fulfill the privacy and security promises that today’s customers expect? I believe that a converged operational model is the most effective and efficient approach for the majority of organizations to achieve these outcomes. After all, security and privacy programs have the common goal of protecting personal information, and best practices amongst each program to accomplish this are very similar and present opportunities for significant leverage.
The security and privacy Venn diagram
Traditional privacy and cybersecurity functions can be thought of as part of a Venn diagram. Certain privacy-protecting practices exist at the privacy-only edge of the diagram, such as having a legal basis for collecting personal data; sharing data practices in a transparent way; being fair in the use of the personal data; and respecting an individual’s right to access or delete their personal data. At the other edge, cybersecurity-only activities focus on many goals unrelated to personal information or privacy, such as protecting an organization’s valuable data that is not personally identifiable (for example, think product designs, strategy documents, corporate financials); and ensuring the availability of systems upon which critical organizational processes depend. However, in the center, there are a significant number of areas where security and privacy perform the same or similar functions with related goals, and often interact with the same stakeholders.
The center of the Venn diagram
Since the magic is in the middle of the Venn diagram I described, businesses should push to capitalize on the synergies between the privacy and security teams and consider converging the teams’ operations. Beyond their key functions, both teams have incredibly similar requirements and activities but are often pursuing them in a disparate manner. A converged privacy and security program has the potential to deliver positive returns to:
- Reduce the likelihood of litigation and regulatory fines
- More effectively and efficiently interface with internal stakeholders that the programs need to govern or influence to implement controls and achieve program objectives
- Speak clearly and concisely to customers with a unified voice on topics that most customers view as interdependent
- Unify and balance risk prioritization for privacy and security
- Save money by reducing duplicative manual processes
- Reduce operational drag by limiting delays in business decision making, as security and privacy teams often slow or gate launches of critical business initiatives
Let’s explore some of the specific areas where these benefits can be realized…
- Data governance
The first area of likely synergy is data governance, which is at the core of both programs. Processes and technologies are used to govern the creation, identification, classification, inventory, protection and deletion of data.
When privacy and security teams operate separately, both try to pursue governance activities in this space, often hitting organization data owners with duplicative or contradictory requirements and data calls. By creating a single information risk governance team to fulfill the requirements of both programs, you not only save money, but you also provide a more efficient and understandable interface. This supports the data owners across the organization that must interpret and adhere to the rules and implement related tools. Further, you can more easily leverage the strengths of each program to make a greater impact.
As a simple example, data deletion controls are a core focus and maturity pillar of most privacy programs yet are often overlooked by security teams despite strategic data deletion being one of the cheapest and most effective strategies for reducing information security risk.
Additionally, information inventory is one the toughest challenges for many organizations yet is critical to the success of each program. When separate, programs risk bifurcated strategies and implementation efforts, confusing stakeholders and wasting resources.
- Risk management
Most organizations today have requirements to assess and manage risk associated with new business and technology activities. For privacy and security teams, this typically means establishing risk assessment processes (often called “security reviews” or “privacy impact assessments”) that stakeholders must follow before executing their projects. A single risk assessment team can fulfill the requirements of both programs, avoiding duplicative processes that demand the time and attention stakeholders and present a single process that gathers the necessary information about a new business pursuit or technology. After assessing compliance and risks, you can present a single set of requirements and recommendations to enable a business activity to take place in a risk-managed manner, resulting in a more timely and cost efficient execution.
- Training and awareness
As with any strategic risk area that a company manages, both security and privacy efforts often require training for employees and other key stakeholders as well as awareness of the programs. Converged training and communications efforts can ensure employees and external strategic partners (including contractors, suppliers and resellers.) are aware of and adhere to important standards. A unified team can be prioritize, integrate and tailor solutions to ensure that precious stakeholder time is used to consume the most relevant information while being better understood with consistent terminology.
- Customer and regulator engagement
With most industries today digitally transforming, the security and privacy posture of companies and their products is becoming an increasing focus of customers. While privacy has more to do with transparency and the lawful basis behind the purpose, fairness and accuracy of personal data processing, security focuses on the technical implementation of securing data. But to customers and regulators, they are usually seen as different sides of the same coin. With so many synergies, customers and other external stakeholders often seek the same accountability assurances across security and privacy programs and expect to have a single conversation with companies about these issues.
Companies that have a strong privacy program but are unable to back it up with an equally compelling security position risk their credibility. Likewise, those with a strong security standing that don’t present a confident and prioritized approach to privacy are decreasing in relevance.
Only with a strong and unified position on their approach are companies best positioned to earn and maintain trust of their employees, customers, shareholders and regulators) – which can be a competitive advantage. And the best way to deliver joint strategy, planning and operations is to converge these functions.
- Product and application development
As discussed, most companies are digitizing their products by adding software capabilities and features that create or collect extensive information, much of this is personal. Even companies who aren’t digitizing their products still have corporate application development teams building mobile apps, data warehouses, websites and other tools that the organization relies on to operate. A standard practice for security programs has been to develop a Secure Development Lifecycle requirement. This tells developers the conditions for developing secure code as well as ensuring products and applications are free of vulnerabilities and other common security flaws. Privacy teams historically have levied similar requirements on the same teams, often focusing on compliance with certain privacy principles such as purpose specification, individual participation, and use and collection limitation. By converging the teams companies can produce a single set of requirements and a consistent experience for developers to ensure products and applications are developed in a trusted manner.
How to organize – lawyers or operators? Both!
Earlier I described the privacy and cybersecurity Venn diagram and the significant synergies that can be found in the center. However, in practice, it has been my observation that organizations often create two different organizations, and rarely do their processes integrate and work together as they should. Instead of a Venn diagram, you find two circles operating near each other around the same organizations, often rolling over the same stakeholders, but not operating in any optimized way.
Traditionally, privacy has been treated largely as a legal compliance function, focusing on interpreting evolving laws and regulations, and setting and updating internal policies to ensure compliance with those laws. Accordingly, privacy teams are often located in the legal department or corporate compliance functions and run by lawyers. There are two significant downsides to this approach. First, it is inherently reactive, as the laws frequently lag customer demand by many years. In a world where privacy influences customer loyalty and trust, companies are well-served to hear their customers on a real-time basis – and ideally anticipate customers’ expectations based on emerging trends. Second, policies must be implemented, which can be difficult to embed or enforce without technology operations acumen and experience, which is often lacking within legal departments.
I would argue that privacy functions should learn from the history of security. Security programs have been mostly compliance-oriented as laws evolved decades ago, requiring organizations to perform basic security practices. Early security programs were shaped and driven largely by a compliance mindset. Teams performed the bare minimum functions, often via policy writing and loose implementation to adhere to laws and regulations. As years passed, organizations realized it was in their best interest to go beyond legal mandates to adequately manage non-compliance areas of business risk, such as reputation and operations. Eventually, many companies recognized the importance of a strong security posture to gain customer trust, which has become a differentiating element of a competitive business strategy. Today, in large part, privacy is operating as a compliance program like security used to. But by learning from security’s operational maturity model and converging practices, privacy has the potential to accelerate its evolution into a strategic function that enables greater business outcomes.
Before pulling your privacy program out from your legal department, however, I would highlight that the legal and regulatory compliance component of these programs is foundational and requires deep legal expertise to navigate well. In fact, many security programs have strayed too far from this foundation, with modern teams sitting inside IT organizations and focused entirely on operations. Not assigning lawyers to these teams is an imprudent move when much of the cost of a cyber incident is often still tied to regulatory fines and litigation expenses. To make the most impact, these programs must be united, bringing together a mix of lawyers leading legal processes as well as operational and technical personnel to lead governance and implementation. At Dell Technologies, the Chief Privacy Officer is a lawyer who reports into the General Counsel’s office but also serves as a member of my direct staff. And each of my security programs have lawyers embedded in their teams, bringing the best of both worlds together in a converged manner.
With the explosion of highly sensitive personal data intensifying, the cyber threat landscape growing by the day and regulatory fines increasing exponentially, there is an urgent need for companies to ensure that their privacy and security teams are performing strongly and organized for maximum effectiveness. Having programs operate separately from one another is a recipe for inefficiencies or, worse, gaps, in an environment in which threat actors find success by identifying and exploiting the seams of organizational processes.
Beyond being a critical risk management function for companies globally, security and privacy are increasingly commercially relevant and serve as areas of market differentiation across many industries. Organizations which choose to prioritize and converge their security and privacy programs today will be placing themselves in an advantaged position to compete into the future.
- This article is part of a three-article series:
- Read Part 1 here: https://www.securitymagazine.com/articles/94939-when-security-and-resiliency-converge-a-csos-perspective-on-how-security-organizations-can-thrive
- Read Part 2 here: https://www.securitymagazine.com/articles/95344-when-product-security-and-cybersecurity-converge-a-csos-perspective-on-how-security-organizations-can-thrive