#RSAC: Information Security’s Future Depends on a Better Understanding of Privacy

Reconciling the often disparate concerns of privacy and security is one of the persistent issues in this young industry. And it is a debate that is rapidly evolving – with some key implications for security professionals, J. Trevor Hughes and Jeff Northrop told Infosecurity at RSA Conference 2015.

CEO and CTO, respectively, of the International Association of Privacy Professionals, the pair are offering their projections at RSA on how the interaction between security and privacy professionals is set to develop, given the increasing burden of privacy on organizations.

“Privacy is very closely related to security,” explains Hughes. “Information security requires massive amounts of data at times to understand threats. Privacy needs to articulate uses and understand potential misuses of data, and that can run counter to information security’s interests.”

One of the problems, Northrop adds, is that the scale of data being collected by organizations, and the diverse purposes this data serves, makes assessing the problem with due concern for privacy a complicated task.

“It’s security’s obligation to know where data is,” he says. “But it is so prolific, they don’t even know where the structured data is – and the unstructured data is all over the place, in Excel sheets and emails. Keeping track of it and protecting it becomes a huge issue.”

Mature organizations with privacy officers are able to assist security departments in managing these concerns, but if an organization doesn’t have that maturity, it is incumbent on information security pros to take on those responsibilities, Northrop adds.

The problem, Hughes contends, is that security and privacy professionals – or, if you prefer, technologists and lawyers/policy-makers – effectively talk a different language.

“There’s not a lot of fluency between the two fields. It’s quite unique to be able to speak both languages with some degree of facility. For information privacy pros, when they say ‘reasonable’ or ‘appropriate’ that doesn’t code very well for information security professionals.”

This inherently creates a lot of tension, Hughes adds: “When an information security professional asks a question about risk, and a privacy professional says ‘it depends’, that is a tremendously frustrating answer for the security pro.”

To combat this language barrier, Northrop suggests that there is a rising need at enterprise level for subject matter experts in both fields who can communicate efficiently down the food chain. Expecting security pros who are already juggling lots of tasks to suddenly become privacy experts is unrealistic. Nonetheless, it is an inescapable reality that the job description is getting more complex.

“The need to be more sophisticated in a broader set of domains is increasing,” says Northrop. “But it’s good for a security professional’s career. I always argue that you can really help your organization by becoming fluent in [privacy] issues.”

Up until now many organizations have adopted a tickbox, just-about-compliant approach when it comes to privacy. This mode of thinking, Hughes contends, is flawed, given that the law is increasingly “insufficient” to meet the privacy concerns that the marketplace now raises. Subtle differences in context so often determine what is and isn’t appropriate.

“Privacy needs to go beyond compliance and address other concerns, like ethical concerns, expectation of customers and even ideas of what’s creepy or not creepy – and it might sound odd to say that. But some argue that that idea actually should be a legal standard.”

The example Hughes offers is Uber’s controversial ‘God View’ capability: “There’s no law that said that ‘God View’ was a bad thing – it’s not outside compliance or illegal under any law but that doesn’t mean that it was not an absolutely stupid idea.”

Given the technological capabilities that now exist for data collection, analysis and profiling – and with the growing internet of things market – it seems this is a problem that is going to get worse before it gets better. Hughes accepts that there is a long way to go before an effective privacy/security harmony can be defined, but he believes that there are positive steps being made.

“More and more organizations recognize that they can’t just check some boxes around legal compliance. More and more organizations recognize that it’s not just about one person, the CPO or data protection officer; it’s actually an enterprise-wide concern. In a digital economy anyone who makes decisions about data will need to have a broad awareness of privacy.”

The “self-inflicted injuries” we see in the marketplace will decrease over time, Hughes believes, as organizations recognize the mandate that they have to raise the profile of privacy internally.

But as well as being a human issue, technology has a role to play, Northrop adds: “Inculcating an awareness of privacy throughout an organization, because so many people have access to sensitive data, is critical. But we also need tools that help with data management, that supply that audit trail in a rich way so that we can know how it was collected and which permissions are tied to it and the purposes it’s intended for.”

It’s a delicate balance that is more complex than ever – and the proper integration of privacy, Hughes summarizes, is fundamental to security’s success in the future.

“Information security will not survive without a better understanding of privacy. Organizations that do not have a better understanding of privacy will find that they are just stumbling over themselves in the marketplace.”

The IAPP is a not-for-profit professional association founded in 2000. It has 22,000 members in over 80 countries, runs conferences, and offers a suite of credentials for certification and training. Information on Hughes and Northrop’s speaking sessions at RSA 2015 can be found here and here.