Organizations struggle with information security, but privacy issues often bring a higher sense of urgency. One need look no further than the mad scramble for GDPR compliance over the past year and a half or so as proof. There is no single cause for the struggle, but there are many common causes I’ve noticed, including different drivers for security, separation of information security and privacy into separate initiatives, and a general misunderstanding of what the two disciplines actually are. The struggle stems from confusion, and confusion stems from complexity. Complexity has always been the enemy.
I believe the way we approach information security and privacy comes from the motivations that drive us to care about them. We seem to care about privacy more because of the value we place on it. We love our privacy. The value has encouraged many leaders to create a whole slew of laws and regulations, including medical and data-based regulations. GDPR is only one such regulation, but in the United States, we have many state and federal ones to deal with (Compilation of State & Federal Privacy Laws by Robert Ellis Smith cites over 800). I would argue that if organizations valued our privacy and personal information as much as we do, we wouldn’t need so many laws and regulations.
These laws and regulations have made privacy a legal issue, and the No. 1 driver I’ve seen for companies spending money on privacy is compliance. There’s a real fear of being found noncompliant and suffering the consequences that come with it.
The No. 1 driver among the hundreds of executives I’ve spoken to over the years for spending money on information security is also compliance — followed closely by reputation and protection from civil liability. In the security industry, we’ve probably all heard, “Keep us out of the news,” and “Keep us out of court,” from our clients. Compliance is a driver for information security, too — but in my experience, not to the extent that it is with privacy.
What emerged from this landscape were two separate disciplines with two slightly different drivers. The farther we march down this path, the more confusing and inefficient things become. Arguably, the best example of separation and confusion is found in the health care industry. Information security and privacy weren’t considered formally by the health care industry until 1996, when the Health Insurance Portability and Accountability Act (HIPAA) came into existence. There were essentially two parts to HIPAA: the Privacy Rule and the Security Rule.
I saw a mad scramble for compliance with the Privacy Rule almost immediately, and patients soon received a ream of various legal forms and disclosures every time they visited the doctor. I didn’t see the Security Rule enforced the same way, if at all, until the mid-2000s. If compliance is the driver, it’s only natural to focus on the parts of the law or regulation that will be enforced. For those who took security seriously at the time, there wasn’t much guidance, so practitioners often leveraged frameworks and standards instead.
Privacy became defined by law and regulation. Information security became defined by frameworks and standards. The fact that we often comply with the letter of the law rather than the intent of the law can compound our problems with this approach. The intent is what may be enforced, but we won’t always be certain of the intent until enforcement occurs. Privacy becomes a catch-22. Security, on the other hand, becomes a process mapped to one or more standards and becomes rigid. Neither of these approaches is necessarily good for business.
Because privacy largely became a legal issue and information security became an IT issue, there are separate teams working on them. Legal teams interpret the laws, stay abreast of new developments and advise organizations on how to stay out of trouble. Information security largely became the CIO’s problem. Standards are chosen and budgets are allocated to favor technical solutions while often neglecting one of the greatest risks: people. Legal or privacy experts do their thing, and the CIOs do theirs.
1. What makes a privacy expert an expert? Is it mastery of the privacy laws, or is it mastery of privacy itself? This isn’t a trick question. What makes a privacy expert an expert is the mastery of privacy, not the law. Obviously, understanding the law is very important, but if we understood privacy better, we’d likely already be compliant with the law.
2. What makes an information security expert an expert? Is it mastery of security frameworks and standards, or is it the mastery of security itself? I believe the latter of the two is the correct answer.
If mastery of information security and privacy is the goal, we’d better define what they are.
Our basic definition of information security is just that: It’s basic. This definition, which I’ve written about before, is as follows:
Information security is managing risk to information confidentiality, integrity and availability using administrative, physical and technical controls.
Based on this definition, information security is not an IT issue. This definition isn’t novel, but it is fundamental. The problem to me isn’t that we don’t know the definition of information security; it’s that we don’t apply it well.
Now, what’s the definition of privacy?
Privacy is managing risk to the confidentiality of personally identifiable information using administrative, physical and technical controls.
So, the definition of privacy is actually a subset of our definition of information security. It’s more focused. The focus is confidentiality, and the application is to a specific type of information: personally identifiable information.
According to our definitions, privacy and information security cannot be separated. The two disciplines are unified. The unified approach can create simplicity, improve effectiveness and ensure compliance. The letter of the law is one thing, but the intent in many cases is to manage risk well. There are always a few nuances here and there, but the theory is that if we manage risk well according to our definitions, we will be compliant — or very close to compliant.
Stop the struggle and mad scramble every time there’s a new law or regulation. It’s harder to run a business this way. Instead, master the craft, which means learning how to apply the basics found in our definitions — not just knowing them.