Written by Aaron Pritz
The average employee not working in an IS/Privacy role may hear the terms “Privacy” and “Security” and may think they are two similar capabilities with shared benefits.
Those who have worked within an organization may also believe that they should have an 80% mutual goal: to protect information. However, many organizations find that these are both fields with moving target expectations and much uncertainty. The practitioner often finds misalignment in goals that can cause dangerous and sometimes passionate conflict.
You can find numerous definitions of privacy and security in many reputable resources. In simple terms, I would define the two as:
Privacy: Making sure personally identifiable information is collected, used, and shared with necessity and purpose and only accessible via the appropriate people.
Security: Ensuring information is secure only to those needing access, available when needed, and free of any unauthorized manipulation.
So inevitably, the common thread of aligned goals is ensuring the right people have access, a term known in the industry as “least privilege” – which simply should mean that the least number of people have access which require it to do their jobs.
So – if protecting information is a common united goal, why are information security, privacy leaders, and professionals not always holding hands singing kumbaya? In some extreme cases, they aren’t communicating openly and even oppose each other’s agenda. The partnership (or lack thereof) can start to erode as information security groups start to pursue monitoring of potential human-driven activity involving theft of data (and usually not communicating it well).
If privacy and security align around preventing data/information loss, why is detecting data/information loss using certain techniques so controversial?
Detecting bad things sounds excellent and necessary to people who know that bad things are bad and should be punished. However, the feeling of being watched can be scary – even sometimes to those that believe they have nothing to hide. Fears can be stoked by fiction, fact, or current or historical events.
Fiction: In George Orwell’s 1984, “Big Brother” created an invasive police state where human behavior was monitored, and individuals had no sense of individual privacy and were forced to live in fear.
Fact in Historical Events: Many privacy professionals and historians draw correlations between European countries with the strictest privacy laws to be those most oppressed in World War II and subsequent governmental/state fallouts.
Current State Events: Governmental-driven intelligence programs and classified information revealed by individuals who are revered as both traitors and heroes (depending on your perspective and country of origin) can be interpreted as surveillance or “overreach,” as more and more evidence unveils that this may be true (for countries like US, China, and Russia to start)
The “fear of fear” and sense of personal intrusion are not irrational. Hearing legitimate stories of government overreach and corporate data mishandling should not be taken lightly. However, this has permeated businesses and information security capabilities with the same send of paranoia and assumed malevolence.
HOWEVER, this explainable conflict of interest ends up causing a stalemate of action towards the united goal of protecting information. This stalemate can simply be summed up as a fear of overreaching bad-guy-catching vs. the need to catch the bad guy.
So, if one can understand the fear of a police/Orwellian state but also relate to the fact that 90%+ of reported breaches deal with the loss of disclosure of personal information, why can’t the forces align to drive appropriate controls to protect, detect and respond to information theft?
Ultimately, it is due to a lack of stakeholders (and lawyers) uniting to prioritize critical principles necessary to work through all of the rhetoric that has led to some detection capabilities being viewed as an infringement of privacy.
This concern gets exacerbated when terms like SSL interception (“breaking encryption”) and full packet capture (“recording everything”) get tossed around without detail or scope, become misunderstood, and result in an unproductive spin towards inaction.
What do these two terms mean:
- SSL Interception: 70%+ of internet traffic is encrypted (envision a website that starts with HTTPS://…). If no one can see 70% of traffic internal and external to a company, there is no way to know if bad things are happening. SSL interception is merely a way to look into encrypted network traffic for bad things. In most cases, personal stuff like banking, health, and other personal website interactions are “whitelisted” or excluded from monitoring.
- Full Packet Capture means that things done on a corporate network get recorded/saved for threat detection analysis if needed or by threat analysis/detection tools.
So – going back to the unified goal that all companies need to do a better job protecting data/information, it becomes a bit silly to expect to protect information without being able to capture it, see it, and analyze it. A good analogy would be a gas station with a security camera system that cannot attach a lens to the camera or record any footage after the gas station has had numerous robberies and active threats of more robberies.
Ultimately, information security and privacy professionals need to home in on the core goal of protecting from unauthorized disclosure/compromise of information and figure out the most effective ways to accomplish this across all control perspectives (preventative, detective, or responsive.). With the world we live in and the near-weekly corporate breach news article, we need to bond together to focus on any and all measures to prevent incidents from occurring.
Obviously, companies need to prevent information theft detection from overreach or misuse of power, but if we don’t work towards a mutually benefiting solution of preventing, detecting, and responding to breaches, we will be in a progressive state or inaction and corporate incompetence.
I encourage all security and privacy professionals to band together and get back to basics of protecting information entrusted to the company and achieve mutually beneficial results of a prevent, detect and respond mission.
Here are some take-away tips to attain a Yin/Yang privacy/security organization
- Communicate: build partnerships and openly talk about goals and concerns and how IS and Privacy can help each other. Breakfast, coffee, lunch or dinner goes a long way to getting past the corporate mumbo jumbo.
- Evaluate desired controls to catch bad guys for preventing bad things from happening with personal information first. It may be tempting to go after the most sensitive intellectual property the company has first, but wouldn’t it be easier to prove out a controversial tech or approach on something your privacy office would care about?
- Find ways to minimize perceptions or accidental realities of corporate security overreach. For example, determine if you need to capture every packet of information for an infinite amount of time. Also think through how you can limit access to the least number of people possible, and only the security systems that directly need the data to catch the bad guy.
- Use clear, non-scary terms to describe technologies and explain the goals and tactics of a particular tool or approach in ways that anyone can understand. This will help prevent people from making up their own story of the evil things they believe the technology will do.
- Define and document approaches, simplified and understandable tactics and “rules of the road” in governance documents that leadership from all of the appropriate functions can align to and use to prevent misunderstandings.
These 5 tips may seem like basic fundamentals, but many IS teams and leaders get so engrossed in implementing technology and self-importance in their own missions. These leaders fail to execute on the critical relationships, understanding, and alignment required to move a company’s ability to catch bad guys/girls forward.