
Cross-Functional Synergy: How Security can Help Support Privacy Requirements

Kerwyn Velasco
April 10, 2024

In recent years, data privacy awareness has risen due to increased cyber threats, major data breaches, and consumer demand for control over personal data. One of the original cornerstones of privacy regulation is the Health Insurance Portability and Accountability Act (HIPAA), established in the United States. HIPAA mandates not just the protection of patient health information but also delineates the rights patients have concerning their information. This pivotal act encompasses components of both security, ensuring data is safeguarded from breaches and unauthorized access, and privacy, ensuring the confidentiality and proper use of personal data. 

This emphasis on security and privacy has resulted in some jurisdictions officially recognizing the need for robust data protection frameworks. The European Union's General Data Protection Regulation (GDPR) has set a benchmark for data protection standards, while California has advanced its own initiatives with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Other regions have similarly enacted state privacy laws reflecting an evolving understanding of personal data's value and vulnerabilities. 

A direct consequence of the growing recognition of data protection frameworks is the principle of "privacy by design," which emphasizes integrating privacy considerations into the development phase of products and services rather than as an afterthought. According to the ISACA Privacy in Practice report, organizations are increasingly recognizing the importance of how security can help support privacy requirements, with a notable uptick in security and privacy training. This ensures that best practices are not just reactive but also proactive in preserving the trust and rights of individuals.

The Significance of Privacy and Compliance: Addressing Resource Constraints 

While the benefits of practicing “privacy by design” are clear, the proactive approach requires resources to implement. Unfortunately, those resources may be hard to find. The survey by ISACA underscores a staffing deficit in both legal/Compliance and technical privacy realms. Specifically, 44% of survey participants feel that legal/Compliance teams lack adequate staffing, and this sentiment rises to 53% concerning technical privacy teams.

One of the hurdles to timely staffing is the scarcity of suitably skilled candidates. Shockingly, for around 20% of enterprises surveyed, fewer than a quarter of applicants for privacy-related roles met the desired qualifications, irrespective of whether the roles were technical or legal/Compliance-based. The predominant metric for gauging an applicant's suitability is their experience.

Is Working Together the Solution to Lack of Experience?

A significant 63% of those surveyed pinpointed a deficiency in familiarity with diverse technologies and applications as the most glaring skills gap among present-day privacy professionals. Alarmingly, about one in three respondents meet less often than every three months. Given the swift-paced changes in the regulatory environment and ever-evolving business practices, there's a pressing need for more regular dialogues between DevOps and Compliance teams. It's equally worrying that nearly 20% meet solely when fresh privacy regulations are enacted, leading to potentially delayed and reactionary privacy strategies.

For comprehensive privacy implementation, privacy teams need to work harder to foster cross-functional collaborations. As per the survey, the most frequent interactions for privacy teams are with information security (32%), legal and compliance (29%), and risk management (22%) teams.

The Relationship between Security and Privacy

Privacy and security are inextricably intertwined, and several Compliance frameworks have requirements that span both areas, such as monitoring, communication, and classification. These requirements are not just about ensuring data protection but also ensuring transparency, integrity, and proper management of personal data. Let’s dive into these examples:

Monitoring

Monitoring is a very important control for both Security and Privacy teams because it gives them confidence in the integrity of the organization’s activities. Below are two examples of Compliance frameworks incorporating monitoring:

  • GDPR: One of the central tenets of the General Data Protection Regulation (GDPR) is the continuous monitoring of data processing activities to ensure data protection and to promptly detect breaches. Under the GDPR, as a privacy Compliance framework, controllers and processors are mandated to maintain a record of processing activities and must have in place robust procedures to notify the appropriate authorities and affected data subjects in case of a breach.
  • CSA CCM: The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) emphasizes the importance of monitoring, which entails a consistent overview of user activities, especially for multi-cloud security. It's about maintaining visibility and control over data, which is crucial for both security and privacy.

Communication

Communication is a crucial element for both Security and Privacy teams because it ensures transparency and fosters trust in the organization's operations and intentions, balancing privacy and security. The following frameworks emphasize the importance of communication:

  • CCPA: The California Consumer Privacy Act (CCPA) accentuates the significance of transparent communication with consumers regarding their data. Organizations must inform consumers about the types of personal data they collect, the purpose of its collection, and any third parties with whom the data might be shared. CCPA requires clear methods for submitting requests for information, such as a toll-free telephone number or website address.
  • ISO 27002: ISO/IEC 27002, a standard for information security, underscores the importance of effective communication, especially regarding security policies, practices, and any breaches or potential vulnerabilities. Regular communication is vital to ensure all employees and relevant stakeholders understand and adhere to security protocols. Implementing ISO controls can also help fulfill CCPA requirements.

Classification

Categorizing the data being maintained streamlines its use for both Security and Privacy teams, whether the classifications are applied for privacy purposes or for security considerations. Here are two examples of frameworks outlining proper classification of data:

  • NIST Privacy: The National Institute of Standards and Technology (NIST) privacy framework emphasizes the categorization of personal data. This helps in determining the sensitivity of the data, thus guiding its proper handling, storage, and transmission (see NIST Special Publications).
  • CIS: The Center for Internet Security (CIS) has its benchmarks and best practices for securing systems. One of its key aspects is the classification of data, which is crucial for determining the level of security controls to be applied. Proper classification ensures that more stringent measures are applied to more sensitive data.

In essence, these overlapping requirements across different frameworks underscore how privacy and security work together: they are two sides of the same coin. Proper data management and protection necessitate a harmonious blend of both.

Harnessing Existing Security Controls for Enhanced Privacy

As the digital landscape continues to evolve, the lines between security and privacy have become increasingly blurred. Both disciplines share the primary objective of protecting data, yet they each bring a unique perspective on how to achieve this goal. Given the intricate connection between these fields, it's a strategic move for organizations to leverage their existing security controls to enhance their privacy measures.

Instead of viewing security and privacy as separate endeavors, organizations can realize efficiencies by recognizing how security can help support privacy requirements. By doing so, they can not only achieve Compliance with the myriad of privacy regulations worldwide but also foster a culture of trust and transparency with their stakeholders.

In an age where data is paramount, organizations cannot afford to silo their security and privacy efforts. Rather, by integrating these functions and leveraging the strengths of each, they position themselves to navigate the complexities of the modern data ecosystem effectively. Thus, by harnessing existing security controls for enhanced privacy, organizations can ensure they remain at the forefront of data protection, setting industry standards and best practices for others to follow.

Kerwyn Velasco
Security and Compliance Nerd with 10 years GRC experience wearing all kinds of hats. He currently does marketing at anecdotes.