There Is Meaning At The Intersection Of Privacy And Cybersecurity
The intersection of privacy and cybersecurity is where forward-thinking companies operate. As cybersecurity and privacy continue to evolve, we are seeing an interesting shift in what organizations are focused on. The reason for the change is simple: gone are the days of credit card breaches where the credit card companies and banks argue about who is going to bear the responsibility of replacing cards. More and more, the breaches that occur are exposing vast amounts of data that is considered non-public information: names, addresses, Social Security numbers, medical information, and the list goes on. In addition, with things like big data analytics and behavioral advertising, we as citizens are being profiled and targeted in new ways, and unfortunately the laws that exist in the U.S. are ill prepared to deal with the onslaught of risks to personal data.
As purist or old-school InfoSec professionals have always known, in the broad scheme of things privacy and cybersecurity have always been connected, because the underlying focus is the same: you have to know where your most sensitive information is located and protect it through administrative, technical, and physical controls. Administrative controls are things like policies, procedures, contract requirements, and regulatory requirements. Technical controls are things like access control, firewalls, and security monitoring solutions. Physical controls are things like locks on doors and badges. A company is always in search of the most reasonable mix of controls necessary to attest to its customers that it has visibility into most (preferably all) of its sensitive information, knows where it is located and stored, knows who has access to it, knows what it is sharing with others (third parties), and monitors for unauthorized activity.
So, who has the ball? Which team, the cyber/information security team or the privacy team, has the primary responsibility for developing and overseeing the entire information management program? I hear you saying it's a team effort! But I know from personal experience that leadership by committee tends to lead to finger pointing. Should it be the CISO, CIO, General Counsel, CFO, CEO, or someone else? Your guess is as good as mine! However, an organization must decide who has responsibility for information management in its entirety, and give that person the resources and support necessary to be successful.