Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/10/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Unmixed Messages: Bringing Security & Privacy Awareness Together

Security and privacy share the same basic goals, so it just makes sense to combine efforts in those two areas. But that can be easier said than done.

Security and privacy get more attention today than ever before. As professionals in these domains, you are battered by the one-two punch of cyberattacks and an ever-changing regulatory landscape. But deploying technical controls and privacy policies won't be enough to protect your organization. You'll need to enlist your employees in the ongoing struggle to keep your data safe and your company in compliance. 

Luckily, when it comes to employee awareness, security and privacy share the same basic goals. Both want employees aligned with the mission to create a more secure, trustworthy, and risk-aware culture. So, it just makes sense to combine security and privacy efforts.

Unfortunately, uniting your efforts is easier said than done. To start, let's explore how resolving a handful of differences can clear the way for a merger of your security and privacy programs. 

Different Risks
Your mission is probably related to securing personal data. Privacy pros recognize the responsibility to designate secure places to store data, while security pros recognize their responsibility in building and guarding these secure places. A useful simplification, but one that's complicated by the divergence of risk domains. 

In general, security needs to stop external bad guys, such as cybercriminals and adversarial nation-states, from inflicting harm on your organization. Privacy professionals face a different threat: the mishandling of personal information during day-to-day operations. Even the best employees are fallible, and often privacy-related topics involve questions of ethics and judgment that can be genuinely complicated. 

To you, the privacy or security specialist, these distinctions are clear. But think about average employees. They don't care about the nuances of which domain or business unit owns which element of data protection … they care about and need the skills to quickly identify and overcome these risks no matter where they originate. The fewer fiddly distinctions, the better.

Different Bad Guys
We have lots of tropes we use as placeholders for external security threats, but most of them evoke a feeling of illicitness or criminality. As a result, security "good guys" tend to emulate law enforcement institutions and use an abundance of military language to describe their work. It's a simple and direct narrative: We're the good guys, protecting the innocent and virtuous organization from the bad guys. 

Privacy is different. There's no one bad guy. Instead, we're up against a complicated moral landscape where we're at risk of falling out of compliance with the law and losing the trust of employees and customers. Privacy doesn't have evil villains, just ill-informed decision-makers and good employees who make preventable mistakes.

If security pros are defenders against outside threats, privacy pros are mentors who must teach the complexities of staying within appropriate boundaries on the collection, use, and storage of data, despite enormous financial pressures to the contrary. 

It's no surprise that each group sometimes misunderstands the other. "Privacy purists" might judge security advocates to be living in a black-and-white world that is obsessed with technical solutions and an overly defensive posture. "Security strategists," on the other hand, could see privacy professionals as underestimating threats and being naively dependent on policy to accomplish what should be done with strict controls. 

And we wonder why the employees in the middle tune us out!

Unite and Thrive
The fact is that reaching employees through an awareness program is the best tool available to security and privacy professionals for achieving their common goal. You can begin uniting your training program by doing things like:

  • Presenting the business world as it really is, where the company both creates risk and is at risk from outsiders. 
  • Focusing on the similarities between the security and privacy disciplines, rather than emphasizing the differences in domains.
  • Framing both security and privacy best practices in terms of daily work tasks — whether it's creating passwords, identifying information that needs special handling, screening email, classifying and storing data, or connecting to networks from outside the workplace. It doesn't matter which of these are security and which privacy; all are important for protecting the interests of the company and the individual. 
  • Deploying regular and ongoing training, supported by a drumbeat of reinforcing communications. 

The result: reduced overlap, a pooling of resources, and a unified message that invites employees to build the knowledge and skills that they will need to help your organization thrive in a rapidly changing digital world. There are no mixed messages when security and privacy unite.

Related Content:

 

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10164
PUBLISHED: 2019-06-26
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL...
CVE-2019-11583
PUBLISHED: 2019-06-26
The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to Jira service via denial of service vulnerability in issue search when ordering by "Epic Name".
CVE-2019-4234
PUBLISHED: 2019-06-26
IBM PureApplication System 2.2.3.0 through 2.2.5.3 weakness in the implementation of locking feature in pattern editor. An attacker by intercepting the subsequent requests can bypass business logic to modify the pattern to unlocked state. IBM X-Force ID: 159416.
CVE-2019-4235
PUBLISHED: 2019-06-26
IBM PureApplication System 2.2.3.0 through 2.2.5.3 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 159417.
CVE-2019-4241
PUBLISHED: 2019-06-26
IBM PureApplication System 2.2.3.0 through 2.2.5.3 could allow an authenticated user with local access to bypass authentication and obtain administrative access. IBM X-Force ID: 159467.