[BreachExchange] Understanding the Distinct and Dependent Roles of Data, Privacy and Cybersecurity Professionals Cyber Tactics

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 2 20:07:30 EDT 2017


http://www.securitymagazine.com/articles/88343-understanding-the-distinct-and-dependent-roles-of-data-privacy-and-cybersecurity-professionals

Taking advantage of technology and digitization involves more than business
strategy. It requires strong data governance principles which, among other
things, must align the functional demands of an organization’s
cybersecurity, privacy and information management teams.

Cybersecurity Professionals

For cybersecurity folks, it’s all about data confidentiality and the
integrity and availability of both data and systems. In terms of
confidentiality, cybersecurity professionals are concerned about all
sensitive electronic data, which extends beyond data about individuals to
include corporate secrets as well. How about destructive ransomware? Well,
that’s not a matter of data privacy; it’s a matter of data, period.
Cybersecurity objectives also concern far more than information, and
require that systems and devices remain resilient and reliable. Take, for
example, the life and death concerns about protecting critical
infrastructure control systems, or keeping hackers out of embedded medical
devices.

Privacy Professionals

Just as cybersecurity professionals have a broad mandate, so do privacy
professionals. In fact, the word “privacy” hardly captures the role. The
field of data privacy has grown from concerns primarily over secrecy and
seclusion into a larger set of issues better described as personal data
rights. While there remains a strong focus on protecting the
confidentiality of information that identifies people (which aligns with
cybersecurity, but extends beyond electronic records), data privacy experts
also consider the lawful basis for a company’s collecting and using
personal information in the first place. Privacy compliance also may
require a jurisdiction-by-jurisdiction review of data localization and data
transfer limitations (a big headache for multinational organizations);
responding to government requests for personal data; limitations on
automated decision making and profiling; data portability capabilities,
allowing individuals to obtain and reuse personal data across different
services; correction of inaccurate information; retention, archiving and
destruction schedules; privacy by design product features; and data breach
notifications.

Data Professionals

Chief Information Officers, and those with “data” in their titles, are sure
to focus on features, functionality and enhanced user experience. Yet, they
operate with significant external constraints as they embrace the latest
technologies and harness big data. Not only are they subject to a host of
security and privacy requirements, they often have intellectual property
rights responsibilities. They routinely struggle with faulty products,
misconfigurations and user error, as well as data that must be cleaned,
validated, de-duplicated and structured. They may be required to explain
how automated analysis works, and protect against unlawful algorithmic
bias. They must be mindful of the power of machines to easily re-identify
individuals by combining data sets that, for legal reasons, were previously
de-identified. Their programs may be subject to antitrust scrutiny
regarding the implications of data aggregation. Finally, they can’t break
the laws of math or physics.

Working Together

Next time your organization considers its data and technology strategy,
it’s best to ensure that data, privacy and cybersecurity professionals all
have a seat at the table. Sure, they often can represent one another’s
interests. But, equally often, they can’t.