Dr. Waël Hassan, chief editor of Transigram, is the founder of Ki Design, a consulting group specialized in big data solutions, privacy in design, cyber security, and privacy compliance.
As a consultant with a multidisciplinary background in computer science, law, and business, Dr. Waël Hassan is often engaged to support initiatives that require strong collaboration between management, privacy, and security teams within an organization. He has often been amazed by the prevalence and depth of tensions between security and privacy teams. He offers his thoughts here on why privacy and security need to work together, and how they can do it.
E: What does privacy mean in a corporate context and why is it becoming so intertwined with the activities of security professionals?
W: Privacy practice, as a field, is really new. Data privacy laws across North America are ten to fifteen years old, whereas information security has a legacy of thousands of years of military communications techniques. The distinction is important, because our laws are about privacy, not security: there are penalties for privacy violations, not for data breaches per se. Right now, information security innovations are commercially driven, while privacy is legislation driven. Security is mandated by corporate interests, while privacy is about the public interest.
Privacy has yet to define itself as a profession distinct from security – a lot of privacy specialists were trained as security professionals. Privacy hasn’t developed into a science yet. It is sometimes seen with skepticism because it’s difficult to measure, and because companies often don’t understand its benefits. Privacy is seen as something you have to do rather than something you want to do to protect your interests.
Yet even though privacy is a newer, smaller field, logically, security is a subset of privacy. Keeping information secure is a means to protect privacy, but security alone doesn’t ensure privacy. Access goes beyond security: who has the right to access data? Consent is another huge piece of privacy – and it’s the key area where the individual comes to the fore. Context is crucial to informed consent: Where did you get people’s data? What purposes is it allowed to be used for? The basic difference between security and privacy is that security is about an organization’s ability to control access to information; privacy is about respecting individuals’ decisions about their own information. There are many ways privacy can be breached without breaching security.
E: How do privacy and security professionals differ in their priorities, and how can organizations create a more collaborative process for the two to work together?
W: Privacy and security effectively have the same mandate, which is data protection, but they are often delegated to different departments or contractors. They are distinct professions with distinct backgrounds – security professionals usually have technical or mathematical backgrounds, while privacy professionals are more likely to have experience in social service, legal, and policy areas. Security and privacy share the goal of data protection, but they have different definitions of basic concepts like breaches and sensitive data. Unfortunately, their different perspectives often result in conflict, which prevents projects from being completed on time, on budget, or even at all.
Ideally, privacy and security should be part of the same team or department. Privacy and security professionals contribute different perspectives to the same mandate. A collaborative analysis of the projects and documents that they already work on separately could be invaluable. The leadership of a joint privacy and security team should have an understanding of both fields, as well as the business context of the enterprise.
E: Have you seen this done anywhere?
W: No. I’ve seen a few places where one person does both. As a consultant, I have often worked with both privacy and security departments. Sometimes, one of the two functions has managed to be put in charge of the other. In most places there is conflict between them and one of the two departments dominates decision-making.
E: What are the risks of failing to integrate privacy and security?
W: Disagreements between privacy and security about risk levels and approaches to risk mitigation are common. Privacy and security generally have different ideas about what to do. An overemphasis on privacy will kill your efficiency, whereas an overemphasis on security creates a risk of legal noncompliance.
For example, a lot of organizations are considering procuring cloud technology. From a security standpoint it has great benefits and seems very secure. But not knowing what the cloud provider does with your data is a huge privacy risk. They may have great encryption, but you don’t know what their privacy practices are. Most cloud providers are based in the U.S., where they have a greater obligation to share data with the government than Canadian companies do.
On the other hand, focusing too much on privacy can complicate interactions with clients. A common situation in healthcare and community services contexts is that individuals have to sign a consent form every time information about them is shared, while in reality, the way that electronic records are set up means that any professional within the organization can see their file.
E: What role do new technologies play in privacy and security issues? Do they help resolve problems or do they create new risks?
W: What we’re seeing right now, with the expansion of mobile apps, wearable devices, and the Internet of Things, is a simultaneous acceleration of protective technologies and of cyber threats. The threats are winning right now. We’re seeing studied, coordinated attacks on major data assets managed by corporations and governments. New technologies are an important part of the equation, but almost always, people are the weakest link. Hackers rarely target encryption; they usually depend on someone downloading unsafe apps or programs.
The race to develop and release new technologies is creating new opportunities for hacking and data theft. In workplaces with “bring your own device” policies, IT administrators try to incorporate a variety of new devices without understanding all of the risks they create. Not all of these are security risks; there are major privacy risks as well. With mobile devices and apps, people are more likely to be divulging their personal data, often for free, and often without their knowledge. A lot of apps are analyzing and selling personal data – demographics, locations, even fitness habits – to study consumer behaviour and find opportunities for profit.
In terms of technological developments in security and privacy, most security is automated, while most privacy is not. Privacy frameworks are still loose. But privacy tools are becoming available: most frequently these are automated tools to detect anomalies in access patterns that could indicate unauthorized uses and disclosures of information. Security is like getting a stronger lock for a house, while privacy is more like having a camera inside to record evidence of unauthorized entries.
In some respects, new technologies are uncharted territory for privacy legislation. Privacy principles are universal in theory, but applying them to new situations can be challenging. It took years to create the first internet laws, and current laws don’t always apply easily to mobile devices.
E: What do you hope readers will take away from this interview?
W: How privacy and security can work together. Data protection has to be a corporate mandate, and privacy and security are both tools towards achieving it. It needs to be a priority that reports to the highest levels of management and has a seat at the table at board meetings. It should be included in reports to shareholders and stakeholders. It’s a part of corporate diligence, just like finance. If you don’t manage finances properly, you go bankrupt; if you don’t manage data protection you’ll also go bankrupt, for different reasons. Data is an incredibly valuable asset, and data protection can be a selling point.