Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/10/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Unmixed Messages: Bringing Security & Privacy Awareness Together

Security and privacy share the same basic goals, so it just makes sense to combine efforts in those two areas. But that can be easier said than done.

Security and privacy get more attention today than ever before. As professionals in these domains, you are battered by the one-two punch of cyberattacks and an ever-changing regulatory landscape. But deploying technical controls and privacy policies won't be enough to protect your organization. You'll need to enlist your employees in the ongoing struggle to keep your data safe and your company in compliance. 

Luckily, when it comes to employee awareness, security and privacy share the same basic goals. Both want employees aligned with the mission to create a more secure, trustworthy, and risk-aware culture. So, it just makes sense to combine security and privacy efforts.

Unfortunately, uniting your efforts is easier said than done. To start, let's explore how resolving a handful of differences can clear the way for a merger of your security and privacy programs. 

Different Risks
Your mission is probably related to securing personal data. Privacy pros recognize the responsibility to designate secure places to store data, while security pros recognize their responsibility in building and guarding these secure places. A useful simplification, but one that's complicated by the divergence of risk domains. 

In general, security needs to stop external bad guys, such as cybercriminals and adversarial nation-states, from inflicting harm on your organization. Privacy professionals face a different threat: the mishandling of personal information during day-to-day operations. Even the best employees are fallible, and often privacy-related topics involve questions of ethics and judgment that can be genuinely complicated. 

To you, the privacy or security specialist, these distinctions are clear. But think about average employees. They don't care about the nuances of which domain or business unit owns which element of data protection … they care about and need the skills to quickly identify and overcome these risks no matter where they originate. The fewer fiddly distinctions, the better.

Different Bad Guys
We have lots of tropes we use as placeholders for external security threats, but most of them evoke a feeling of illicitness or criminality. As a result, security "good guys" tend to emulate law enforcement institutions and use an abundance of military language to describe their work. It's a simple and direct narrative: We're the good guys, protecting the innocent and virtuous organization from the bad guys. 

Privacy is different. There's no one bad guy. Instead, we're up against a complicated moral landscape where we're at risk of falling out of compliance with the law and losing the trust of employees and customers. Privacy doesn't have evil villains, just ill-informed decision-makers and good employees who make preventable mistakes.

If security pros are defenders against outside threats, privacy pros are mentors who must teach the complexities of staying within appropriate boundaries on the collection, use, and storage of data, despite enormous financial pressures to the contrary. 

It's no surprise that each group sometimes misunderstands the other. "Privacy purists" might judge security advocates to be living in a black-and-white world that is obsessed with technical solutions and an overly defensive posture. "Security strategists," on the other hand, could see privacy professionals as underestimating threats and being naively dependent on policy to accomplish what should be done with strict controls. 

And we wonder why the employees in the middle tune us out!

Unite and Thrive
The fact is that reaching employees through an awareness program is the best tool available to security and privacy professionals for achieving their common goal. You can begin uniting your training program by doing things like:

  • Presenting the business world as it really is, where the company both creates risk and is at risk from outsiders. 
  • Focusing on the similarities between the security and privacy disciplines, rather than emphasizing the differences in domains.
  • Framing both security and privacy best practices in terms of daily work tasks — whether it's creating passwords, identifying information that needs special handling, screening email, classifying and storing data, or connecting to networks from outside the workplace. It doesn't matter which of these are security and which privacy; all are important for protecting the interests of the company and the individual. 
  • Deploying regular and ongoing training, supported by a drumbeat of reinforcing communications. 

The result: reduced overlap, a pooling of resources, and a unified message that invites employees to build the knowledge and skills that they will need to help your organization thrive in a rapidly changing digital world. There are no mixed messages when security and privacy unite.

Related Content:

 

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15160
PUBLISHED: 2019-08-19
The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.