Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/10/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Unmixed Messages: Bringing Security & Privacy Awareness Together

Security and privacy share the same basic goals, so it just makes sense to combine efforts in those two areas. But that can be easier said than done.

Security and privacy get more attention today than ever before. As professionals in these domains, you are battered by the one-two punch of cyberattacks and an ever-changing regulatory landscape. But deploying technical controls and privacy policies won't be enough to protect your organization. You'll need to enlist your employees in the ongoing struggle to keep your data safe and your company in compliance. 

Luckily, when it comes to employee awareness, security and privacy share the same basic goals. Both want employees aligned with the mission to create a more secure, trustworthy, and risk-aware culture. So, it just makes sense to combine security and privacy efforts.

Unfortunately, uniting your efforts is easier said than done. To start, let's explore how resolving a handful of differences can clear the way for a merger of your security and privacy programs. 

Different Risks
Your mission is probably related to securing personal data. Privacy pros recognize the responsibility to designate secure places to store data, while security pros recognize their responsibility in building and guarding these secure places. A useful simplification, but one that's complicated by the divergence of risk domains. 

In general, security needs to stop external bad guys, such as cybercriminals and adversarial nation-states, from inflicting harm on your organization. Privacy professionals face a different threat: the mishandling of personal information during day-to-day operations. Even the best employees are fallible, and often privacy-related topics involve questions of ethics and judgment that can be genuinely complicated. 

To you, the privacy or security specialist, these distinctions are clear. But think about average employees. They don't care about the nuances of which domain or business unit owns which element of data protection … they care about and need the skills to quickly identify and overcome these risks no matter where they originate. The fewer fiddly distinctions, the better.

Different Bad Guys
We have lots of tropes we use as placeholders for external security threats, but most of them evoke a feeling of illicitness or criminality. As a result, security "good guys" tend to emulate law enforcement institutions and use an abundance of military language to describe their work. It's a simple and direct narrative: We're the good guys, protecting the innocent and virtuous organization from the bad guys. 

Privacy is different. There's no one bad guy. Instead, we're up against a complicated moral landscape where we're at risk of falling out of compliance with the law and losing the trust of employees and customers. Privacy doesn't have evil villains, just ill-informed decision-makers and good employees who make preventable mistakes.

If security pros are defenders against outside threats, privacy pros are mentors who must teach the complexities of staying within appropriate boundaries on the collection, use, and storage of data, despite enormous financial pressures to the contrary. 

It's no surprise that each group sometimes misunderstands the other. "Privacy purists" might judge security advocates to be living in a black-and-white world that is obsessed with technical solutions and an overly defensive posture. "Security strategists," on the other hand, could see privacy professionals as underestimating threats and being naively dependent on policy to accomplish what should be done with strict controls. 

And we wonder why the employees in the middle tune us out!

Unite and Thrive
The fact is that reaching employees through an awareness program is the best tool available to security and privacy professionals for achieving their common goal. You can begin uniting your training program by doing things like:

  • Presenting the business world as it really is, where the company both creates risk and is at risk from outsiders. 
  • Focusing on the similarities between the security and privacy disciplines, rather than emphasizing the differences in domains.
  • Framing both security and privacy best practices in terms of daily work tasks — whether it's creating passwords, identifying information that needs special handling, screening email, classifying and storing data, or connecting to networks from outside the workplace. It doesn't matter which of these are security and which privacy; all are important for protecting the interests of the company and the individual. 
  • Deploying regular and ongoing training, supported by a drumbeat of reinforcing communications. 

The result: reduced overlap, a pooling of resources, and a unified message that invites employees to build the knowledge and skills that they will need to help your organization thrive in a rapidly changing digital world. There are no mixed messages when security and privacy unite.

Related Content:

 

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...