Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/10/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Unmixed Messages: Bringing Security & Privacy Awareness Together

Security and privacy share the same basic goals, so it just makes sense to combine efforts in those two areas. But that can be easier said than done.

Security and privacy get more attention today than ever before. As professionals in these domains, you are battered by the one-two punch of cyberattacks and an ever-changing regulatory landscape. But deploying technical controls and privacy policies won't be enough to protect your organization. You'll need to enlist your employees in the ongoing struggle to keep your data safe and your company in compliance. 

Luckily, when it comes to employee awareness, security and privacy share the same basic goals. Both want employees aligned with the mission to create a more secure, trustworthy, and risk-aware culture. So, it just makes sense to combine security and privacy efforts.

Unfortunately, uniting your efforts is easier said than done. To start, let's explore how resolving a handful of differences can clear the way for a merger of your security and privacy programs. 

Different Risks
Your mission is probably related to securing personal data. Privacy pros recognize the responsibility to designate secure places to store data, while security pros recognize their responsibility in building and guarding these secure places. A useful simplification, but one that's complicated by the divergence of risk domains. 

In general, security needs to stop external bad guys, such as cybercriminals and adversarial nation-states, from inflicting harm on your organization. Privacy professionals face a different threat: the mishandling of personal information during day-to-day operations. Even the best employees are fallible, and often privacy-related topics involve questions of ethics and judgment that can be genuinely complicated. 

To you, the privacy or security specialist, these distinctions are clear. But think about average employees. They don't care about the nuances of which domain or business unit owns which element of data protection … they care about and need the skills to quickly identify and overcome these risks no matter where they originate. The fewer fiddly distinctions, the better.

Different Bad Guys
We have lots of tropes we use as placeholders for external security threats, but most of them evoke a feeling of illicitness or criminality. As a result, security "good guys" tend to emulate law enforcement institutions and use an abundance of military language to describe their work. It's a simple and direct narrative: We're the good guys, protecting the innocent and virtuous organization from the bad guys. 

Privacy is different. There's no one bad guy. Instead, we're up against a complicated moral landscape where we're at risk of falling out of compliance with the law and losing the trust of employees and customers. Privacy doesn't have evil villains, just ill-informed decision-makers and good employees who make preventable mistakes.

If security pros are defenders against outside threats, privacy pros are mentors who must teach the complexities of staying within appropriate boundaries on the collection, use, and storage of data, despite enormous financial pressures to the contrary. 

It's no surprise that each group sometimes misunderstands the other. "Privacy purists" might judge security advocates to be living in a black-and-white world that is obsessed with technical solutions and an overly defensive posture. "Security strategists," on the other hand, could see privacy professionals as underestimating threats and being naively dependent on policy to accomplish what should be done with strict controls. 

And we wonder why the employees in the middle tune us out!

Unite and Thrive
The fact is that reaching employees through an awareness program is the best tool available to security and privacy professionals for achieving their common goal. You can begin uniting your training program by doing things like:

  • Presenting the business world as it really is, where the company both creates risk and is at risk from outsiders. 
  • Focusing on the similarities between the security and privacy disciplines, rather than emphasizing the differences in domains.
  • Framing both security and privacy best practices in terms of daily work tasks — whether it's creating passwords, identifying information that needs special handling, screening email, classifying and storing data, or connecting to networks from outside the workplace. It doesn't matter which of these are security and which privacy; all are important for protecting the interests of the company and the individual. 
  • Deploying regular and ongoing training, supported by a drumbeat of reinforcing communications. 

The result: reduced overlap, a pooling of resources, and a unified message that invites employees to build the knowledge and skills that they will need to help your organization thrive in a rapidly changing digital world. There are no mixed messages when security and privacy unite.

Related Content:

 

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.