As more of our lives and work become digitized, an inherent overlap continues to grow between data privacy and cyber security programs. Think of two similarly sized circles: in the past, data privacy and cyber security may have overlapped on the edges, but today, their centers are almost on top of each other. In this article, we begin to look at the data privacy / cyber security relationship, as undoubtedly, the issues are connected, and we can see this trend in industry reactions, publications, and standards.
For example, in 2020, the U.S. National Institute of Standards and Technology (NIST) released the Privacy Framework (PF) and soon after created a crosswalk of controls against the Cyber Security Framework (CSF). In Europe, the General Data Protection Regulation (GDPR) has played a prominent role in pushing data privacy compliance since 2018, influencing cyber security decisions. And today, more non-European Union (EU) jurisdictions are deploying their own federal and regional legislative and regulatory controls, especially those related to personally identifiable information (PII), personal health information (PHI), and consumer protections.
With these trends in motion, do methods exist for data privacy and cyber security initiatives to work together and lower overall risk to the organization? Yes, there are, and we will outline some areas in which the two initiatives can work together. Specifically, we focus on identifying overlap areas and steps that can be taken to create an effective program, all designed to better protect data and reduce cyber risk.
Cyber security controls are generally voluntary, unless external forces demand compliance (e.g., regulatory controls, certification to do business, requirement to notify, etc.). But data privacy tends to be mandatory, through legislation and well-defined regulation. For example:
But a paradox exists: today’s digital demands, coupled with data privacy legislative and regulatory requirements, require cyber security protections. Think about it like this:
The overlap is therefore immense, though support for and implementation of controls may be very different depending on which perspective you are viewing the problem from.
The consequences of failing to comply with data privacy laws are known – fines, civil litigation, market share loss, and shattered confidence and trust. Therefore, as consequences are clear and tangible from a data privacy perspective, enhancements to your cyber security program may garner more support if your information security, data privacy, and risk management leaders can clearly demonstrate the overlap between these separate, but closely related, programs.
It is the clarity of consequences – specifically from the data privacy perspective – that becomes the motivating factor for improvement. So how can these functions work together?
Two data-related questions must be answered to build a strong program:
Depending on the size and complexity of your organization (e.g., where you operate, what business you are in, what external forces influence your data handling, etc.), answers to these questions may not be clear cut. Here are some quick tips to navigate through each issue:
After completing these tasks, you could, in fact, end up opting for the most stringent requirements, which is not a bad approach, because you at least went through the exercise to ensure no blind spots exist. The additional upside of using the most stringent requirements is that the jurisdictional mapping analysis likely positioned you well for maximum coverage, where only tweaks are required by jurisdiction.
Moreover, this exercise can also identify data you do not need to retain. Sometimes, your best risk minimization option is to not collect data or destroy data in hand.
An additional – and important – issue to keep in mind is the reliability of your analysis. Data uniformity plays a significant role in generating major outputs and maintaining smooth operations (e.g., everyday business, processing and securing data, and facilitating incident response). Therefore, any operation(s) that does not seek data normalization will have difficulty producing the best results. Ask yourself these questions:
There is a saying in the computer science world: garbage in, garbage out. This is the exact situation you want to avoid, because it puts you in the position of making decisions on unreliable data. Not only are your data privacy efforts put at risk, but you build inefficiencies into your incident response processes, and, candidly, could be making bad business operation decisions.
Assuming you have come this far in your data privacy journey, the last pieces of the puzzle are program maintenance and preparation for the breach. Mature organizations will build in processes that can automatically pull data privacy requirements. From a breach perspective, predetermined escalation matrices, triage paths, and communication flow charts will have been developed and tested to build muscle memory. These are the bedrock principles of strong data privacy and cyber security programs.
In an upcoming two-part mini-series on cyber hygiene, we will examine how a good cyber security program can stem from good data privacy practices. The keys to success in the immediate future will rest in your people, specifically: leadership’s ability to demonstrate why security matters to everyday users, going beyond how to act securely, and adapting to changing workplace environments.
We would like to thank George Platsis and Ron J. Yearwood Jr., CISSP, CISM, CIPM, for providing insight and expertise that greatly assisted this research.
George Platsis, CCISO, is a Senior Director providing Digital Investigations and Discovery services under J.S. Held’s Global Investigations practice. George has designed and delivered solutions, and led teams, focused on improving breach readiness, designing enterprise-wide and business-unit specific incident response programs, and crafting information estate hardening solutions for a series of Fortune 100 clients in the healthcare, media, financial services, manufacturing, defense, and commercial electronics industries. As part of the Cyber Security practice, George has a lead role in developing and delivering proactive incident response and resilience engagements. He has extensive experience in engineering enterprise-level incident response programs, breach readiness evaluation, business continuity, and disaster recovery. He also leverages past experiences from reactive incident response engagements, complex investigations, and work experience in the security, emergency management, pandemic planning, and bioweapon research fields.
George can be reached at [email protected] or +1 321 346 6441.