The convergence of cybersecurity and data privacy
Across industries, privacy and cybersecurity are no longer two separate conversations, and that combined conversation is happening more and more often. While cyberattacks frequently make splashy headlines, the privacy violations that accompany these intrusions are not as widely acknowledged or reported. In part, that’s because most people don’t understand what privacy is, why it’s important, and how it’s tied to security.
At its most basic level, privacy has historically been defined as the right to be left alone. As businesses and societies become increasingly digital, the concept of data privacy has come to mean control of how personal information is used by businesses that collect it. As personal information is passed from user to business to third parties, the ensuing mix of data can be so muddy that it can be challenging to determine who owns the data and how it should be treated, much less who is accountable for protecting it.
Historically, much of the governance around how personal information must be safeguarded has been from a technical perspective, driven by the need to maintain the confidentiality, integrity, and availability of information systems. Today, it’s imperative to add another dimension: data privacy laws. These include the California Privacy Rights Act (CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act (UCPA), as well as dozens of other proposed laws under consideration in U.S. statehouses. In the EU, compliance with the General Data Protection Regulation (GDPR) requires a slew of technically advanced processes and technologies to safeguard citizen data.
But in the coming years, an increased emphasis will be put on privacy and security maturity as a business differentiator – not just a cost center. Organizations must keep in mind that once data is collected and resides on an enterprise system, a connection between data privacy and cybersecurity is formed. After that, it is the business that is held accountable for designing the cybersecurity controls and programs that protect personal information from theft, unauthorized access, and damage, and ultimately for keeping the trust of its users.
One explanation is that many organizations don’t understand the purpose and components of data privacy. In part, that’s because privacy tends to be heavy on “legalese,” whereas cybersecurity is a more practical and tactical discipline that has been practiced for years.
To safeguard information, businesses must first understand what data is in their ecosystem. Data should be protected by security controls designed to limit access to information and make sure employees do not misuse personal data or systems in ways that could result in breaches. Businesses must also safeguard consumer data from theft or tampering by external actors.
Beyond that first step, businesses can understand and protect personal data by taking the following steps:
- Understand your critical business processes.
- Map the data use and data flow across the different organizational units.
- Design and implement an effective data governance program.
- Classify data to identify and understand all information in your environment.
- Create policies for data collection, storage, use, sharing, and sale.
- Use proper access controls to limit access to data.
- Review and verify the security and privacy controls of third parties that have access to your data, applications, and networks.
- Create and test an incident response plan.
- Disclose how your organization uses personal information.
- Develop easy-to-understand privacy guidelines to inform the organization on how information in your ecosystem should be treated.
- Know the regulatory requirements in the jurisdictions in which your company operates.
- Appoint a chief information security officer (CISO) or a chief data officer (CDO) to oversee security and privacy.