I often find myself talking about the relationship between data privacy and information security. As you
can imagine, these are some heated - and fun - conversations. Security has been around longer and is
fairly well understood, while privacy is younger and notoriously hard to define. For some, one
discipline might seem like a subset of the other. For others, they are distinct areas without direct
connection or influence on one another. For me, they are strongly connected, with overlapping
objectives, processes and systems. I see privacy as security’s younger sibling.
As a privacy person who has worked with a wide variety of organizations, each new privacy challenge
reminds me of how much we can and should learn from security. Like an older sibling, security has its
own tendencies, motivations, and mannerisms, and there is a critical opportunity for privacy, as the
younger, to learn from our older, more experienced sibling. I say this as a little brother who should
have learned more from his older siblings. In the spirit of continual improvement, let’s take that
lesson and apply it to some of the many privacy challenges facing us today.
Learning from our older sibling, we can prevent privacy teams from
falling into the same traps that many security teams have experienced. These traps span the
entire organizational lifecycle and speak to the continuing obligations of building and maintaining an
effective privacy practice that endures as your business evolves. I have identified four areas where
privacy can learn from security, and outlined how to use that knowledge to inform our approach to
prevent the same pain from recurring.
- Introduce: Generating awareness and agency in the role of privacy
- Embrace: Communicating (and selling) the value of privacy in your organization
- Implement: Integrating privacy processes with critical path operations
- Protect: Aligning your organization’s values to privacy decisions
Introduce: Generating awareness and agency in the role of privacy
“What they don’t know won’t hurt them.” When you’re keeping a secret to maintain a storyline in the
movies, sure, maybe that can work. But for leaders and business owners, what you don’t know can (and
more than likely will) hurt you. Ignorance is a poor defense, and certainly not one on which you should
rely heavily. Instead, the first critical element in building functional maturity is in developing
mutual awareness of the risks at hand. Not only will this create common ground for formulating future
solutions, but it also aids in garnering buy-in from functional leaders across the organization. Where
leaders understand the importance of an issue and the role they play in its success, more fruitful
partnerships and collaborative initiatives will grow.
Many security teams started largely as standalone functions, tasked with magically achieving security
for an entire organization. It’s a simple idea, really: Hire security professionals and they will take
care of the problem. In practice, however, organizations have developed intriguing roadmaps for security, but failed
to socialize those plans due to a lack of partnership and buy-in from functions across the business.
The exact same risk exists for data privacy functions. Without buy-in and a commitment to prioritization
from your partners in functions like Marketing, Talent Acquisition, Human Resources, Product
Development, and more, even the best privacy strategy will be doomed to fail in the long run. The most
successful information security functions learned this lesson and embedded functional collaboration and
partnership as a key element of any initiative, guaranteeing commitment and developing more inclusive
solutions along the way.
Embrace: Communicating (and selling) the value of privacy in your organization
Like most information security functions, data privacy is often seen as a cost center – no revenue
generation and no value outside of compliance management. This kind of perspective, especially where it
exists in an executive leadership team, means a never-ending, uphill battle for funding, focus, and
sadly, legitimacy. “Just go check the box.” I’ve heard it more times than I care to admit, but it’s an
important symptom of a much larger issue.
Like security, data privacy can be both a key differentiator for your products/services, as well as an
enabler for future product and service development. Well defined security and privacy processes both
contribute to greater data literacy, more informed data stewardship, and significantly more availability
of data-related resources across an enterprise. In fact, Cisco’s 2022 Data Privacy Benchmark Study found
that on average, leaders reported an estimated return on investment of 1.8 times spending for data
privacy investments (down just slightly from 1.9 in 2021). These returns are more than just compliance
gains and risk mitigation, but speak to a broader alignment of privacy best practices to core business
objectives and operational approach on a global scale.
For there to be a return on investment, of course, there first needs to be an investment. Getting that
investment means employing campaigns across your organization to leverage a general awareness of privacy
challenges and to share a clear vision of each individual’s critical role in practicing privacy.
Privacy has to be preserved or protected - once it's lost, it's largely gone, but while we have it, we
have to fight to protect it. Success can be the difference between limiting potential data subject
exposure in the event of a data breach and a much larger, more public incident that can follow
organizations for years to come.
Implement: Integrating privacy processes with critical path operations
If you take a look at the steady stream of privacy advertisements and service offering descriptions,
you’ll see no shortage of “privacy by design” being invoked as a silver bullet. Despite being theorized
more than a decade ago, the inclusion of “privacy by design” in regulations like the General Data
Protection Regulation (GDPR) has resulted in a rebirth and amplification of the term.
Regardless of whether “privacy by design” is a new concept to you or a well-developed one, its
criticality cannot be overstated. From my experience in developing internal and external privacy
controls in a variety of industries, one of the most important attributes of any privacy control is the
degree to which it is embedded in the critical path of your product or service delivery process.
Privacy, like security, cannot be optional, cannot be an afterthought, and cannot be bolted on at the
end. To ensure that your business and the individuals whose information you process both get the
greatest benefit from privacy measures, it must be a non-negotiable element that is consistently
performed from the beginning. Otherwise, it will be far more likely to be disregarded or delayed,
waiting instead for deployment to be out of the way and for a magical, more convenient time that may
never come to pass.
Protect: Aligning your organization’s values to privacy decisions
Finally, one of the most effective ways of ensuring that privacy controls are stewarded and maintained
with the same degree of care and focus as information security is to drive direct and tangible alignment
of privacy controls with your organization’s value system.
For example, let’s say that your business operates on a central value of serving and respecting the
communities in which you work with the same degree of care as your employees and stakeholders. You would
be well served to then identify how privacy protections can be a form of respect for your consumer base
and broader communities by instilling the same protections you expect for yourselves to those
individuals, simply as a point of added value instead of necessity. To that end, don’t wait for laws to
require it, but use it as a competitive advantage that can benefit both your business and your data
subjects. This alignment will also aid in the continued messaging of your initiatives to your executive
leadership teams, as well as long-term sustainability of these practices as your organization scales and
Thanks Older Sibling!
While privacy can often feel like an opaque, obscenely complex space with no right answer, it’s
important to recognize that we’ve been here before. The fights that we are battling in the privacy space
are more akin to those fought in the security space for years. So, when in doubt, look to your partners
in information security and consider how you can learn from their journey to further and ease your own.
You never know – someday, your business and the protection of your consumer base may depend on it.
Thanks to Maritza Johnson and Jessica Traynor.