Jared Maslin
February 2022
All in the Family: Privacy is Security's Younger Sibling

I often find myself talking about the relationship between data privacy and information security. As you can imagine, these are some heated - and fun - conversations. Security has been around longer and is fairly well understood, while privacy is younger and notoriously hard to define. For some, one discipline might seem like a subset of the other. For others, they are distinct areas without direct connection or influence on one another. For me, they are strongly connected, with overlapping objectives, processes and systems. I see privacy as security’s younger sibling.

As a privacy person who has worked with a wide variety of organizations, each new privacy challenge reminds me of how much we can and should learn from security. Like an older sibling, security has its own tendencies, motivations, and mannerisms, and there is a critical opportunity for privacy, as the younger, to learn from our older, more experienced sibling. I say this as a little brother who should have learned more from his older siblings. In the spirit of continual improvement, let’s take that lesson and apply it to some of the many privacy challenges facing us today.

Learning from our older sibling, we can prevent privacy teams from falling into the same traps that many security teams have experienced. These traps span the entire organizational lifecycle and speak to the continuing obligations of building and maintaining an effective privacy practice that endures as your business evolves. I have identified four areas where privacy can learn from security, and outlined how to use that knowledge to inform our approach to prevent the same pain from recurring.

  1. Introduce: Generating awareness and agency in the role of privacy
  2. Embrace: Communicating (and selling) the value of privacy in your organization
  3. Implement: Integrating privacy processes with critical path operations
  4. Protect: Aligning your organization’s values to privacy decisions

Introduce: Generating awareness and agency in the role of privacy

“What they don’t know won’t hurt them.” When you’re keeping a secret to maintain a storyline in the movies, sure, maybe that can work. But for leaders and business owners, what you don’t know can (and more than likely will) hurt you. Ignorance is a poor defense, and certainly not one on which you should rely heavily. Instead, the first critical element in building functional maturity is in developing mutual awareness of the risks at hand. Not only will this create common ground for formulating future solutions, but it also aids in garnering buy-in from functional leaders across the organization. Where leaders understand the importance of an issue and the role they play in its success, more fruitful partnerships and collaborative initiatives will grow.

Many security teams started largely as standalone functions, tasked with magically achieving security for an entire organization. It’s a simple idea, really: Hire security professionals and they will take care of the problem. In practice, organizations developed ambitious roadmaps for security but failed to socialize those plans, because they lacked partnership and buy-in from functions across the business landscape.

The exact same risk exists for data privacy functions. Without buy-in and a commitment to prioritization from your partners in functions like Marketing, Talent Acquisition, Human Resources, Product Development, and more, even the best privacy strategy will be doomed to fail in the long run. The most successful information security functions learned this lesson and embedded functional collaboration and partnership as a key element of any initiative, guaranteeing commitment and developing more inclusive solutions along the way.

Embrace: Communicating (and selling) the value of privacy in your organization

Like most information security functions, data privacy is often seen as a cost center – no revenue generation and no value outside of compliance management. This kind of perspective, especially where it exists in an executive leadership team, means a never-ending, uphill battle for funding, focus, and sadly, legitimacy. “Just go check the box.” I’ve heard it more times than I care to admit, but it’s an important symptom of a much larger issue.

Like security, data privacy can be both a key differentiator for your products and services and an enabler for future product and service development. Well-defined security and privacy processes both contribute to greater data literacy, more informed data stewardship, and significantly more availability of data-related resources across an enterprise. In fact, Cisco’s 2022 Data Privacy Benchmark Study found that, on average, leaders reported an estimated return on investment of 1.8 times spending for data privacy investments (down just slightly from 1.9 in 2021). These returns are more than just compliance gains and risk mitigation; they speak to a broader alignment of privacy best practices with core business objectives and operational approach on a global scale.

For there to be a return on investment, of course, there first needs to be an investment. Getting that investment means running campaigns across your organization to build general awareness of privacy challenges and to share a clear vision of each individual’s critical role in practicing privacy. Privacy has to be preserved or protected - once it’s lost, it’s largely gone, but while we have it, we have to fight to protect it. Success can be the difference between limiting potential data subject exposure in the event of a data breach and a much larger, more public incident that can follow organizations for years to come.

Implement: Integrating privacy processes with critical path operations

If you take a look at the steady stream of privacy advertisements and service offering descriptions, you’ll see no shortage of “privacy by design” being invoked as a silver bullet. Although the concept was theorized more than a decade ago, the inclusion of “privacy by design” in regulations like the General Data Protection Regulation (GDPR) has given the term a rebirth and amplified its use.

Regardless of whether “privacy by design” is a new concept to you or a well-developed one, its criticality cannot be overstated. From my experience in developing internal and external privacy controls in a variety of industries, one of the most important attributes of any privacy control is the degree to which it is embedded in the critical path of your product or service delivery process.

Privacy, like security, cannot be optional, cannot be an afterthought, and cannot be bolted on at the end. To ensure that your business and the individuals whose information you process both get the greatest benefit from privacy measures, privacy must be a non-negotiable element that is consistently performed from the beginning. Otherwise, it will be far more likely to be disregarded or delayed, waiting instead for deployment to be out of the way and for a magical, more convenient time that may never come to pass.

Protect: Aligning your organization’s values to privacy decisions

Finally, one of the most effective ways of ensuring that privacy controls are stewarded and maintained with the same degree of care and focus as information security is to drive direct and tangible alignment of privacy controls with your organization’s value system.

For example, let’s say that your business operates on a central value of serving and respecting the communities in which you work with the same degree of care as your employees and stakeholders. You would be well served to then identify how privacy protections can be a form of respect for your consumer base and broader communities, by extending the same protections you expect for yourselves to those individuals, simply as a point of added value instead of necessity. To that end, don’t wait for laws to require it; use it as a competitive advantage that can benefit both your business and your data subjects. This alignment will also aid in the continued messaging of your initiatives to your executive leadership teams, as well as the long-term sustainability of these practices as your organization scales and expands globally.

Thanks Older Sibling!

While privacy can often feel like an opaque, obscenely complex space with no right answer, it’s important to recognize that we’ve been here before. The fights that we are battling in the privacy space are closely akin to those fought in the security space for years. So, when in doubt, look to your partners in information security and consider how you can learn from their journey to further and ease your own. You never know – someday, your business and the protection of your consumer base may depend on it.

Thanks to Maritza Johnson and Jessica Traynor.