Privacy versus Security is a trust versus zero trust game! CyberOne says, there can be no privacy without security. So, trust starts with zero trust, obviously…
In a time where privacy has been elevated to a Royal topic, I spent the day/week/month perusing articles about privacy to see what, if any, common themes arose. By far the all-pervading subject of choice can be boiled down to a single, one-syllable, mighty word…
A principal objective for B2C and B2B customers, “Trust” is the pot of gold at the end of the privacy rainbow. Without trust, consumers are lost and companies will not share or fulfill valuable data requirements. Meanwhile, outside of the privacy circles, where the SolarWinds blow, the government is moving hastily towards a “Zero Trust” security posture. Are they really opposites?
At CyberOne, we freely bandy the phrase “ there is no privacy without security”. In the world of Privacy, Trust and Zero Trust might just mean the same thing!
As a consumer-human, or company that has or uses personal information, you may be surprised/skeptical/afraid (opt-in or opt-out accordingly – that’s a privacy joke!) to hear this… Have no fear, or, actually have fear, and from fear there will come no fear, if this is done right! Fear is healthy. It prompts caution, which is the path to security. For example, if you have read the latest from Mr. Snowden, or know anything about the seemingly constant attacks on privacy data, you’re probably not reading this on your phone and, COVID aside, you may be forgiven for pulling your curtains, sliding your webcam cover shut and communicating in sign language to your partner while playing very loud music.
According to both NIST and Pew Research, an estimated 80% of Americans still believe that the risk of companies collecting data about them far outweighs the cost of doing business with them. This presentation by NIST exposes many of our fears related to Privacy and the growing, if not ever-present lack of trust in corporations. As such, that TRUST is such a high-value, but perhaps unachievable commodity is, in itself, worth discussion.
Why is it so important and what does it mean for companies and consumers to establish trust?
Perhaps this is obvious, but, after all, for all the fearmongering, justified or other, about our personal information being stolen, the myriad of ways to steal it, and the documented lack of trust, the question is interesting because, for the most part, consumers offer up personal information with relative abandon and disregard, to corporations who use it to, among other things, sell you stuff to stop your personal information from being stolen. The Influencer phenomenon was built upon sharing information. We may not trust, but sharing takes precedent, it would seem. Forbes started tracking this phenomenon more than 10 years ago. Imagine how this Forbes article would read today? Nonetheless, if the NIST data is true, while consumers are open to the new “world wide web” order, they may be permanently teetering on the edge which puts the Golden Eggs of retention, loyalty at risk. As such, to the good, business has largely come aboard the privacy train, even if for some, it is being driven by acquisition and retention strategies rather than solid ethics.
Governments, equally, are finding it in the common interest to protect personal information. Privacy regulations cover more geographic regions than you might know, from GDPR (the European General Data Protection Regulation), BGDPR (Brazilian General Data Protection Regulation, APEC Privacy Framework (Asia-Pacific Economic Cooperation), even China. Here, in the US, too, many states have their own privacy regulation, perhaps the most recognized being CCPA – CPRA, but by no means the only one. (US states with Privacy laws). Penalties for misuse of data are potentially very severe. It’s potentially a “do-good” source of revenue for state actors.
So, why are we still living in fear? Let’s go back to that stolen CyberOne adage… You can’t have privacy without security. Simply put “privacy is NOT security”.
Compliance with the legal aspects of various privacy laws, be it GDPR, the now British (BGDPR) and Brazilian (LGDP) versions of GDPR, CCPA – CPRA, ODP, APEC, and so on… are all well and good, but largely they are just enabling a set of choices from the consumer. If you want to learn more about the various laws, including one of the first laws to connect privacy and liability with security, see the supplement at the end of this article.
The marriage of privacy and security is where trust begins…
Why? Because it goes, one giant leap further to tell the consumer that companies are committed to protecting the data, no matter how it is collected, stored, transferred, and even destroyed. Compliance says we are obeying the law. Security not only says we are protecting your data, it speaks to implementation. If companies want to build consumer trust, they need to demonstrate more than compliance – they need to be secure, not just say they are. For example, the company Ring built a billion-dollar business not on the ability to see who is at your door and decide if you want to open it (privacy), but the ability to shout at them through the doorbell, and call the cops.
Trust is about security. Trust comes from Zero Trust! Security is the zero-trust constant. Security means, among other things, verify, so effectively, from a security position, zero trust takes any level of assumption out of trust. If a company can achieve this for its customer, company, or consumer, then the other Golden Eggs of loyalty and retention should follow. So, while you may already think that privacy is connected to your sales strategy, data shows that security, rather, should be part of your acquisition and retention strategies.
So, now I need to add a budget for Security?
To simply state that companies must overlay security with privacy ignores the most common question for SMB’s. Where is the budget? Indeed, what does this mean for SMB’s with limited budgets or hyper-growth startups with investors “hyper-focused” on revenue? How easy is it to pivot from none or some security and privacy to a position where these requirements can be met and maintained?
Our experience in the world of SMB’s tells us that many companies out there have very limited budgets – sound familiar? Are you trying to manage security and privacy with a skeleton crew (1-2) and spreadsheet? The modernization of your S & P program is vital and will be a budget-wise solution, too. These programs cannot be managed effectively on spreadsheets, for one, because they require continuous monitoring, and generally, because the readiness factor – the need to evaluate control strength and implementation, collect evidence and verify, prioritize, manage and mitigate risk, is all-consuming, and leaves little to no time for proactive risk analysis beyond the task of risk management. In a tool, you can eliminate many of the redundancies and painful elements, like chasing evidence, of security and privacy and, a good tool will tell you, at any and all times, whether you are secure and in compliance, which will save costs.
If the higher purpose of risk and compliance management is i) to ensure security ii) prevent risk iii) assure compliance, and, above all, to apply risk to become a more agile company, which is indeed one of our deliverables at CyberOne, these are not achievable from a spreadsheet. These are entirely achievable with automation and integration. While tools rarely replace people (successfully), the right solution will create efficiencies and target processes that enable people to prioritize effectively. To that end, here are some final tips:
- Choose a solution that integrates your internal control framework with your policies, your requirements (regulations or standards) and enables you to create “crosswalks” that allow many-to-one mapping efficiencies for control references and evidence items.
- Look for continuous monitoring to ensure you are always in compliance, which can be critical to fluidity in your sales pipeline. Look for integrated risk management that connects your Risk Register (proactive – possible) and Findings (active – actual risk) and your entire risk environment to your control family to allow both proactive and reactive mitigation.
- Finally, API integration with your business systems and your intelligence platforms, all of this, will help reduce the level of employee engagement necessary to maintain repetitive processes and enable a more risk-aware, analytics focused risk program, as well as lower the level of non-practitioner engagement in the functional bureaucracy of risk management.
- Enable your risk team (of one) to focus on supplying intelligence, and applying intelligent risk, and, enable your nonpractitioners to engage with the risk program only where it is meaningful to their work.
CyberOne Security’s modern GRC automation platform supports continuous risk and compliance management that enables business. With CyberOne, you can establish comprehensive security and privacy on a single pane of glass with complete assurance that you are protecting your business, your data, your customer, your revenue, and your reputation.
Happy Privacy AND Security day, week, month year, y’all!
Supplement: The Privacy Landscape from a Regulatory and Standards Perspective
Let’s take a brief look at the regulatory landscape: If regulation has been abundant, agreement on how to protect privacy is less clear and all-important trust is not a factor. Regulations start in US States (CCPA, ODP, NYPA, etc.) and reach most countries (LGDP), continents (GDPR, APEC), archipelagos, and even a few dictator-nations (those last examples may not be entirely true!). You can read a good comparison of US privacy laws from IAPP here. Here are some of the basic differences:
To Opt-In or To Opt-out? ( or, Shakespeare meets privacy…)
GDPR requires businesses to request consent. It defines consent as “freely given, specific, informed and unambiguous” In other words, consumers must “opt in” to any use of their data. Consumers most commonly experience this today in the form “subscribe to” requests, or “Cookie banners” – sadly, not the chocolate chip, macadamia nut variety. GDPR implementation is relatively rigorous, but compliance is also rather vague and largely remains untested by its governing body. GDPR gives lots of guidance on what needs to be done to protect privacy, but it is lacking in the “how”.
CCPA- soon to be CPRA, however, takes a largely “opt out” approach to consumer privacy, effectively requiring consumers to indicate that they do not want to subscribe. Similarly, CCPA takes a more legalese approach to privacy, outlining “must do’s” with little guidance for “how to”.
Setting the Standard
If privacy is not a legal requirement, but you do wish to learn more about approaches, both NIST and ISO have published privacy standards to help you build out controls. You can read about these here:
Security and Privacy…
That brings us to Ohio! Another interesting privacy law is the Ohio Data Protection Act (ODP). This is somewhat under the radar as it is limited to the great state of Ohio, but is a potentially rather important regulation from a legal precedent standpoint. Ohio was the first state to include “safe harbor” for companies, and, in our view, this could be a vital step towards building trust. Where GDPR and CCPA took largely punitive approaches to enforcement of their laws, ODP provides businesses with an incentive to implement and maintain an effective cybersecurity program, providing companies with “safe harbor” or immunity from prosecution if able to demonstrate compliance with a recognized security standard (NIST 800-171, 800-53, FedRamp, CIS, or ISO).
Now, there’s a lot more we can say about the different approaches to privacy