Last Updated on December 3, 2021
New privacy laws are leading more and more companies to build out privacy programs on top of their cybersecurity controls. Though traditionally separate in terms of corporate roles and governance, mounting regulatory pressure seems to be spawning a trend towards merging the cybersecurity and privacy disciplines.
But Jason Powell, GRC and Privacy Consultant at Pivot Point Security, argues eloquently for keeping them separate on a recent episode of The Virtual CISO Podcast. Sharing the discussion is host John Verry, Pivot Point Security CISO and Managing Partner.
How much do security and privacy really overlap?
Security and privacy functions obviously interrelate. For example, security controls may also protect privacy. And many data breaches have major privacy implications. But what does that really mean on a functional level?
“So often, we tack privacy onto security,” Jason asserts. “But I think they’re really two entirely separate disciplines.”
“There’s a portion where they’re joined and they overlap, and it makes sense not to reinvent the wheel,” acknowledges Jason. “But I’m going to go out and say something that may be very controversial to somebody who is a pure security practitioner. And that is, I believe that 90% of your security requirements can be met without PII specific controls. I also believe that 90% of your EU style privacy requirements can be met without traditional CIA [confidentiality, integrity, availability] resource involvement. That’s a very controversial thing to say. But I believe it wholeheartedly.”
Security and privacy require very different skill sets
When you look at the skills involved in security versus privacy, Jason’s argument gathers momentum.
“I like to break things down by what’s involved in each discipline at a very, very high level,” explains Jason. “I think of security as being about 80% technology and about 20% business. And I think most of my peers would agree that’s probably pretty close.”
“When I look at privacy, I think of privacy as about 10% technology, about 60% business, and about 30% law,” contends Jason. “That’s a very, very different skillset when you compare the two. I liken them to two very important disciplines that can be adjacent and even share some resources and concerns, but that really require separate and distinct types of program development and separate and distinct key stakeholders.”
“So, I think I agree with you,” John replies. “I think privacy consumes security. I mean, in order for us to achieve privacy, we need to consume some level of that security. But very often the security practices that are there to support privacy would have been there in some logical context independent of our privacy requirement.”
If you’re coming to grips with a privacy strategy for your organization, you’ll want to hear all of this provocative podcast with privacy (and security) expert Jason Powell: https://www.pivotpointsecurity.com/podcasts/ep66-jason-powell-private-practices-how-to-prioritize-privacy-in-your-organization/
Ready to dive further into how a privacy program could impact your business? You’ll appreciate this related post: https://www.pivotpointsecurity.com/blog/how-privacy-is-driving-the-need-for-information-governance/