BOSTON — Cybersecurity professionals are increasingly being asked to take on data privacy responsibilities as part of their job function, research from the Information Systems Security Association and analyst firm Enterprise Strategy Group revealed.
The study surveyed 267 cybersecurity professionals, mostly from North America, and 40% of respondents claimed data privacy is a “significantly” new responsibility being added to their job role, while 45% said they believe it is “somewhat” their responsibility.
But 44% of respondents asserted that they haven’t been given the right level of training or clear direction on data privacy.
ISSA president Candy Alexander believes this new development is “scary” because cybersecurity professionals are taking on new data privacy responsibilities, often without understanding what those responsibilities mean.
“The majority of us are recognizing that we now have privacy as part of our responsibility, without fully understanding the impact that it has on us,” Alexander told SecureWorld Boston conference attendees this week. “Because businesses don’t understand our roles, they think that privacy and security go hand in hand, so [they are saying,] ‘here, take this on.’”
While data privacy is highly related to data security, it is not the same discipline, Gartner analyst Avivah Litan said. Cybersecurity professionals are typically not trained in data privacy, she added.
“My take is that companies and employers need to train their security staff on what data privacy means and how it differs from data security,” Litan said in an email interview. “Optimally, this should be done by a seasoned data privacy professional in the organization. They should clarify for the security staff what their responsibilities are regarding data privacy and to whom in the organization the security staff are responsible for implementing their work program in this area.”
Cybersecurity professionals need to support data privacy staff in their mission, Litan said, including compliance with data privacy regulations and rules, and protecting the sensitive personal and private data of customers, employees and other constituents from being sold, resold or used without explicit customer consent.
“Data can be secure, but not private; hence the confusion,” she said.
Marty Puranik, CEO of cloud computing and hosting services provider Atlantic.Net, said he believes data privacy is a broad term and thus companies need to define what it means when delegating such responsibilities to cybersecurity professionals.
“It could be up to the IT professional to investigate and suggest specifics on what would be in the scope of things to be covered,” Puranik said via email.
It is important for cybersecurity professionals to seek out training, peers or mentors that may specialize in the field, he added.
With data privacy regulations like GDPR in full effect and the California Consumer Privacy Act in the works, Alexander reinforced the need for conversations between cybersecurity professionals and data privacy professionals.
“We need to become better aligned and understand what the intersection is, and when do we as cybersecurity professionals hand over the reins to them and they to us,” she said.
Sam Curry, chief security officer at cybersecurity company Cybereason, believes security is about confidentiality, integrity and availability of information and services, while privacy is about data autonomy and where the boundaries of information control lie.
“They absolutely affect each other,” Curry said in an email interview. “In the Venn set, they overlap; but the better analogy is flip sides of a coin perhaps. Today, the roles and data privacy interplay are being figured out, but the CISO is at least a deeply interested party on privacy if not the owner and should be a champion and advocate for privacy rights until companies figure the formula out.”
Security experts agreed that CISOs and other senior executives put in charge of data privacy should engage with their peers and also customers.
“Reach out to your customers and talk to them — perhaps even put a customer privacy council together,” Curry said. “Create an internal privacy event and bring in peers who also touch it to assess risk, opportunities and how it fits with culture and values. Imagine your company as privacy advocates or leaders and set a goal for 2019 that leans into protecting privacy internally, championing it in the community or driving meaningful projects.”