Privacy versus security: it’s a longstanding issue enterprises have been pitted against, made more visible by data privacy measures such as the European Union’s General Data Protection Regulation (GDPR).

But can privacy still be achieved – for consumers, clients, partners and employees – without forsaking high-level security controls? That, too, is a question that has plagued chief information security officers (CISOs), the C-Suite and even boards.

A patchwork of data privacy regulations has drawn attention to the topic in recent years. For some, it has taken GDPR-like mandates to reexamine controls, visibility and resiliency. Nestled in each there lie privacy concerns – and ones that are relatively open-ended.

For many, privacy and security are intertwined; for those with a poor security posture, the opposite is true.

‘Divergence’

Commenting on the fundamental relationship between the two, IT Security Senior Program Manager Jamal Hartenstein told the Cyber Security Hub: “The divergence between privacy and security will continue even though cyber remains so dynamic because legislators and regulators already have a hold on privacy… It is cyber security that remains nascent because technology can’t keep up with hackers and laws can’t keep up with technology.”

Hartenstein cited the separate functions of privacy officers and IT security roles (largely still in effect). He said the former concern themselves with data classification and compliance, while CISOs monitor data flows and technology, and “protect the enclave.”

Altogether, the senior program manager called for “cohesion” between the two, “at least until laws that regulate both move from patchwork to unified governance.”

Similarly, Enterprise Strategy Group (ESG) analyst Jack Poller told the Cyber Security Hub: “The challenge (here) is that many people view security and privacy as opposite ends of a spectrum – maximizing privacy hinders security, and maximizing security necessarily violates privacy.”

Poller explained, however, that this understanding comes from nation-state security. “That privacy and security conflict with each other does not translate directly to the enterprise,” he said.

Can It Be Documented?

“Unlike nation-states, most organizations can secure their data without needing private information about their employees or customers.”

The next hurdle in this discussion, though, is identification. How can an enterprise, agency or data collector delineate a person’s right to privacy while still administering requisite controls?

Hartenstein said, in short, it is difficult due to the aforementioned “patchwork” – and laws varying between states and the federal level. He said that to better enforce security all around, an enterprise must first identify compliance exposure and risk exposure, the former involving exposure to regulations, the latter involving threat vector monitoring and assessments under guiding frameworks.

Poller pointed to the fundamental cyber security principle of “least privilege.” In dispensing this awareness around security, Poller said that security teams must understand that “there is no security through obscurity.” “This principle should be extended to data collection – the organization should only collect that information that the organization needs to provide products or services,” he said.