Privacy Professional ≠ Infosec Professional

We’ve experience over 30 million records breached already this year in the US alone. That’s an incredible number. Sloppy security is usually the culprit and this is well known and documented as evidenced by executives all around the world are throwing money at the problem.

However, there is a kissing-cousin to this problem that seems to be getting the governments attention but doesn’t have the apparent visibility in the board room: Privacy rights violations.

Google’s missteps with Buzz landed them a n order from the FTC to audit their privacy practices for the next 20 years. Facebook dodged a bullet recently by settling with the FTC over their privacy violations as well. The big story this week has been the revelations of CarrierIQ.

These are only a small sample of the privacy violations that could have easily been avoided if someone was just paying attention to privacy rights when these projects were conceived. A lack of attention to these type of issues are costing companies millions of dollars and garnering plenty of negative public attention.

The big question is why aren’t these otherwise smart companies paying attention? My bet is that it’s because the business side of operations is relying on the information security professionals to make privacy decisions. The IT department are generally not the right folks for the job.

At their heart, the fields of privacy and information security both share the goal of minimizing the risk of data loss or misuse, and it is this kissing-cousin closeness in definition where the confusion starts. However, often time vocabularies, policies and regulations from each discipline conflict and confuse each other.

As it stands today information security has clear rules and regulations to follow. It’s a well understood professional discipline and regarded as important at the board level. Privacy isn’t there, yet. Privacy pros face laws and regulations that sometimes don’t make sense and often vary widely depending on culture norms of locale.

For those that have seen both disciplines in action the differences are clear enough, but I find myself so often failing to clearly explain the difference to others that I’ve developed an analogy. Think of the field of information security like the US National Guard. There job is to protect the homeland, including it’s people and assets, from the outsiders (foreign invaders). Privacy professionals turn that good guy versus bad guy analogy around. They are protecting the outsiders (customers, patients, etc. — anyone whose personal information they hold) from the homeland (marketing, customer service, human resources — anyone who might misuse the data).

The differences are subtle but understanding that the value of each profession is distinct can save a company from making costly mistakes. Bottom line: Understand there is a significant difference between security and privacy and make sure the right people are on board on a project from the beginning because it could save you a ton of time and money down the road.

 
0
Kudos
 
0
Kudos

Now read this

Privacy and Our Humanity

I’ve come to the realization that all of the issues surrounding privacy, whether they be political, legal or cultural, are nothing more than a response to fear. This realization is changing my point of view. I’m no longer viewing privacy... Continue →