This article was originally written by Michael Legary - Director of Privacy, Security & Compliance at Permission Click
The realities of privacy and security are changing faster than ever and our organizations are poorly equipped to handle the next wave of change.
I had a chance this week to discuss some of the major issues the industry has failed to address and highlight some of the insight executives and practitioners responsible for the culture of privacy and security risk management are using to pivot their assurance programs.
From international enterprises to venture capital funded startups, I talked to executives and practitioners about what they feel are some of the ugly truths they face inside their organizations and what seems to be working to solve the issues. I condensed everything into a presentation I presented for the first time this week (which you can check out here) and have broken down the key insights below.
Ugly Truth: No one cares
Okay, so we start off a little dramatic, but the reality is that a number of Privacy and Security practitioners need to fight this feeling on a regular basis. The reality is a little more defined.
- The business often doesn’t understand how legislation, regulation and industry compliance should fit into the priorities of the organization
- The board often doesn’t know what questions to ask. Privacy and Security topics are often so foreign, or feel so operational, that the board does not discuss them on a regular basis
- Management is seldom accountable for a defined performance metric for the assurance of critical attributes such as Privacy, Security and Resiliency.
Improving the situation: Facilitate the establishment of context, goals and priorities.
Assurance Practitioners, especially executives accountable for Privacy and Security Programs, must build and maintain a respected understanding of the business.
- You need to influence, mentor and motivate your business peers to embed the right balance of Privacy and Security into the culture of the business
- Ensure the board and executives are committed to the value that your assurance program will bring, by getting buy-in regarding the ways Privacy and Security enable the business and enhance service delivery
- Privacy and Security practitioners need to expand and gather new experiences in order to be seen as a respected senior business peer who is known to make the right calls for the business
The Ugly Truth: No one knows where anything is
For many, the cloud is a convenient excuse to put everything somewhere, yet never to understand, document and monitor where somewhere may actually be.
- Cloud and related solutions have created a potentially large, yet unknown, amount of data exposure in the average organization. There is no way of putting the genie back in the bottle; once the data is out, it could be out for good.
- Economics and competitiveness push businesses towards more shared infrastructure, creating unknown and often critical bottlenecks in privacy and security processes as well as BCP/DRP plans
- The flexible workforce prevents data from being truly isolated, yet legal and cultural standards for protection, segmentation and recovery feel constantly in flux.
Round out your Security programs with an assurance architecture
- Trust Architecture & Contract Management are becoming central aspects of an assurance program for any size of business. Use SABSA and TOGAF to implement new business level artifacts that guide Privacy and Security.
- Traditional assessments (BIA, TRA, VA, etc.) should be used to drive architected solutions which include active monitoring of application & data topologies.
- Employee contracts, expectations and processes need to adapt to prevent the long term loss and impacts that the media likes to publish. Practitioners need to forge relationships with Legal and HR to deepen their understanding of Employment Law and the limits of appropriate Human Resources management
The Ugly Truth: No one wants to understand
Again, a tad dramatic, but it’s got your attention. Understanding risk, and communicating it in perspective and with relevance, is hard. Hard enough that many would rather not do it, because it doesn’t feel like a priority or there is a fear of being unable to defend your thoughts in a room of peers and external practitioners.
- The scope and depth of risk management is often poorly defined and maintained
- Systems risk and process risk are seldom managed or reported on as a whole, creating unnaturally high or low reported risk levels
- The relationship gap between privacy, security and the business appears to be growing
Improving the situation: Understand the business, find the data and articulate risk
- Work with the business to have privacy and security integrated into the overarching risk register of the business, not as a silo alone, but as an aligned aspect of each area of risk
- Use methods such as FAIR to integrate technical issues into the risk conversation of the business, ensuring everyone speaks the same language
- Understand what governance means to your organization. Check out OCEG and get deeper about governance training.
The Ugly Truth: No one is doing anything about it
This one is a play on words. Practitioners are working hard, too hard; it is time to work smarter. For many, the burden of legislation, regulation and industry best practice has created privacy and security programs with tremendous breadth and depth in the documentation department, but without a good handle on the priorities of the business.
- Many programs put too much effort into detective and reactive controls. We’ve built the policies, developed the processes, installed the SIEM, hooked up the logging and hired the SOC team, but now we’re fighting more fires than ever before and the business wants to expand the scope of what detection can do
- Design and architecture teams do consider privacy and security as they design solutions, but the business drivers that would align and justify an appropriate level of controls are often missing, and assurance practitioners are involved only after the designs have been developed at the physical level, which limits their ability to be effective and creates unnecessary friction
- Ten to twenty years of having an enterprise privacy and security program in place has led to over-engineering of every solution. No one feels comfortable defining an accountable party and allowing them to develop a solution that they can defend as meeting the needs of the company while still being lean and minimal. The concept of a “Secure MVP” isn’t allowed to exist in many organizations
Build a security program Minimum Viable Product (MVP)
- Focus the design of a solution on the minimum viable components of a program. You can architect in tremendous detail and show all the traceability in the world, but come up with an acceptable way of creating solutions with a basic implementation maturity to enhance the flexibility and speed of solution implementations
- Get priority elements / controls mocked up, linked to accountable parties, and get buy-in fast. An MVP may not do all the things the audience wants, but it does the minimum. We want to work with people in the organization who can confirm we meet the letter of the law, the essence of the compliance requirement and are appropriate for our risk appetite, but no more than that on day one. We can always come back and improve as needs change.
- Link increased capabilities and maturity with new performance goals, measured value and cost structures. To develop this concept of continuous improvement, we need to measure value and performance on a regular basis. Take the concepts from above and tweak what you’re measuring and communicating about your strategies and programs.
The Ugly Truth: The future is coming and we’re not ready
Needless to say, the future will continue to bring new challenges and risks, new opportunities for business and service provision, but what is the security industry doing right now to improve the situation?
I’ll leave the last topic in the video for those who are interested to check out below.