Why Privacy and Security Teams Should Collaborate
The perfect bite. If you’re not familiar with the term, it’s the stuff that foodie dreams are made of—that ideal combination of flavors and textures, all the components in a meal operating in harmony.
The thing about the perfect bite, though, is that it’s not random. It happens when ingredients work together—sometimes unexpectedly or unintentionally to the eater—to deliver an optimal experience. How an apple is diced can matter just as much as what type of cheese it’s paired with.
It’s about planning. It’s about collaboration.
Collaboration is the key in so many areas of life, and in business. In our increasingly online economy, critical areas of operations like privacy and security are less and less separate—these days, they go together like watermelon and feta, pears and brie, or apples and, well, anything.
What’s the difference between data privacy and data security?
Data privacy focuses on:
- What data is being collected, who it’s being shared with, and how it’s used
- Individual privacy rights
- Compliance with privacy laws and regulations
- Ensuring data transparency and notices about privacy practices
- Upholding individual rights
Data security, on the other hand, is more focused on:
- Policies and procedures for protecting data from unauthorized individuals
- Protection against cyberattacks from bad actors
Organizations are collecting increasing amounts of data as they seek to create better services and customer experiences. And in this context, a whopping 64% of consumers are concerned that companies aren’t doing enough to protect their data.
Private information won’t remain private if it isn’t protected properly, but there are steps organizations can take to build consumer trust.
Six ways data privacy and security teams can work together
Chief Privacy Officers (CPOs) and Chief Information Security Officers (CISOs) have an opportunity to work together toward a common purpose. Both of these roles are tasked with looking after data, which means that they both can benefit from collaborative data governance. At the same time, privacy and security are different things—different ingredients, if you will—but both are important to the risk management and data governance programs within their organizations.
Let’s look at six ways that privacy and security teams can work together to tackle some of the shared challenges of data governance.
1. Knowing what you have (so you can protect it)
Data inventories are generally one of the first and easiest shared goals to identify. And let’s be honest—unlike dicing apples or slicing cheese, identifying and protecting data are not trivial, low-stakes tasks.
The term “data inventory” may sound like a static record, but when it comes to data governance, organizations must have a living record of systems, business processes, and data. In today’s dynamic digital environment, combining efforts is the best way for privacy and security teams to maintain a living data record.
This record not only identifies sensitive data, but also classifies it according to its level of sensitivity—a helpful distinction for both teams.
Teams should also work closely to develop a shared data classification model, which organizes data into relevant groups based on shared characteristics, such as sensitivity and risks it presents.
2. Demonstrating compliance
When privacy and security teams have a shared data inventory, they can more easily collaborate on data mapping. Data mapping helps the privacy team to demonstrate compliance with regulations and offers the security team a complete picture of the data they need to protect.
Now, how about protecting this data? Establishing standards for data controls including encryption, backups, retention, and destruction processes is a shared task that addresses both teams’ concerns.
Finally, CISOs can help CPOs understand data protection beyond legal requirements. CPOs need CISOs to help educate them on operational aspects of data protection and organizational capabilities and constraints.
This way, privacy officers can raise concerns when something doesn’t feel quite right.
3. Managing access to sensitive data
Confidentiality is a key principle in information security. Managing access to data is one way to protect confidentiality, but it can be challenging. One study found that 15% of sensitive files at organizations could be accessed by any employee, with no regard to “need-to-know”.
When it comes to managing access, most organizations have defined standards and procedures that are set by the security team. However, a requirement of privacy regulations is that personal data is accessed only by those who require the information—the heart of “need-to-know.” Privacy teams must demonstrate that access is managed effectively. This is where collaboration happens.
Together, the privacy and security teams should identify access requirements and relevant data storage locations. The security and privacy teams will both need to understand the current access management procedures to make sure they meet their shared goals.
4. Effectively managing data breaches
Almost half of U.S. companies were hit by a data breach last year, according to the Identity Theft Resource Center (ITRC). No organization expects to experience a data breach, but they do need to have a plan in place for that possibility.
If a data breach occurs, the security team is usually the first to know. However, the privacy team must be involved early and often. This includes during the analysis phase so that they can determine if the breach involves (or may potentially involve) PII or other sensitive data. When breaches of this nature occur, the privacy team needs to be part of the response and notification efforts, since many regulations require organizations to adhere to strict timelines.
By proactively working together to outline the response process and plan ways to meet regulation timelines, privacy and security teams can ensure they are maintaining compliance, even when faced with an actual incident.
5. Cross-populating steering committees
Everyone loves redundant meetings, right?
Okay, maybe not. So why not increase efficiency by having both the privacy and security programs represented on each other’s steering committees and governance efforts?
If possible, some organizations may want to consider combining multiple steering committees into a broader information protection committee that represents the goals of both teams.
This can help reduce overlap and redundancy while effectively helping both parties meet their goals.
6. Identifying impactful projects to collaborate on
Once you get privacy and security working in tandem with one another, take that collaboration global. (And by “global,” we really mean “business-wide.”)
All areas of your business operations benefit from privacy and security insights. Risk assessments? They need privacy and security to [[fill in]]. Contracts? They need privacy and security input to produce contracts that reflect regulatory requirements and include provisions that protect your business’s best interests from a privacy/security standpoint. Marketing? Privacy and security can help ensure that data collection follows best practices, and that marketing projects don’t pose security risks.
When privacy and security team up to support an entire organization, they can provide more value, increase organizational buy-in, and ultimately ensure that privacy and security needs are woven into the fiber of business operations.
Working together to provide training and awareness
With data breaches costing companies an average of over $3 million, organizations can’t afford to ignore training on proper data handling and responsibilities for their employees. Although information security and privacy regulatory requirements vary from state to state, they share much common ground and many common benefits.
Rather than attempting to tackle this separately, privacy and security teams can and should work together to develop a comprehensive training plan that addresses both security and privacy considerations.
Start collaborating with Red Clover Advisors!
With the proliferation of data in today’s digital world, security teams can’t be the only ones worrying about security, and privacy teams can’t be the only ones worrying about privacy. Collaboration can be difficult in a culture of siloed departments, but with coordination and planning, it can break down barriers and help your business develop better operational practices and build trust with customers and stakeholders.
The experts at Red Clover Advisors can help your organization identify the best ways for your privacy and security teams to collaborate on shared goals. This may mean helping teams develop a common language when it comes to data governance or helping organizations understand the spectrum of data governance, which includes both privacy and information security.
Schedule a call and let Red Clover be your guide.