Security and Privacy: Twins of Different Mothers

Published: May 14, 2008

Viewpoint

By Tom Gemmell
Principal Privacy Program Manager, Microsoft Corporation

See other Viewpoint articles.

Born of the necessity to protect the property rights of rightful owners and custodians and to intelligently manage the risks associated with those rights, security and privacy practitioners have to help each other successfully manage the risks associated with collecting, holding, and using private and sensitive information about employees, customers, partners, and others. This article discusses how security and privacy professionals can get beneficial results by closely aligning their work.

Situation & Assertion

A growing number of security attacks are targeting personal and sensitive information even while the efforts security and privacy professionals make to protect that information are diluted by an ever-increasing breadth of threats. At the same time, regulators continue to apply pressure for privacy compliance, and consumers are voicing concerns over the privacy of their information. To combat these threats to personal data, companies need to develop a proactive, strategic approach that drives greater collaboration and intra-organizational planning among security, privacy, and business leaders. Specifically, security and privacy professionals can investigate information-security and data-governance improvements through “people” dimensions to augment and complement “process” and “technology” improvement activities. Ideally, all three dimensions would be in deliberate alignment, but this discussion focuses on people because recent research indicates they may not be getting the attention they deserve.

In October 2007, the Ponemon Institute, LLC independently published a study1 to understand the perceptions of information stakeholders on how privacy and data protection risks are being managed in their organizations. More than 3,600 information security, privacy, compliance, and marketing executives from a variety of industries across the public and private sectors in the United States, United Kingdom, and Germany participated in the study.

Highlights of the findings from that study are as follows:

  • The three organizational groups (privacy, security, and collectors/users) closest to the protection and use of personal information are not working as closely as they could to manage private and sensitive information risks.

  • There are significant benefits to organizations that take a holistic (people-process-technology) approach to the management of privacy risks.

In addition, a key finding in Deloitte’s 2007 Privacy and Data Protection Survey2 raises serious concerns and questions regarding the long-term success of the privacy function in meeting privacy objectives, and points to the lack of common primary and/or secondary reporting structures for both security and privacy professionals as the presenting symptom.

It’s apparent that many organizations have significant people-oriented changes that could offer large potential returns.

Going back to the October 2007 Ponemon study, the significant findings provide ample guidance toward opportunities for security-privacy collaborations. Here are the most applicable findings:

  • Collaboration among security and privacy practitioners in an organization seems to reduce the risk of a compromise or breach of personal information. Organizations with poor collaboration between security and privacy professionals were more than twice as likely to have suffered a data breach in the past two years as organizations with good collaboration.

  • People who collect and use data don’t often consult with security and privacy professionals. Although 78 percent of security and privacy professionals believe they are regularly consulted by marketing colleagues on the collection and use of data, only 30 percent of marketers said they actually did consult them.

  • Security and privacy professionals believe negligence in data use and sharing is the biggest threat to data protection practices. Fifty percent of privacy and compliance professionals and 35 percent of information security professionals cited negligence and mistakes in data use and sharing as the top risk.

  • Privacy and security practitioners are aligned in their perceptions that companies are at risk if data protection practices are lax.

  • Avoiding threats is the top business driver for security professionals, and regulatory compliance is the top driver for privacy and compliance professionals.

  • Who has the most influence over the company’s data protection practices? Each group sees itself as being most important to determining data protection practices in its organizations. Among groups, 33 percent see themselves as most influential, while less than 16 percent of information security professionals see privacy and compliance as being most influential.

  • Organizations in which there is a lack of effective collaboration and a higher incidence of data breach have a strong desire to formally combine privacy and security roles. Fifty-two percent of those polled who reported a reasonable level of collaboration between security and privacy professionals were supportive of formally combining their responsibilities under common management. Conversely, where collaboration was reported as poor, more than 80 percent of respondents indicated a strong desire to formally combine the roles.

We’ll take a closer look at what might be done to remedy each of these. Fortunately, Microsoft published its fourth version of the Microsoft Operations Framework (MOF) in April 2008. MOF devotes a lot of attention to people related topics within its Team Model for Operations. Interestingly for a process heavy topic, it recommends initial improvements that emphasize people rather than technology or process:

“Traditionally, organizations start improvement efforts by working on implementing or improving their use of technology or their processes. Starting with people improvement instead—by focusing on accountabilities, roles, and responsibilities—is easier to understand and less abstract than process, which means it can be adopted more easily. When people understand what to do and how to do it, improving process and technology becomes much easier.”

Fortunately, the MOF Team Model provides specific guidance for teams working toward shared goals. (e.g. security and privacy teams working to ensure information security and risk management):

  • Separate plan-driven and interrupt-driven work: Plan-driven or proactive work should be predictable, in terms of what gets done, how much time is spent getting it done, and when it gets done. However, if that sort of work gets mixed with reactive work, the predictability gets lost.

  • Put the right people in the right roles: Once the role type has defined the work to be done, it makes sense to look for people who have an aptitude and personality type that lend themselves to that sort of work. For example, Operations Accountability has an Operator Role Type associated with it, with responsibility for work that has predictable results. It makes sense to staff that role type with someone who enjoys standardized, predictable work, and who does well at following instructions.

  • Encourage advocacy: Advocacy offers a way to represent different points of view, and it helps ensure coverage for all types of work that need to be to be done. Advocacy encourages good decisions and effective and efficient processes.

  • Start with accountability: The accountable person has the power to ensure that required work gets done and is ultimately held responsible for the work that occurs.

  • Make responsibilities clear to the owner: The responsible person needs to have a clear understanding of what has to be done.

  • Combine accountabilities and role types where appropriate: Some accountabilities and role types can be combined for scaling purposes, and some cannot. (For example, it would be inadvisable to combine the role types Test and Development or the Solutions Accountability with Operations Accountability.)

  • Ensure constant coverage in operations: Because of the critical nature of Operations work, it is important to assign work in a way that ensures constant coverage in that area. Generally speaking, it is a good idea to assign resources to Operations first, to Support second, and to Solutions third.

Suggestions & Remedies

We’ll use these guidelines to look for clues on what might be done to remedy each of the findings in the Ponemon study. Taking each of the findings separately, here are tactics for improving security-privacy collaboration.

  • Collaboration among security and privacy practitioners in an organization seems to reduce the risk of a compromise or breach of personal information.

    Much of the work that security and privacy professionals deal with can be separated into interrupt and planned groups. Interrupt work, such as that associated with incident and problem management, can be managed through a common remediation and escalation method. Both groups are thereby working in closer association by virtue of sharing a common system and community of experts. There are also possible productivity gains flowing from a reduction of systems to be administered. Planned work, such as proactive programs to improve overall practices (of which training is an example), will also benefit by joint ownership. Collectors and users of sensitive data can be trained on information security and privacy policies and practices. This can help the business better understand the roles of security and privacy as protectors of the organization’s assets and mission.

  • People who collect and use data don’t often consult with security and privacy professionals.

    While not a surprising finding, this is something that security and privacy professionals can help each other with in a variety of ways. For example, security and privacy practices often involve the designation of “champs” embedded within data collection and usage groups that are responsible for field- and ground-level practices. At Microsoft, these champs have specific performance commitments and resource allocations to assure the functional group is appropriately managing security and privacy policies. As internal functional group experts, champs have the potential to address privacy and security topics, and, importantly, to provide input and guidance to the security and privacy experts on emerging challenges and potential practice improvements. The guidance here is to connect champs to a community of combined security and privacy professionals to ensure that they get the best support possible and that practice professionals have visibility into issues and topics that drive collaborative engagements.

    This is also clearly an area in which training can make a difference. Too often, data handlers in functional groups simply don’t know what their responsibilities are. Train them. And since many of the responsibilities associated with security and privacy policy are quite similar, it can help to combine basic training and offer data handlers a single inquiry and escalation path when they need to reach professionals.

    The privacy training program at Microsoft has been the subject of a “best practices” case study by Forrester Research and can be modeled from its publication.3

  • Security and privacy professionals believe negligence in data use and sharing is the biggest threat to data protection practices. Preserving or enhancing an organization’s reputation and trust is important, especially for professionals who collect and use data.

    While considering this and several of the other findings, indications are that there is vast opportunity to work effectively with business groups. Indeed, because the priorities of business groups are to preserve or enhance reputation or trust even while seeing the risk that arises from negligence and mistakes, they can be expected to respond appropriately to the rationale that it is harder to regain lost trust than it is to protect trust as a matter of routine. Borrowing again from the MOF Team Model, this can be taken further: Attach responsibility and accountability to the business roles for expanding their scope of priorities to include best practices that keep trust intact by protecting the data held for customers.

  • Who has the most influence over the company’s data protection practices?

    Perhaps it is human nature that we view the world through our own lenses. While it is encouraging, since it indicates a willingness to take responsibility, that each functional group views itself as the most influential over data protection practices, progress might involve each group understanding why the others hold their views. The outcome should aid in cleaning up accountabilities, separating and combining plan-driven and interrupt-driven work, clarification of responsibilities, definition and accountability for controls, and more.

  • Organizations in which there is a lack of effective collaboration and a higher incidence of data breach have a strong desire to formally combine privacy and security roles.

    Guidance from the MOF Team Model is to start with accountability. Microsoft itself provides an interesting case to help illustrate the potential for reducing breach risks. A little more than five years ago the company joined privacy and security organizations under common executive management in concert with the launch of the Trustworthy Computing Initiative. Since that time, Microsoft has implemented the Security Development Lifecycle and the associated Microsoft Privacy Standard for Development; company-wide, role-based training; a worldwide privacy champs community; and it has created an abundance of new privacy and security enhancing technologies, products, and solutions.

Summary: Planning for Security-Privacy Collaboration

A method for identifying common ground to build collaborations between privacy and security professionals can be a simple data lifecycle. In the lifecycle illustrated below, information flow through an organization can be characterized over time—and by how it is accessed by multiple applications and people for various purposes—to clarify the various areas in which the organization should deploy technologies to protect private information. Security and/or privacy professionals will be chartered with these deployments while the model serves to represent that, as a whole, the over-arching purpose represents one very large and complex ecosystem of people-process-technology interdependencies.

We’ve learned that security and privacy professionals can work together—discovering together and collaborating with each other to better serve their organizations and their customers by protecting private and sensitive information.

Figure 1
  1. “Microsoft Study on Data Protection and Role Collaboration within Organizations,” Microsoft Trustworthy Computing Group

  2. http://www.deloitte.com/dtt/cda/doc/content/us_risk_s%26P_2007%20Privacy10Dec2007final.pdf

  3. Case Study: Microsoft Customizes Multilevel Privacy Training for Its Employees, Jennifer Albornoz Mulligain, Forrester Research, August 22, 2007

Show: