Why the Data Privacy and Information Security roles cannot be separate

The growing volume of data, and the complexity of protecting it, are forcing organisations in Singapore and the region to re-evaluate how they approach privacy, the skillsets they need, and the organisational frameworks required to cope as they go digital.


Old-school management processes and professional skills, and the way those skills are deployed, may no longer be optimal for many organisations. Information security experts need to recognise that the challenges they face are constantly evolving.

Gone are the days when legal counsel and data protection officers could be relied on to stand apart as the sole gatekeepers of information. A new breed of information security professional at the top tier of the organisation now has to be intimately familiar with the privacy and data landscape and with the ramifications of new legislation and regulation.

A question frequently asked now is whether the traditional information security and data privacy functions are up to this task, whether they should continue as separate silos, or whether a new approach is required.

The shifting landscape requires a new type of information security and data protection professional: one who can take a holistic view of the issues surrounding security, operational imperatives and data privacy.

Compliance with new and constantly evolving legislation and regulation will be problematic for organisations that do not take a forward-thinking attitude towards data protection and privacy.

Relying on legal counsel and on the traditional skillset of the information security officer will also not protect them from the penalties that emerging regulation and laws impose.

How important data management has become is apparent when one considers how much data is out there. Companies and consumers are expected to generate around 180 zettabytes (ZB) by 2025 according to IDC, and harnessing the power of that data can mean the difference between an organisation's success and failure.

Organisations that deal in large amounts of data are now under enormous pressure both to respect the privacy of the individuals whose data they manage and to secure that data from loss, theft and tampering. Both have become core organisational challenges.

These twin challenges mean that data privacy and information security are increasingly intertwined, so the question has to be asked: why are these two functions different pillars, with different areas of responsibility, in most organisations?

It makes sense for a new breed of executive to combine both, a Chief Security and Privacy Officer, or for the two functions to be amalgamated.

Information security policies and processes cover confidentiality, integrity and availability, and serve to protect data, systems and networks.

Privacy, however, is different. Privacy concerns revolve around a collection of principles and rules that govern how information about individuals, and about legal entities and groups, may be collected, used, disclosed and retained. It follows that good security and privacy practices depend on each other.

Privacy is simply not possible without technology safeguards, and the converse also holds: a well-secured system can still collect or use personal data in ways the law does not permit. So why are the two functions so often divorced from each other in day-to-day operational activity and in strategic planning?

Although the gatekeepers of the two functions interact regularly because of compliance and governance requirements, that intersection is very rarely optimised. In the face of increasing data breach risk and the ever-widening reach of the 'Internet of Things', with the privacy concerns it brings, is it not time for companies to explore a unified function? Merging the two would go a long way toward a new paradigm in data security and privacy.


Merging the two previously separate domains may enable organisations to create a culture of trust and assurance around data. The result could be fewer privacy-related incidents, as well as products and services that are engineered from the ground up to be both security- and privacy-centric.

The way forward requires a new function, that of the above-mentioned Chief Security and Privacy Officer (CSPO): an executive who is open to learning and to driving the convergence of privacy and security roles and responsibilities from the very top of the organisation, reporting directly to the CEO.

Both cybersecurity and privacy have to deal with the risks introduced by the digital transformation that most companies are undergoing. These changes have created new classes of risk. At the same time, cybersecurity and information privacy responsibilities fit very well together.

Information security practitioners often do not understand the human side of privacy, because they have been trained to think about their universe in a very measured, technical way. Yet information security is itself as much a human problem as a technological one. It is by understanding the culture of the organisation, and finding ways to get everyone focused and motivated to keep information assets safe, that we build an effective cybersecurity programme.

The reason for combining both functions into one role is clear. Typical cybersecurity professionals come from a strong technical background, and typical data privacy officers come from a legal background. There is nothing wrong with this, except that each tends to speak in the idiom of their own discipline and therefore has difficulty communicating effectively with senior leadership or the board.

What is needed are cybersecurity and privacy experts who can elevate the discussion to a business context, and be clearly understood, and supported, by non-experts.

A combined function would address both sides of the same coin. It requires a professional who can step back, look at the risks, understand what could go wrong and appreciate the impact on the organisation; who can prioritise, elevate the communication outside their own sphere of expertise, and make sure they are understood by non-practitioners.

There can be little argument that the privacy and security landscape is becoming ever more challenging. The real question is whether an organisation can afford to keep the CISO and CPO functions separate in the face of the rapid convergence of the two roles. Increasingly, industry opinion indicates that a change in approach and mindset is required.

Lim Wei Chieh is the lead organizer for Data Privacy Asia (www.dataprivacyasia.com) conference, which sits at the intersection of data protection, privacy and cyber security and serves as the focal point for Asia’s professionals to learn, network and collaborate.