8 Ways to Think About the Relationship Between Security and Privacy

Privacy and security are critical to the design, installation and operational requirements of physical and cyber systems. Over the last 15 or so years, security and cybersecurity have moved from being a begrudgingly funded expense line item to a key resiliency issue for the C-Suite and boards. The same story is evolving around privacy. Privacy has gone from a legal and compliance issue to something critical to people and organizations. 

This focus is driven by the increase in laws around the globe and the increased frequency and reaction to both surveillance capitalism and improper surveillance. Recent laws include the General Data Protection Regulation (GDPR) as well as many privacy and surveillance laws in the United States, Canada, South America, Africa and Asia-Pacific regions. The United States also has a long and growing body of federal, state and local privacy and surveillance legislation for information security and right to privacy. In addition, there are global information technology frameworks and standards such as ISO, NIST and others that now include privacy.

Often you find segmentation in organizations around privacy (lawyers) and security (IT and physical security), which hinders an understanding of the compatibility and interdependency of privacy and security. Embedding security and privacy in day-to-day operations will benefit all and should include the following considerations:

• Remember that privacy versus security is a false dichotomy. Privacy and security complement and strengthen each other in many ways.
• Involve people. This always improves security and privacy, and transfers and decentralizes risk. It also requires an investment in people and security and privacy services.
• Embed security, privacy and usability at the design stage.
• Perform the appropriate risk assessments for identity, surveillance, security and privacy across the business, operational, legal, technical and social goals of an organization and its ecosystem. Privacy isn’t possible without an appropriate level of security.
• Be transparent. Transparency improves both security and privacy. For any cryptographic system to be trusted it must be made public for peer review and selected among a range of candidates. Examples of how transparency improves the strength of security include public revocation lists and public validation endpoints.
• Incorporate reciprocity and proportionality. Reciprocity enables control and interaction with your privacy and personal information as opposed to a catch-all “I Agree” button. Proportionality is a balance of power at the point where a person might agree to something, usually with a legal entity.
• Create a privacy point of contact, landing page and understand your public privacy profile. Empower an individual to be the lead on privacy and work across that organization and business ecosystem.
• Establish a privacy code of practice. This gap is often filled by industry associations that establish codes of ethics, conduct and practice.

The interdependence between security and privacy is critical to how we design and use security systems. With security and privacy appropriately incorporated into day-to-day operations, organizations will be able to more effectively manage risks as well as protect the users of those systems according to evolving legal requirements.