Security and privacy often butt heads within enterprises. Why is this, and what can CISOs do to help facilitate...
better collaboration, communication and cooperation between the privacy and information security professionals in their organization?
Information security deals with access to and confidentiality of data. Privacy deals with laws, compliance and risk. Both are critical in the protection of information assets, but both are very different in extent.
However, they are not in opposition; they complement each other. Some depict privacy and information security as vinegar and oil, but if they work together, they make a pleasant vinaigrette.
SANS defines information security as "the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption."
Privacy deals with data. Information security deals with the protection of such data. They cannot exist without each other. It is not enough to know what and where critical data exists. There needs to be a way to apply the proper level of protection commensurate with the risks associated with its value to the organization.
What links privacy and information security are risk and compliance.
Chief privacy officers (CPOs) are responsible for performing a Privacy Impact Assessment (PIA). The PIA states which personally identifiable information is collected and explains how that information is maintained, how it will be protected and how it will be shared.
Peaceful cooperation between privacy and information security depends on collaboration among C-levels. The CISO should seek out the CPO and use the PIA to deploy that level of protection to ensure it meets the risk and compliance levels defined in the PIA.
The CISO should also work with the CPO to provide the board of directors or executive management with a joint presentation on how the information security program has determined and deployed protection of information assets. This gives the program credibility and management support, resulting from a pragmatic and realistic view of information security.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Learn how to use an incident response policy to collaborate better
Find out why HIPAA doesn't do enough for privacy and security
Check out the differences between an active board and a passive board
Dig Deeper on Business Management: Security Support and Executive Communications
Related Q&A from Mike O. Villegas
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading
Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.