Oct 1, 2021, 13:12 PM
Riaan De Villiers
To start Cybersecurity Awareness Month, Ross Saunders discusses privacy and cybersecurity.
Privacy and cybersecurity
Ross Saunders is a leading privacy advocate in South Africa. With a background in IT administration, software development, and Governance, Risk & Compliance (GRC), he assists in a wide range of disciplines surrounding compliance, cybersecurity, and privacy.
Throughout the world, data protection legislation is becoming commonplace. Privacy has become a key driver for some of the largest organisations in the world and is on the tip of everyone’s tongues when it comes to data handling. Privacy, in terms of data protection, often takes the form of the legal requirements such as documentation, policies, and procedures needed for handling data – effectively answering the ‘why’ and ‘what’ of protection. The flip side of this same coin is security, the ‘how’ of data protection.
The intersection of privacy and security should not be understated. A key part of most data protection legislation is security safeguards, taking into account the “state of technology”. This accounting for the “state of technology” allows a company to comply with their security requirements in a modern manner, avoiding a prescription in legislation of mechanisms that could soon be out of date, given how quickly technology (and security practice) progresses.
Within the security space, we have the CIA triad: confidentiality, integrity, and availability. These three components are key for legal compliance too. A breach of confidentiality is the most obvious one, that of information being leaked to a third party, followed by a breach of integrity, where data could be damaged or destroyed. Often overlooked is availability: if you have an interruption of service that ends up materially affecting users or consumers, that is indeed seen as a reportable breach.
For these reasons, negligence regarding the state of your cybersecurity (or physical security, for that matter) can be seen to increase your liability in terms of the law and civil action, as well as your risk of attack and downtime. In turn, it’s vital that your privacy strategy addresses security, and that your security implementation considers privacy.
All too often, companies will define their strategy in an aspirational sense, and then claim that their security matches this. Now, there’s nothing wrong with being aspirational, but when you rely on your aspirations as being your current state, you enter incredibly dangerous waters. Whatever your strategy, you must be able to demonstrate and practically apply security now, while still being aspirational for a future state.
The reason this is important at the intersection of privacy and security is that the “Accountability” principle found in most legislation is most readily demonstrated by your operations matching your policy and stated strategy. If you claim to have certain security measures in place, an information regulator can inspect this and use it as a factor in their judgment of any claims. Effectively, when your operations do not match your documented claims, you run afoul of the obligations you set yourself.
With this in mind, you need to ensure that your strategy is achievable. You need to involve both sides of the data protection coin, bringing security and privacy stakeholders into the same meetings that define your strategy. While collisions can occur at these intersections, there needs to be a balance between what is legally required and what is practically achievable.
Often the ideal legal compliance will not be achievable in practice or within budget, and often the most convenient or seamless solution from a technical perspective will not be within risk appetite or compliance obligations. Having these discussions take place up front helps avoid a messy wreckage down the line.