We recently held a panel discussion with Peak’s Gary Myers, FreeAgent’s Richard Grey, Trace’s Sorcha Lorimer, and our own Guillaume Montard to pose the question: “How do you bridge the gap between security and privacy teams?”
If you weren’t able to join us, here’s a rundown of the key takeaways that came up during the chat. You can also find an archive of the discussion at the end of this post if you’d love to watch it in its entirety.
Automate if you can
Every industry looks to automation as a solution to problems with known requirements. That isn’t always an option when it comes to privacy. As privacy requires legal interpretation and ethical perspectives, sometimes you need a human touch.
“Privacy, it’s quite a soft skill to make sure that we’re doing the right things. From a security perspective, we can absolutely automate a whole heap of things.” — Richard Grey
The pipeline is a great place to automate as much as you can. Runtime application protection, static code analysis, and best-practice health checks can all automate the security side. We’re slowly seeing privacy “checks” enter the development pipeline, but that is still a challenge.
This leads us into our next takeaway.
The gray area is the hard part
Security is black and white: you protect the data, or you don’t. Privacy can be much harder: there are ethical expectations, the spirit of the law versus the letter of the law, and so on.
“I think where DevSecOps can come into play when it’s about privacy is to be able to have those questions come up as quickly as possible at the beginning of the lifecycle.” — Guillaume Montard
The unfortunate reality is these privacy concerns come up far too late, sometimes years later. The “move fast and break things” mentality of modern startups permeates into privacy and often means the unspoken “fix things” step comes far too late. The ability to surface those gray area questions early and often—particularly when designing features—is a key way to avoid this problem.
Privacy enhancing technologies can be really valuable
Synthetic data is a powerful tool for balancing the utility of data while ensuring privacy. Regarding its usage:
“Minimizing a lot of the risks by [using synthetic data] and adhering to the best principles of things like GDPR, et cetera, in the process is something that’s absolutely applicable and something we’re doing practically and taking seriously.” — Gary Myers
The risk of looking to new technology to solve a problem is that it can sometimes prolong the solution.
“The issue with thinking that a new technique will solve every problem, is that sometimes you hide the real problem, and it creates more complexity to really understand what to do exactly.” — Guillaume Montard
Tools can be useful, but sometimes simplicity wins.
Richard described a great example of drawing a simple picture of the data flows in an organization to make it easier to understand.
“That picture spoke a thousand words within our company of people knowing what was happening. It’s a tool we can all do with a piece of paper, and that’s worked really, really well for us—and of course it didn’t cost anything.” — Richard Grey
Keeping these foundational documents simple and in plain language helps them move throughout teams and helps anyone in the organization better understand the concepts.
In addition, so many of the tools needed to meet privacy expectations are also the tools needed for security. Both require data flow maps, need to know where their data goes, and who has access, so why not unite those efforts rather than silo them? The tool isn’t the problem, but the separation is.
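The two ideas above, automating checks in the pipeline and keeping one data-flow map that serves both teams, can be combined in a single CI step. The following is an added example, not code from the panel or from any panelist’s organisation: it reads a small data-flow map (the map format, field names and the sample flows are all assumptions constructed for this example) and emits security findings and privacy questions from the same document. Security findings fail the build; privacy findings are surfaced as questions for a human owner, because, as the panel noted, the gray area needs interpretation rather than a hard gate.

```python
"""Added example: one data-flow map, checked for both security and privacy.

The map schema below is an assumption for this example; a real team would
keep its own map in the repository next to the code it describes.
"""
from dataclasses import dataclass

# Constructed sample data-flow map. Each entry describes one flow of data
# from a component to a destination. Every key is an assumed schema field.
SAMPLE_FLOWS = [
    {"name": "signup -> users-db", "data": ["email", "password_hash"],
     "destination": "users-db", "external": False, "encrypted": True,
     "purpose": "account creation", "retention_days": 730,
     "access": ["backend"]},
    {"name": "analytics export", "data": ["email", "page_views"],
     "destination": "third-party-analytics", "external": True,
     "encrypted": True, "purpose": "", "retention_days": None,
     "access": ["backend", "everyone"]},
    {"name": "legacy sync", "data": ["full_name", "postcode"],
     "destination": "reporting-db", "external": False, "encrypted": False,
     "purpose": "finance reporting", "retention_days": 365,
     "access": ["finance"]},
]

# Field names the organisation treats as personal data (assumed list).
PERSONAL_DATA = {"email", "full_name", "postcode", "phone", "ip_address"}


@dataclass
class Finding:
    flow: str
    team: str      # "security" (blocks the build) or "privacy" (a question)
    message: str


def check_flow(flow: dict) -> list:
    """Return the findings for one flow; an empty list means it is clean."""
    findings = []
    name = flow["name"]
    personal = sorted(set(flow["data"]) & PERSONAL_DATA)

    # Security: data moving to another system without transport encryption.
    if not flow.get("encrypted", False):
        findings.append(Finding(name, "security",
                                "data is sent without encryption"))
    # Security: an access list that is effectively "anyone".
    if "everyone" in flow.get("access", []):
        findings.append(Finding(name, "security",
                                "access granted to 'everyone'; narrow to a role"))

    # Privacy questions only arise when personal data is involved.
    if personal:
        if not flow.get("purpose"):
            findings.append(Finding(name, "privacy",
                                    f"personal data {personal} has no documented purpose"))
        if flow.get("retention_days") is None:
            findings.append(Finding(name, "privacy",
                                    "no retention period is recorded for personal data"))
        if flow.get("external"):
            findings.append(Finding(name, "privacy",
                                    f"personal data {personal} leaves the organisation to "
                                    f"{flow['destination']}; confirm the processor "
                                    "agreement and legal basis"))
    return findings


def check_map(flows: list) -> list:
    """Run check_flow over every flow in the map."""
    return [finding for flow in flows for finding in check_flow(flow)]


def summarise(findings: list) -> dict:
    """Count findings per team so both teams see the same report."""
    return {team: sum(1 for f in findings if f.team == team)
            for team in ("security", "privacy")}


def should_block(findings: list) -> bool:
    """Only security findings fail the pipeline; privacy ones are raised early
    as questions for a named owner rather than gated automatically."""
    return any(f.team == "security" for f in findings)


if __name__ == "__main__":
    results = check_map(SAMPLE_FLOWS)
    for f in results:
        print(f"[{f.team}] {f.flow}: {f.message}")
    print("summary:", summarise(results))
    raise SystemExit(1 if should_block(results) else 0)
```

Running the block as written reports five findings (two security, three privacy) and exits non-zero because of the unencrypted legacy sync and the over-broad analytics access list; the three privacy items are printed as questions to take to the privacy owner rather than treated as build failures.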
The world is watching
Customers and industries are savvier than ever before. Laws, breaches, and exploits that used to be known only within the security industry are reaching much wider audiences. We’re even seeing government bodies pay attention to infosec news.
“It’s becoming a mainstay in our regular news, and we have things like the FTC saying specifically ‘if you haven’t dealt with log4j we’re coming after you’…InfoSec isn’t just our little world anymore.” — Gary Myers
This casual awareness from the outside makes internal training and collaboration even more important. The more eyes on internal systems, the better.
It all comes down to culture
Where does the accountability lie? Ultimately, with the leadership team. Privacy and security may be “everyone’s responsibility,” as we like to say, but the leadership team is accountable for making that happen through culture, values, and training.
“Either the leadership of the company thinks it’s very important, and they impose certain language and potentially KPIs that could infuse the [mindset] into the entire organization to make it clear and understandable, or they say ‘well, this is just something for legal. Let the legal people come to us when they need.'” — Guillaume Montard
To put even further emphasis on the point:
“All of the decisions and actions and everything that happens are as a result of the motivations and drives of the people. So, set the values of the organization and set it in the DNA of the organization that ‘this is what we do and this is why we do it’ and people understand that ‘why’ and understand that motivation. That’s where you get a more holistic approach. It doesn’t come any other way.” — Gary Myers
—
You can view the full discussion here:
Thanks so much to the panelists for sharing their insights. Want to find out about our next event? Follow us on Twitter or LinkedIn to stay up to date.