As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Richard Bird, the Chief Product Officer at SecZetta, shares some insights on why it’s time for companies to rethink their views on privacy controls.
Think about your personal life. How much privacy do you expect to have? And how much privacy do you actually have? It’s a hard truth to accept, but privacy doesn’t really exist in the digital universe for individuals. Despite the time, effort, and money poured into keeping people’s information “private,” privacy controls are often a source of wasted resources for most businesses.
The expectation of privacy is a myth. The whole notion of privacy and privacy controls resulted from companies’ irresponsible management of customer data and information. Where would we be if corporations had properly handled customer data from the outset?
Privacy’s Priorities are Misaligned
Aside from privacy controls not being an efficient use of resources, there are other things organizations need to come to terms with when it comes to their privacy strategy:
- Privacy is compliance-driven to a fault.
- Government mandates are reactive and unachievable.
- Privacy is a business problem, not a security one.
Let’s drill down into these further.
Privacy is Compliance-Driven (But There’s a Disconnect Between Privacy and Security)
Privacy programs and security controls have never been well connected. Instead of taking appropriate steps to ensure customer data is well protected, many organizations try to achieve “privacy” (quotation marks intentional) only to satisfy attorneys who seek to check a box in compliance assessment categories. In the meantime, there’s no progress on the industry side. Information security businesses and organizations aren’t building appropriate solutions or controls that guarantee privacy. This has created a massive disconnect among stakeholders within the privacy and security spheres.
Compliance-driven organizations are nothing new to most security professionals. When it comes to third parties, most organizations feel that completing regular audits provides adequate protection against looming cyber threats. But, again, compliance doesn’t equal security. Compliance-related exercises are just one pillar of a comprehensive, thoughtful, and well-executed security program.
Government Mandates are Reactive and Unachievable
Government regulations are seldom forward-thinking. Instead, they tend to be reactive measures put in place after something terrible happens. Governments have issued privacy mandates in response to corporate mishandling of data, not necessarily because it’s the right thing to do or the best way to address privacy concerns, but to signal that they’re taking action. As a result, these regulations often create expectations that companies can’t realistically meet.
Think about how much time and money is spent on General Data Protection Regulation (GDPR) compliance, or on its less stringent California counterpart, the California Consumer Privacy Act (CCPA), so that people can opt in to, accept, or deny all cookies for information most businesses already hold. What’s the point? In this case, it seems more about regulatory compliance than truly protecting people’s personal information.
Privacy is a Business Problem, Not a Security Problem
Security professionals are often tasked with responsibilities related to an organization’s privacy program. However, the volume of consumer data businesses have collected over the years poses a disproportionate risk to security teams given the sensitive nature of personal, financial, or health-related data. On the other hand, consumer data is inherently more valuable to businesses, as it can provide audience and market insights and inform organizational decision-making. As a result, privacy is much more of a business problem than a security one.
For businesses to address this responsibility, they must start taking accountability for the health and welfare of each customer relationship. Take Apple, for example. Apple’s new operating system handles data privacy in a revolutionary yet practical way. The privacy settings are highly customizable, enabling users to provide or deny their consent for tracking across the device. By doing this, Apple rapidly expanded individuals’ choices and prioritized their customer relationships.
The Conversation Needs to Shift from Privacy to Choice
Once you’ve accepted these truths, it’s easy to see what needs to happen next: the conversation must shift from the idea of privacy to the reality of choice. Rather than taking measures to secure large volumes of sensitive consumer data and risk unfortunate mishandlings or data breaches, companies should be giving individuals the right to determine what data they want to share and with whom they want to share it.
When an organization puts too much attention on measures like increased privacy controls and isn’t focused on building a solid identity and access management program, it is at greater risk for data breaches, cyber-attacks, and other potential harm. Here are three critical cybersecurity practices on which organizations should be focusing their time and attention:
1) Refocus on Fundamentals
Too many organizations are distracted by new technologies, concepts, and conversations. Their security practice falls by the wayside, with no clear strategy to ensure cybersecurity fundamentals align with their current business practices. The result is programs designed to support outdated business and IT environments that persist and perpetuate a false sense of security.
Organizations need to hyper-focus on cybersecurity fundamentals like identity programs. Today’s workforce evolution and migration to the cloud call for risk-based identity programs that manage access at the identity level for every population that holds access: employees; third-party non-employees such as suppliers, partners, and contractors; and non-human identities such as bots and devices.
2) Take a Holistic Approach
Rather than focusing efforts on compliance-influenced activities, organizations should build their security and risk management approach based on their program, user, and customer needs. As digital transformations advance, so too must privacy controls, security programs, and risk management strategies, including for third parties.
Organizations that take a holistic approach to risk management through a purpose-built, scalable, and automated solution will find they’re no longer just checking a compliance box. Instead, they will be enabling a more consistent and agile risk management program to protect themselves from cyber risk.
3) Mitigate Third-Party Risk with Automation
We’ve established that the expectation of privacy is a myth. But here’s what’s not: the third-party connection to many of this year’s most significant cyber events. Businesses increasingly rely on third parties to drive meaningful innovation and customer value. However, most organizations lack a consistent and repeatable way to centrally track and manage their relationships with third-party non-employees and the access to enterprise assets those relationships require. Further complicating this challenge, every third party an organization brings in expands its attack surface and exposes it to additional cyber risk.
Organizations need to automate best practices for managing the dynamic relationships required by their third-party resources and redefine the lines between identity and risk management. Only in this way will they be able to truly mitigate risk and safeguard valuable consumer data from malicious actors.
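As an added illustration of what “centrally track and manage” third-party identities and “automate best practices” can look like in practice (this is example code written for this page, not part of the original column and not SecZetta’s product), the Python below reconciles a register of non-employee engagements against a directory export and emits the actions an identity program should take today: disable accounts with no engagement or sponsor behind them, disable accounts whose engagement ended past a risk-tiered grace period, warn the sponsor when an engagement has just ended, and require recertification of accounts that are active but dormant. The engagement fields, risk tiers, grace periods, the 90-day dormancy threshold, and all organizations, usernames and dates are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Engagement:
    """One third-party relationship as the business records it (assumed fields)."""
    identity_id: str   # links the relationship to the directory account
    org: str           # external organization the person or bot belongs to
    sponsor: str       # internal employee accountable for this relationship
    end_date: date     # contractual end of the engagement
    risk_tier: str     # "high" | "medium" | "low" (assumed tiering)


@dataclass(frozen=True)
class Account:
    """One directory account as the identity store reports it (assumed fields)."""
    identity_id: str
    username: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Action:
    username: str
    action: str   # "disable" | "notify_sponsor" | "recertify"
    reason: str


# Days an account may outlive its engagement before it is disabled (assumed policy).
# An unknown tier gets no grace: the fail-safe direction is less access, not more.
GRACE_DAYS: Dict[str, int] = {"high": 0, "medium": 3, "low": 7}


def reconcile(engagements: List[Engagement], accounts: List[Account],
              today: date, dormant_days: int = 90) -> List[Action]:
    """Compare enabled accounts with the engagement register and return the
    actions to take today. Accounts that are already disabled need nothing."""
    by_id = {e.identity_id: e for e in engagements}
    actions: List[Action] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        eng = by_id.get(acct.identity_id)
        if eng is None:
            # Live access with no sponsor and no engagement behind it.
            actions.append(Action(acct.username, "disable",
                                  "orphaned: no engagement or sponsor on record"))
            continue
        grace = timedelta(days=GRACE_DAYS.get(eng.risk_tier, 0))
        if today > eng.end_date + grace:
            actions.append(Action(acct.username, "disable",
                                  f"engagement with {eng.org} ended {eng.end_date.isoformat()}"))
            continue
        if today > eng.end_date:
            cutoff = (eng.end_date + grace).isoformat()
            actions.append(Action(acct.username, "notify_sponsor",
                                  f"engagement ended {eng.end_date.isoformat()}; access is "
                                  f"disabled on {cutoff} unless {eng.sponsor} extends it"))
            continue
        dormant = acct.last_login is None or (today - acct.last_login).days > dormant_days
        if dormant:
            actions.append(Action(acct.username, "recertify",
                                  f"no login in {dormant_days} days; sponsor {eng.sponsor} "
                                  "must confirm the access is still required"))
    return actions


def sample_engagements() -> List[Engagement]:
    """Constructed sample register: not real organizations or people."""
    return [
        Engagement("tp-001", "Acme Logistics", "jdoe", date(2022, 6, 30), "medium"),
        Engagement("tp-002", "Contoso Audit", "asmith", date(2022, 3, 1), "high"),
        Engagement("tp-003", "Fabrikam Dev", "jdoe", date(2022, 3, 20), "low"),
        Engagement("bot-007", "internal", "ops", date(2099, 12, 31), "high"),
    ]


def sample_accounts() -> List[Account]:
    """Constructed directory export, including a bot and an orphaned vendor login."""
    return [
        Account("tp-001", "acme.contractor", True, date(2021, 11, 1)),
        Account("tp-002", "contoso.auditor", True, date(2022, 3, 21)),
        Account("tp-003", "fabrikam.dev", True, date(2022, 3, 19)),
        Account("tp-999", "mystery.vendor", True, date(2022, 3, 15)),
        Account("bot-007", "svc-etl-bot", True, date(2022, 3, 22)),
        Account("tp-004", "old.partner", False, None),
    ]


def run_example(today: date = date(2022, 3, 22)) -> List[Action]:
    return reconcile(sample_engagements(), sample_accounts(), today)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.action:15} {a.username:18} {a.reason}")
```

Run against the constructed data for 22 March 2022, the dormant contractor is sent for recertification, the auditor whose high-risk engagement ended on 1 March is disabled immediately, the low-risk developer whose engagement ended two days ago triggers a sponsor notice with the 27 March cutoff, the vendor login with no engagement on record is disabled as orphaned, and the active bot and the already-disabled partner account produce nothing. The point is that every one of those decisions depends on a record the business owns (sponsor, end date, risk tier), which is why it cannot be automated until the relationship itself is tracked centrally.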
- Why It’s Time to Rethink Your Ideas on Privacy Controls - March 22, 2022