The Untapped Power of Privacy in Cybersecurity - Part 1 of 3
Is Your Cybersecurity Strategy Missing Half the Picture?
One team, One Dream
It's a little-known secret that security and privacy teams are chasing the same goal, often without realizing it:
Protect valuable data from compromise
Why is integrating privacy controls into cybersecurity not just an option, but a necessity? This common blind spot for security teams puts sensitive data at risk, even in organizations that have sophisticated security controls.
Privacy teams have recognized the benefits of incorporating data security controls into every privacy program. But many security programs have yet to widely implement modern privacy controls. Let’s dive into why that is happening and what to do about it.
Part 1 of 3
This is the first part of a three-part blog series where we explore this reality: the integration of privacy and security isn’t always great today, but it could be.
It can be more than just a dotted line on an org chart; it can be your enterprise’s edge against new threats and a differentiator in a competitive business environment.
How did we get here?
Why do privacy teams recognize the value of security so much more than security teams recognize the value of privacy? There are two explanations:
- Reporting Structures: Driven by the security requirements in data protection laws, privacy teams are often in a reporting line with CISOs. 87% of CISOs report that “Governance, Risk, and Compliance” reports to them, and 20% count the Chief Privacy Officer among their direct reports. This has given security leaders significant influence over privacy programs. We couldn’t find a single example of a security team that reports to a privacy leader, so privacy has never had any formal authority over security roadmaps.
- Asymmetrical Forcing Functions: Privacy teams were historically oriented toward legal and compliance functions. In order to manage compliance with data protection laws they had to become proficient with security practices. Meanwhile, security teams haven’t had a forcing function that required them to deeply understand privacy.
But privacy and security functions have become much more similar over the last ten years. As a result of more stringent local and global data protection laws like GDPR, privacy teams have been forced to become much more technical and operational, even spawning dedicated privacy engineering functions.
And security teams face new legal and regulatory cybersecurity rulemaking from the SEC, which requires CISOs to manage complex legal and compliance requirements.
So it’s time for security teams to incorporate best practices from privacy to better secure sensitive data.
Security + Privacy = Data Protection
Security teams and privacy teams both build and operate programs to protect companies’ valuable sensitive data. But despite their shared overarching goals, they focus on different sets of risks.
Security teams focus on thwarting external threats. Privacy teams focus on mitigating insider risk.
Securing the Perimeter
Security teams create a strong perimeter around data assets. If we analogize an organization’s sensitive data to pallets of cash in a bank, the security team builds the vault, the armored transport trucks, and the security cameras. These protections monitor and limit access to the valuable asset.
To protect the perimeter of sensitive data assets, security teams rely on tools like identity and access management, encryption of data at rest and in motion, network security, and application security. These tools protect data by preserving secrecy and confidentiality to prevent disclosure to unauthorized systems and users.
Countering Insider Threats
Privacy teams focus on compliant and low-risk use of the data within the secure perimeter to protect against insider risks. Using the bank analogy: the privacy team sets policies on cash handling limits and performs regular audits to find theft or loss.
To protect against misuse of data within an organization’s perimeter, privacy teams rely on tools like consent management, data minimization, anonymization, and data use monitoring. These tools protect data by detecting and limiting the risky use of data by authorized users.
Don’t worry! If you’re not familiar with these tools, we’ll tackle the most relevant ones for security teams in this post.
Because these approaches are designed to protect data against the risks created by authorized users, they’re uniquely well-suited to tackle the kinds of insider security threats that are hard to mitigate with traditional perimeter-based security approaches.
In a recent survey of CISOs whose organizations experienced a material data loss event, 34% of these events were caused by a negligent insider, and 33% were caused by a malicious insider. Building systems that are robust against attacks from inside the security perimeter is an increasingly important job for security teams.
This difficult set of risks has made it a necessity to incorporate privacy tools and techniques into security programs to address the full spectrum of a company’s data protection needs.
Applying Privacy Tools to Insider Security Threats
There are two privacy-centric tools that can significantly reduce both malicious and negligent insider security risks:
- Data Minimization - Just as security has “shifted left,” privacy has developed a similar focus on preventing privacy issues as early as possible in the data lifecycle. The ultimate “shift left” principle in privacy is data minimization, which requires organizations to collect and use no more data than is strictly necessary to provide their services. If you never collect or store a piece of sensitive data, it can’t be leaked, stolen, or otherwise compromised. Incorporating data minimization questions into vendor security reviews, security-focused checkpoints in the software development lifecycle, and data access processes will reduce the surface area for insider risk.
But be warned: data minimization comes with painful tradeoffs. Convincing your teammates to forgo data they think might be valuable in the future is tough.
- Data Anonymization - Even with very strong cultural emphasis on data minimization, your organization isn’t going to stop collecting sensitive data. That means that there will always be data in need of protection inside of your organization. Anonymization helps minimize the security risks associated with using that data, particularly for AI, machine learning, analytics, and research use cases.
Anonymization makes it very unlikely that individual users can be identified in your sensitive data sets. The data is then no longer personal data, meaning that even when a malicious or negligent insider exfiltrates anonymous data, they can’t cause a breach of personal data! Traditionally, it has been borderline impossible to rigorously anonymize data at scale, but new techniques – including synthetic data – have emerged to unlock this as a core security capability.
Subsalt brings the promise of synthetic data for anonymization to the enterprise, replacing legacy manual processes and techniques.
Subsalt's primary function is to meet the strict legal and technical requirements for anonymization. This entails ensuring the synthetic data carries minimal risk of re-identification and giving the assurances needed to meet the necessary data protection standards.
Subsalt's query engine generates synthetic data tailored to specific use cases on demand. This unique query-time automation ensures that users get the best data for their needs without any synthetic data technical know-how.
Coming Up
In our next post, we will delve deeper into how organizations can anonymize their data effectively at scale and how this capability can be integrated into technical and organizational security controls.
In the last post in the series, we’ll showcase real-world examples where privacy innovations could have averted security disasters, offering practical insights for cybersecurity practitioners.