Integrative Thinking - The Cross-Pollination of Privacy and Security

As an executive of an organization, it is your job to steer the ship in the right direction. However, when different functions see a shiny object through their own kaleidoscope, they steer the ship in different directions in pursuit of the trophy. This ultimately causes the ship to spin, rather than move forward fast. At that point, it is nearly impossible for the captain to course correct.

Kaleidoscope Effect: Steering In Circles

Tunnel vision – we’re all guilty of it and sometimes it works in our favour. Sometimes we just need to focus, to get it done, reach that target, and meet that objective. However, when it becomes the norm across an organization, the view is narrowed.

Within organizations, business functions have very specific objectives to achieve, and they are measured on their success. For example, the security function is tasked with protecting data and assets, while the privacy function is tasked with handling data responsibly and in compliance with legislation.

As each function is provided with specific instructions and is expected to achieve successful results, it creates a cozy spot in its own silo to help it better focus on its goals. In doing so, the function filters out noise or information that is a distraction or doesn't serve its main objective. This dismissive behaviour may discard information that is valuable to the business at large. Consequently, the siloed function's perspective is skewed, lacking context about the greater ecosystem in which it operates. Furthermore, the business unintentionally leaves CEOs and decision-makers assembling a puzzle from fragments, unable to see the forest for the trees.

As in the example above, functions move in different directions, causing the business to spin rather than move towards its destination. This siloed governance is not only wasteful but also a major disservice to the business. When business functions ignore the world around them, the results they achieve are mediocre, creative solutions are stifled, and conflict begins to arise. We often see this with the privacy and security functions. One of the most obvious examples is a privacy breach that stems from a security breach. Rather than responding in a coordinated effort, the siloed response is anything but efficient, conflict arises, and the business is put at risk.

Integrative Thinking: A Path Forward

When functions form an alliance and begin to move together in the same direction, they broaden their point of focus and start to consider factors outside of their tunnel vision. They no longer dismiss information they once thought was irrelevant to their mission and goals. They realize that the other functions working alongside them have a direct impact on their own success, or at least on the success of the business, which in turn affects them.

For example, consider Governance, Risk, and Compliance, also known as GRC. Whereas once they were treated as their own respective functions, namely, governance, risk management, and compliance, organizations recognized the interdependencies between them and began to manage the three functions in a coordinated and integrated manner rather than in isolation. Keeping the functions within their silos would lead to inefficiencies, inconsistencies, and missed opportunities.

Since functions have distinct operating models and outputs, it is common to see hesitation amongst functions to amalgamate. It is important to emphasize that integrative thinking is not about settling for one side over the other. It is not a zero-sum game. Integrative thinking is the ability to hold opposing ideas in the mind and identify the advantages that each side has to offer. It is taking those identified advantages and creating a new, innovative solution (i.e. it is not A vs B, it is the creation of C).

When it comes to privacy and security, NIST already identified the need to have the two functions collaborate:

… the information security program and the privacy program have a shared responsibility for managing the security risks for the PII in the system. Due to this overlap in responsibilities, the controls that organizations select to manage these security risks will generally be the same regardless of their designation as security or privacy controls in control baselines or program or system plans. 

Due to permutations in the relationship between information security and privacy program objectives and risk management, there is a need for close collaboration between programs to select and implement the appropriate controls for information systems processing PII. Organizations consider how to promote and institutionalize collaboration between the two programs to ensure that the objectives of both disciplines are met and risks are appropriately managed.  (NIST SP 800-53, REV.5, Security and Privacy Controls for Information Systems and Organizations).

When it comes to privacy and security, businesses will benefit from a consolidated approach to integrating Governance, Privacy, and Security (GPS) - a third entity that is altogether different than privacy on its own and security on its own. It is the cross-pollination of protecting sensitive data on the one hand and maintaining user privacy on the other hand to create an interconnected element of a comprehensive data protection strategy. The shared goal is to protect the company, to protect data, and to protect individuals.
