Tuesday, April 30, 2013

Stakeholder/Privacy/Security Oh My


To continue with the theme I presented last time in which I discussed the differences between privacy (first pillar) and security (second pillar), I want to add a third pillar, that of the stakeholder. 

It seems obvious that he/she should also be included in any discussion along these lines. And yet stakeholders can only add complexity to the equation.  But before I begin, here are a couple of notes. I received a number of comments concerning the previous post. Some people commented about the fact that any discussion should include other interested groups as well. And as you will see, that is exactly what I will be doing here.   Yet I would be remiss unless I addressed another issue that was also brought up. 

What I 'd like to do, and only you, the reader, will be able to determine if I am successful, is to highlight the 'human' factor in this equation. As we move more and more to depending on, exploring, and exploiting the technology we use/rely on, we have had to develop tools to manage and control the reliance on the same technology. We have tools to check the code for security holes. We have tools to make sure we develop compliance processes. We have tools to help the auditors to verify systems, etc. 

Yet the one aspect that is forgotten in this mix is the human factor. He/she is the coder, the report writer, the auditor who verifies the results. etc. No system is fool proof and no human is perfect, except you the reader.   So why bring this up? I do so because some of the comments I received include the following: 'a security/privacy system that is put in place will address the wide divide between humans and technology/compliance'.

In response to this I say that tools are important, but we must realize that the tools are not the entire solution to this quandary. We need to understand entire eco system so we can successfully address the issues of Security, Privacy, Regulation, and Compliance. That being both the technology we use, and the tools we use to control/enhance it. 

So let's begin My objective in the previous blog was to highlight some of the inherent issues that prevail within the privacy/security domain. Here I want to explore the added complexity by adding the involvement of the stakeholder to this process.  Let define some terms. A stakeholder is the 'outsider'. The person who ultimately gains from the process being discussed. For a lack of a better way of definition, the owner/holder of the data in question. This can be a VP of the product line, the director of the stores, the sales manager etc. He/she is the one who can say, without question, 'the buck stops here". 

Generally speaking he just wants good end results. Most stakeholders see the added cost of implementing a well defined privacy policy/practice in place as an overhead that needs to be controlled. 

They want to make sure their data is safe but ask them if they think the added cost of security systems in place is, for example, worthwhile to prevent internal development personnel from having access to the real data, they would balk. (Note this is a generic over simplified statement, but I use it to make a point). To address this issue I point to a number of organizations that rely on non disclosure agreements (NDA)  the only protection to address the above mentioned issue. This is 'cheap' to implement and easy to maintain. Yet I hope you, the reader, understands that this solution is like having your teenager promise they will clean up the room. A good idea but without any other incentive probably doomed to failure.

The problem here is that we all have different views on the same situation. We come with different experiences, responsibilities, education. While the stakeholder is ultimately the person responsible (For further info along these lines read about the SOX act that was passed in the US), she/he may not know how a truly good governance regulation compliance (GRC) process is created. And in fact he might not even know why the company needs one in the first place.

So taking the analogy I used in my previous post(how security personnel and privacy professionals look at a 'square' and see it differently), the stakeholder is the owner of the 'square'. He holds the square but has no idea how it is constructed but only knows how the square is used, IE. not how the WEB application works. Only that a customer can sign in and order the widget.  So what can we to do? The answer I suggest is fairly simple. Education. 

The privacy officer must educate the interested parties. These parties include the stakeholders, the IT personnel Given that there is a privacy officer already in place means that the first step has been taken. The people who work on security need to educate everyone on what needs to done and what it takes to get it done.

The security personnel need to interpret the requirements and educate the parties on how this is implemented. Why does it extend the software development cycle. So in other words by educating the parties they can justify the time and materials that will be needed to produce eco systems that achieve the goals set out by all the interested parties within a manageable framework.

So to help the reader, I am suggesting a couple of different resources that can be used to help. 

1) A short piece on how to explain HIPAA to the layman (Stakeholder). It also provides some additional reading that may be of interest.


2) A very interesting website that targets NON lawyers with information concerning privacy. There are a lot of very good additional links that can be of some help. Please note that this site deals mostly with US laws.


3) Another good resource for educational purpose is the Electronic Privacy Information Center website. Once again, mostly US information.


4) On the consumer side of the debate, a list of resources can be found at 


5) And finally, two studies that come out yearly. 

       A) One is the Telus security group yearly that looks at the state of Canadian companies security. It has 5 recommendations as well as pointers on how to try to make security more prevalent in the workplace. Registration is required.


        B) The other one is the Verizon security's 2013 Data Breach Investigation Report. This report is a yearly report that encompasses expertise and information from various international organizations responsible for the reporting and investigation of data breaches. If you do not look at any  other resources listed here, then this is the one to read.


Please note the opinion of the individual authors/websites are their own, and I do not advocate, agree or dis-agree with the opinion expressed.
And this is just a sample of various resources that are available to help with the issues described above. But ultimately it is up to the individual to make sure they adhere to the best practices within their industry and Country.

Till next time

View Robert Galambos CIPP/C CIPP/IT VA3BXG's profile on LinkedIn

No comments:

Post a Comment