Tuesday, July 9, 2013

Security/Privacy Personnel, should they be the same?

I have been on the periphery of the discussion about Privacy and Security for a while. The debate concerns how Privacy personnel are not familiar with IT security processes. And I believe it's time to take the bull by the tail and face the situation, so to speak.

My thesis is that there needs to be a concerted effort to develop a liaison group involving people who feel comfortable in both areas, Privacy and IT Security. These people should understand how data is used within IT, and what expectations Privacy places on the organization.

So let's explore.

In the vast majority of enterprises (those that have an IT department and are also concerned with privacy, as all companies should be) there are Privacy officers who deal solely in the Privacy realm (privacy policy, governance, etc.) and IT personnel whose function it is to enhance/maintain/deploy processes to secure the network assets from the 'bad guy'.

But before we delve into this much further, let’s explore some of the foundations of these two organizations.

Privacy requirements come from various regulations and laws. They are formulated/created either by gov't or by professional organizations. Examples include PCI DSS, SOX, GLBA, PIPEDA and the EU Directive, to name but a few.

These regulations/laws, for the most part, are drafted by lawyers, civil servants and professional committees. I digress with a quick joke. What is a camel? A horse designed by a committee.
The point is that, as written, these regulations are not written for the 'common man'. They deal with the legal aspects of privacy and, as such, are written in 'legalese'. So to be able to interpret them, create processes to address them, and ensure compliance with them, it takes individuals who can understand those same rules. That is, someone with expertise in the legal and/or regulatory profession.

Security comes from the technical world: the idea of what kind of security appliances are needed to monitor/secure the systems/network/infrastructure that are in place within the organization. Understanding networking protocols, threats, vulnerabilities, etc. requires someone who understands the technical complexities of the Security realm.

So far so good.

We also understand that to have Privacy, one must have Security; otherwise the organization's public reputation, never mind its ability to function under gov't rules and industry regulatory oversight, may be in jeopardy (i.e. data breaches, etc.).

However, how many Privacy officers know anything about a 'DMZ' or a DLP appliance (to name but two pieces of technical Security phrasing/gobbledygook)? That is the Security guy's responsibility, right?

How many Security personnel understand the ramifications of a stolen laptop with an encrypted disk containing PII from customers in the US, or from customers located within the EU? That is the Privacy department's issue, right?

So that is the dilemma. Each department needs to 'use' the other's expertise. But there is no common language. One group doesn't know what it does not know, and the other assumes that everything is addressed. This scenario is a problem waiting to happen.

So let's take an example. But please note that the following example is only being used to highlight my point. It is an oversimplification of the issues.

A new network is being developed to support an application that is being rolled out shortly. This application contains PII/PHI. In one of the meetings the CPO makes it clear that this type of information needs to be protected/secured. The Security guys go to the back room and incant some magic spells over a rack of computers/servers (sorry, I could not help myself) and POOF, out comes a Security policy/procedure plan for the roll out.

The plan contains the proper role-based access control (RBAC) rules, checks, logs, etc. The Security guys go out for a drink to celebrate the culmination of designing a 'fool proof' Security envelope (as if there were such a thing).

The Privacy person figures out that the proposed process meets the needs and regulations and goes home with a smile on his/her face. Only the people who are authorized to see the information will have the ability to view the PII/PHI.

However, did anyone look at how support is going to be done for this application? The Privacy professional is not a techie and does not know what the 'normal' infrastructure for support/maintenance/development of an application is. And why should he/she? Right?

The CPO has no idea that during the development and support phases of the project, copies of the real data may be created to provide a more realistic test bed for QA/regression testing (see my previous blog entry for a further discussion of this issue).

Did anyone look at the possibility that there may be data leakage within the test/regression system (PII that can be emailed in the clear from a developer workstation)? Did the person responsible for Privacy understand the need for a possible Security hardware deployment within the test environment to prevent data leakage? And where should that hardware be deployed? How do third parties access the data for testing? Should they be able to see the test (or production) data? Should this be considered in a BCP (business contingency planning) document?

The people responsible for Security understand the basic Security 'triad' (CIA: Confidentiality, Integrity and Availability) and have created a process that addresses these requirements. In this case the Security personnel, and maybe the network administrator, have designed a comprehensive plan to secure the network on which the new application will live.

But what do they understand about issues like this: if a disk drive goes missing, even if it is encrypted, they may still need to notify gov't authorities (EU directive). And this must be detailed in any contingency planning.

Do they know that they need to talk to the Privacy department to look at how test data is used and abused?

The above-mentioned questions are rather oversimplified. And of course, during the normal working day, the Security department and the Privacy department would talk to each other. BUT

The old adage is very relevant here: 'I don't know what I don't know'. In the case of the Security personnel, they don't know enough of the Privacy realm to make sure everything is addressed. And the Privacy officer does not know how the data is used, to the point that she/he would not know to look into areas that are not obvious, i.e. test beds, third-party issues, etc.

So what is the answer? Cross-train personnel. (Easier said than done.)

Have the Security department take a course like the CIPP, offered by the International Association of Privacy Professionals. This will give those individuals some insight into the issues pertaining to privacy.
Have the Privacy personnel take a certification course like Security+, offered by CompTIA. However, this may be more problematic because there is an assumption that the person taking this course (or one similar) has some basic knowledge of networking and IT in general.

Failing that, have the people in the CPO office at least try to get the basics of Security down, so the next time the two groups meet they can at least talk a common language. This would help reduce the chance of something being missed, and help projects come in on time.

Sunday, July 7, 2013

Robert Galambos's Updated Resume

Robert Galambos
Mobile: 416-876-2979 · Email: rgalambos@gmail.com

Career Profile:
Over seventeen years of experience as presales engineer and consultant in the software industry, combining high-level sales and marketing knowledge with deep operational experience, technical savvy and cross-functional communication abilities. Extensive experience supporting sales initiatives, managing customer relationships, handling customer service calls and consultations, and maximizing client ROI on software solutions.
Areas of Strength
  • Data Privacy
  • Client Relations
  • Market Analysis
  • Industry Research
  • Security
  • Client & C-Level Presentations
  • Executive Communications
  • Staff Training & Development
  • Data Optimization & Management
  • Oracle/SQLServer/DB2
  • Solution Selling
  • Customer Service
  • Product Demonstrations
  • Technical Consulting

Professional Experience
COMPUWARE, 1996 to 2013
Leading provider of IT software, services and best practices to deliver peak performance for technologies worldwide.
Sales Engineer & Consultant
  • Provided technical analysis concerning Data Privacy to facilitate completion of RFI and RFP responses for various clients, with 85 percent success ratio.
  • Delivered high-impact presentations to clients leveraging strong technical skills.
  • Managed interoperability and alliance between software solutions and customers’ strategic business plans.
  • Helped potential clients understand, compare and contrast several IT solutions.
  • Collaborated with sales to develop cost justifications, business proposals and responses to RFI/RFPs.
  • Engaged and coordinated post-sales implementation engagements.
  • Helped close a minimum of $2 million in sales 13 years in a row.
  • Anointed to learn, support and sell two entire product lines, due to the unique requirement of both English and French support and sales.
  • Contributed to a team that achieved a minimum 97 percent maintenance renewal.
  • Liaised with Product Development and Marketing departments, performed client sales management, and reported on industry/market trends, competition, and needs.
  • Maintained extensive and specialized knowledge of COMPUWARE’s products, customers and competition, to enhance customer service ability and stay current on company offerings.
  • Produced detailed phone support, personal product demonstrations and on-site evaluations of clients’ current software solutions.
  • Responded to requests for information or pricing in an efficient manner and prepared sales package proposals.
  • Trained and lectured clients, staff and executives on various solutions, including Data Privacy and Application Auditing.
  • Facilitated customers and partners, as well as on-site professional services support such as installations and configurations upon deployment of software.
  • Created, updated and disseminated training materials for 10 different software products on both mainframe and mid-tier/distributed environments.
  • Served as Project Manager/Team Lead developing and updating training material with a specific timeline and with the participation of 10 team members.
  • Gained proficiency in MS Windows, MS Office, Salesforce.com, and Data Privacy Solution Mainframe.
  • Was one out of two people chosen (out of 24) to be a mentor for the Professional Development Program, training non-IT professionals to be support personnel.
  • Worked in various realms, including ETL, Data Privacy in the testing space, Data Management and Data Optimization for both short-term and long-term sales cycles.

MONTREAL TRUST / BANK OF NOVA SCOTIA, 1984 to 1996
Premier financial institution providing personal, commercial, corporate and investment banking services to individuals, small and medium-sized businesses, corporations and governments.
Principal Analyst & Team Lead
  • Oversaw the team responsible for financial systems, including general ledgers, accounts receivable and accounts payable within the Trust Unit.
  • Apprised management of more efficient methodologies to ensure better business decisions.
  • Provided guidance, instruction, direction and leadership to the team to achieve key results for clients.
  • Coached and matured the skill level of direct reports in order to continue their long-term development and ensure solid succession planning and departmental success.
  • Liaised with Payroll, HR and Executive Offices as a subject matter expert.
  • Gained proficiency in COBOL, IDMS, and IBM Multiple Virtual Storage (MVS).
  • Created “What if” scenarios and provided support for non-technical end-users.
  • Designed major conversion project for Pension Plan Changes/Acquisition (BNS).
  • Worked with the Finance Team to determine the ongoing business needs and requirements for the reporting of all assets, sales, redemptions, management fees, trailer fees, and advisory fees.

  • Knowledge of security concepts, tools, and procedures to react to security incidents, to ensure that security personnel are anticipating security risks and guarding against them.
CIPP/C: Certified Information Privacy Professional/Canada
  • Demonstrates understanding and application of Canadian information privacy laws, principles and practices at the federal, provincial and territorial levels.
  • Requires completion of Certification Foundation Exam and CIPP/C Exam.
CIPP/IT: Certified Information Privacy Professional/IT
  • Entails understanding privacy and data protection practices in the development, engineering, deployment and auditing of IT products and services.
  • Necessitates completion of Certification Foundation Exam and CIPP/IT Exam.
IBM Certified Database Administrator – DB2 9 DBA for z/OS
  • Validates capability of performing intermediate to advanced tasks related to database design and implementation, operation and recovery, security and auditing, performance, and installation and migration/updates specific to the z/OS operating system.

Concordia University, Montreal, Québec
Bachelor of Commerce, Accounting (1979)