It’s Time to Combine Security and Privacy Awareness Training
This article was originally published on CPO Magazine.
Meet Bob. Bob’s an employee at BigCorp, and he’s confused.
He’s got info security folks requiring him to take annual training, posting educational videos, and sending simulated phishing emails all the time. Then he’s got the privacy team requiring training of their own and inviting him to “lunch and learns” on privacy by design.
But when it gets right down to it, Bob doesn’t understand quite where security ends and privacy begins. When he asks, the privacy and security folks are perfectly happy to go on at length about how different their two domains are—but it often sounds like an old Miller Lite beer ad: “Tastes great!” “Less filling!”
To Bob, it’s all about protecting data. He wishes that security and privacy would come together to present a single, coherent message. The best chance for this to happen is for security and privacy professionals to collaborate and bring their awareness efforts together into a single, unified effort. And the time is now.
The Time is Right
It’s clear that the conditions are ripe for a merger of the security and privacy domains, at least in the way they communicate about risk to employees. After all, both cybersecurity pros (battered by hacking attacks and ransomware) and privacy pros (pressed by the demands of the GDPR, the CCPA, and whatever comes next) are keenly aware that all the technical controls and policies won’t do any good unless employees are engaged and play their part in their day-to-day jobs.
When it comes to employee awareness, security and privacy share goals that are largely the same—both want employees aligned with the mission to create a more secure, trustworthy, and risk-aware culture. And both use similar methods to achieve those goals: both rely on training and ongoing communication to reach employees.
There are important differences in the domains, from the nature of the risks that need to be mitigated, to the ways those risks present themselves to users, and finally to the expansion of some risks into the broader social context (think Facebook and the 2016 elections). Exploring these differences can clear the way for the merger of security and privacy programs—at least when it comes to awareness training.
The Risks are Different
The security and privacy professions have always found kinship over a certain type of risk: the risk involved in securing the personal data that the organization gathers. Privacy pros recognize that part of their responsibility is to designate appropriately secure places to store data, and security pros recognize their responsibility for building and guarding those secure places.
But their risk domains diverge substantially after that: security folks are determined to resist attacks from a variety of malevolent outsiders, including cybercriminals, nation-state hackers, and hacktivists, and to ensure that employees do not expose the organization to these external dangers in the ways they store, transmit, and destroy data. In the security domain, the threats are largely external and they are imposed on the organization against its will. (Though of course employees who act out of negligence, ignorance, malice, or inattention pose a threat as well.)
The threats faced by the privacy profession are quite different. Perhaps the greatest difference is that privacy risks are created by the business itself as it handles personal information in the conduct of its work; such risks are voluntarily chosen, not imposed by an outside actor. They are the risks that arise when you put complicated work in the hands of fallible humans, and very often they involve questions of ethics and judgment that can be genuinely complicated.
No matter the difference in the ways these risks present themselves, they’re presented to employees just the same. So it’s the employees who need to develop the skills to identify and overcome these risks, no matter where they originate.
The “Bad Guys” are Different
What’s the first image that comes to mind when you think of the “bad guy” or enemy when it comes to cybersecurity? Chances are you’ll turn to a stereotype: a hacker, dressed in a black hoodie, hunched over a keyboard, or a malevolent-looking Russian who is part of a criminal syndicate launching cyberattacks. (Or perhaps you’ll see President Trump’s 400-pound man.)
Such stereotypes are now so common that they are ridiculed, but like most stereotypes they reveal that our culture embraces the idea that there is an external “bad guy” who’s trying to hack into our protected domain to pursue his illicit ends. With bad guys like this, it’s hardly any surprise that our good guys proudly don the honorable mantle of law enforcement or military, and use an abundance of military language to describe their work, from defending the perimeter to threat vectors and so on. The basic narrative structure adopted by the cybersecurity professional is simple and direct: we are the good guys, and we are protecting the innocent and virtuous organization from the bad guys.
Privacy has no singular bad guy. It’s true that privacy pros also identify the cybercriminal as a menace, but he is not central to the privacy narrative. Instead, privacy pros work within a much more complicated moral landscape, one in which the very act of gathering and using personal data puts the company at risk—not just the risk of falling out of compliance with the law but also the risk of losing the trust of employees and customers.
The bad guys in the privacy domain are not so much evil as ill-informed: they are the software engineer who doesn’t segment her database to isolate geolocation information, or the marketing assistant who neglects to consider whether he has the appropriate consent to send an email blast to the intended recipients. In this world, the privacy professional is still the good guy, but in a more complicated ethical position. They are the guardians of the ethical protections placed on personal information, and they must direct their company and its employees on the complexities of staying within appropriate boundaries on the collection, use, and storage of data, despite enormous financial pressures to the contrary.
Attend the professional gatherings of security and privacy professionals (as I’ve done in recent months), and these differences are immediately manifest: the security conferences are overpopulated by men, many with military or law enforcement backgrounds, and the stories they tell are filled with the language of protection and the suppression of threats. The privacy conferences are filled with lawyers, equally male and female, and their stories are about the difficulties of navigating the ever-shifting ethical boundaries around personal information.
You can see how easy it would be for more doctrinaire members of either profession to mischaracterize the other and to insist that their worlds remain separate. Privacy purists might judge the security advocate to be living in a black-and-white world, and believe that the security professional is over-committed to technical solutions and an overly defensive posture. Security purists, on the other hand, see the privacy professional as prone to underestimating threats and overly dependent on policy and procedure to accomplish what should be done with strict controls.
But These Differences Don’t Matter to Employees
And yet, both professions need to recognize that all their differences truly mean nothing to most employees. Since it’s the employees they are trying to reach with their awareness training, it’s in the delivery of the awareness program that security and privacy professionals stand the best chance of reaching their common goals.
In a joined security and privacy awareness training program, employees can be presented with a view of the world as it really is: one where the very work of the company (no matter the industry) creates the risk of exposure, and where the personal data and intellectual property the company creates provide a tempting target for nefarious outside actors. In the conceptual world created by a joined program, employees don’t need to parse out the differences between security and privacy—they can recognize that these are simply different elements of an overall data protection program that truly has the best interests of the company at its core.
Combining security and privacy in a data protection awareness program (or a risk awareness program) provides practical as well as conceptual benefits. The practices used by mature security awareness programs—a continuous, ongoing education program that combines required training with a regular drumbeat of supporting communications, or reinforcement—can be extended to include privacy-related content, and pooling resources into a shared program allows such a best-practices program to operate with fewer overall staff. Combining security and privacy content into a single annual training course reinforces the message that these are not separate domains, and it has the side benefit of reducing overall training time by eliminating overlap. Even the phishing simulation tools used by the info security teams can be leveraged to support the privacy program, by testing whether employees actually apply appropriate privacy practices when faced with a realistic request.
There is little to lose and much to gain from a combined program that emphasizes the variety of risks faced by organizations in today’s digital world and invites employees to build the knowledge and skills that they will need to survive and thrive both at work and at home. Because Bob doesn’t care about the differences between security and privacy: he just wants to know what to do to protect himself and his company.