IAPP Privacy Perspectives: Creating a Risk-Aware Culture Through Built-In Privacy

We must weave privacy and security into not just new technologies and services, but into the very fabric of an organization to achieve a risk-aware culture.

This article was written by Tom Pendergast, MediaPro’s Chief Strategist for Security, Privacy, and Compliance. It was originally published under the International Association of Privacy Professionals’ (IAPP) Privacy Perspectives blog.
The security and privacy communities are slowly converging – once focused on their own interests, they have since begun to align behind an increasingly unified approach to information protection. Last year’s Privacy. Security. Risk. 2015 conference, run jointly by IAPP and CSA Congress, serves as one of many examples to illustrate this convergence.
One of the drivers of this can be traced back to Privacy by Design. A distinct school of thought with clear organizing principles, PbD ran parallel to “security-by-design” variants that have since developed into a way to deliberately design security into applications. In 2013, Ann Cavoukian, a major contributor to PbD, said, “It is becoming widely recognized that privacy and security must both be embedded, by default, into the architecture, design, and construction of information processes.”
This is true – but I’d argue that this convergence needs to be taken even further.
More than designing privacy and security into new products, technologies, and services, we must also weave them into the very fabric of organizational culture. By applying a PbD lens to the way we communicate to and educate all employees about security and privacy issues, we will begin to create the risk-aware cultures the modern information economy demands.

Trickledown Effect

The best way to ensure security and privacy protections are an integral part of corporate culture is by building them into the core mission and values of an organization from the start. Rather than a driver, information protection is typically an afterthought, an added obligation or even a penalty enacted by outside regulators. Even if there’s no overtly negative tone to this effect, there’s usually an implicit dismissal or undermining of the concerns of security and privacy professionals, with a resulting trickledown effect. In short, business leaders themselves often tend to view privacy and security protections as a detractor from growth, rather than an enabler and driver of business value.
If your organization is like the one described above, hopefully you realize you need to change your culture.
You can start by taking a look at your code of conduct or mission statement. There’s no better example I can think of than Microsoft*, where “Managing & Protecting Information” is one of the key pillars in its Standards of Business Conduct, which is required training for all employees and typically held up as a benchmark for quality corporate education. I realize there are a number of organizations that have similar aspirational language, but the difference at Microsoft is how that language is put into practice, and in turn, means something to employees and guides their actions.
While ideal, values rooted in PbD don’t need to be ingrained in a corporate code to be effective.
They do, however, need to be championed consistently and visibly by management. In his 2012 book, The Power of Habit, Charles Duhigg tells the story of Alcoa CEO Paul O’Neill, who leveraged single-minded emphasis on workplace safety as a source of inspiration to employees that guided corporate decision-making, ultimately leading the company to a dramatic and profitable recovery.
The lesson here is that even unglamorous values like “protecting information” can be essential to the functioning of an organization if they are championed by executives, embedded in operational procedures, aligned to key business goals, measured regularly, and effectively communicated on a consistent basis to all employees. This ensures these values are proactive parts of corporate culture, embedded within the organization’s design, and accepted across the organization as the default mode of operation for all employees.

Privacy and Security Across the Full Spectrum

Operationalizing values of privacy and security is no easy task. Dispersing information to all employees about the role they play in ensuring organizational security and privacy in a positive, encouraging way, is one of the most difficult tasks faced by privacy and security professionals, but it is worth it!
I often hear those charged with security and privacy education commiserating that their jobs would be much easier if employees would simply stop doing ill-advised things like misclassifying information or clicking on phishing emails. We can all probably understand their frustration since these mistakes make their jobs harder. But the simple truth is, employees won’t become active champions of information protection if they are denigrated for mistakes we see as silly or inexcusable.
As such, the onus is on security and privacy professionals and educators to take a positive-sum approach to making security- and privacy-based thinking a vital part of organizational culture. We can do this by interacting with employees and management in a way that helps them understand just how important privacy and security are, and how fascinating – and sometimes fun – they can be. I’ve seen this done firsthand at Western Union*, where folks in charge of these programs have actively included employees in helping them solve the security and privacy dilemma. Using interactive on-boarding sessions, online training and a consistently positive and respectful tone toward employees, they have successfully involved employees and contractors in applying existing knowledge to real business problems.
Emphasizing the positive is not the same thing as a positive-sum approach. No program can successfully avoid communicating negatives associated with being under attack from those after your information. However, in regards to employee education and communication, my experience with hundreds of companies who do this kind of work convinces me that emphasizing the resulting positive actions and outcomes associated with information protection is preferable to a program that emphasizes sanctions and admonitions.
One other critical component of building a risk-aware culture is the integration of messages about information protection into the full lifecycle of the business. This is more than offering annual training on privacy and security – training is not enough.
Companies that leverage highly visible, regular communications and activities focusing on key risks have the most success at building information protection into organizational culture. This might be something as simple as fun videos sent out on a regular interval, posters in the breakroom, or positive messages from upper management. Or, they might be more complex, such as public – but non-punitive – simulated phishing campaigns.
Employees need to see the benefits of reporting potential privacy incidents before they lead to data breaches. It’s essential that you raise transparency and visibility of efforts to promote information protection, as it’s critical to the development of a security and privacy aware culture within your organization.

Designing a Risk-Aware Culture

Embedding PbD-like principles within an entire employee population isn’t going to happen overnight!
It’s going to take time, yes, but ensuring security and privacy are central to organizational operations is one of the most critical jobs facing professionals in this space today. This way of thinking offers tremendous opportunity to implement risk-aware cultures that can stand up to the pressures of an increasingly tempestuous world.

*Full disclosure: Both Microsoft and Western Union have done work with MediaPro in the past.
Tom Pendergast is the chief architect of MediaPro’s Adaptive Architecture approach to plan, train, reinforce, and analyze workforce learning and awareness in the subjects of information security, privacy, and corporate compliance. Tom has a Ph.D. in American Studies from Purdue University and is the author or editor of 26 books and reference collections. Tom has devoted his entire career to content and curriculum design, first in print, as the founder of Full Circle Editorial, then in learning solutions with MediaPro.
