Privacy and cybersecurity programs share a common goal: protecting the confidentiality of information. Cybersecurity programs tackle this goal from an institutional perspective as part of their mission to protect the integrity and availability of information the organization handles. Privacy programs take a different angle. They seek to protect the personal data of individuals whose information the organization collects.
Given this common focus, leaders and practitioners of cybersecurity and privacy programs have a tremendous opportunity to work together. Let’s look at three different ways: building a shared data inventory, collaborating on compliance and cross-populating steering committees.
1. Build a shared data inventory
One of the most obvious — and beneficial — collaborations between privacy and cybersecurity programs is building out and maintaining the organization’s data inventory. This crucial asset tracks which information the organization maintains and the systems and business processes that work with each data element. It’s impossible to implement cybersecurity or privacy controls around sensitive information if companies don’t know what information they have and where it’s stored. An inventory is a prerequisite for both programs.
The major difference in requirements is this: A cybersecurity program is interested in all the information tracked by a privacy program, but a privacy program is only interested in tracking personally identifiable information. That means other types of information an organization wants to protect, such as trade secrets and other intellectual property, are the responsibility of the cybersecurity program alone.
2. Collaborate on compliance
Legal and regulatory compliance efforts are often the first place where privacy and cybersecurity programs intersect. Achieving compliance with regulations such as HIPAA, PCI DSS and a variety of state-level privacy and data breach response laws requires work from both teams. Formalizing this structure can provide the springboard for other collaborations between the two programs.
3. Cross-populate steering committees
Privacy and cybersecurity programs clearly have a stake in each other’s success. Privacy programs depend on security controls to achieve their objectives even as cybersecurity programs seek to protect the confidentiality of private information. It’s helpful if each program is represented on the other’s steering committees and governance efforts. If feasible, more progressive organizations may consider combining multiple steering committees into a broader information protection committee.
One word of caution: Organizations that experiment with this approach should ensure the objectives of one program don’t eclipse the other in governance conversations.
Privacy and security professionals share a common goal: to protect the confidentiality, integrity and availability of information entrusted to the organization. Companies that encourage these groups to collaborate closely create an atmosphere where mutual interests are freely shared, and they help the company better serve its own interests.
This was last published in January 2022