Why it’s time to rethink your ideas about privacy controls

Part of Solutions Review’s Premium Content Series – a collection of columns written by industry experts in maturing software categories – Richard Bird, Product Manager at SecZetta, shares some thoughts on why it’s time for companies to rethink their views on privacy controls.

Think about your personal life. What degree of privacy do you expect to have? And how much privacy do you have? It’s a hard truth to accept, but privacy doesn’t really exist in the digital world for individuals. Despite the time, effort, and money spent keeping user information private, privacy controls can often be a waste of resources for most businesses.

The expectation of privacy is a myth. The whole notion of privacy and privacy control was a result of companies’ irresponsible handling of customer data and information. Where would we be if companies had handled customer data correctly from the start?

Privacy priorities are misaligned

Aside from privacy controls not being an efficient use of resources, there are other things that organizations need to embrace when it comes to their privacy strategy:

  • Privacy is compliance driven.
  • Government mandates are reactionary and unachievable.
  • Privacy is a business issue, not a security issue.

Let’s dig deeper into these.

Privacy is compliance driven (but there is a disconnect between privacy and security)

Privacy programs and security controls have never been well connected. Instead of taking the proper steps to ensure that customer data is well protected, many organizations attempt to achieve “privacy” (intentional quotes) only to satisfy lawyers looking to tick a box in the compliance assessment categories. In the meantime, there is no progress on the industry side. Information security companies and organizations are not creating appropriate solutions or controls that guarantee privacy. This has created a huge disconnect between stakeholders in the areas of privacy and security.

Compliance-focused organizations are nothing new to most security professionals. When it comes to third parties, most organizations assume that performing regular audits provides adequate protection against cyber threats. But, again, compliance is not synonymous with security. Compliance exercises are just one pillar of a comprehensive, thoughtful, and well-executed security program.

Government mandates are reactionary and unachievable.

Government regulations are rarely forward-thinking. Instead, they tend to be reactionary measures put in place after something terrible has happened. Governments have issued privacy mandates in response to companies’ mishandling of data, not necessarily because it’s the right thing to do or the best way to regulate privacy concerns, but to signal that they’re taking action. As a result, these regulations often create unrealistic expectations that businesses cannot meet.

Think of the time and money spent complying with the General Data Protection Regulation (GDPR) – or its less stringent US counterpart, the California Consumer Privacy Act (CCPA) – to get people to accept or refuse all cookies for information that most companies already hold. What’s the point? In this case, it seems more a question of regulatory compliance than of genuine protection of individuals’ personal information.

Privacy is a business issue, not a security issue

Security professionals are often tasked with responsibilities related to an organization’s privacy program. However, the volume of consumer data that companies have collected over the years poses a disproportionate risk to security teams given the sensitive nature of personal, financial or health-related data. On the other hand, consumer data is inherently more valuable to businesses because it can provide audience and market insights and inform organizational decision-making. Therefore, privacy is much more of a business issue than a security issue.

For companies to take on this responsibility, they need to start taking ownership of the health and well-being of every customer relationship. Take Apple, for example. Apple’s new operating system handles data privacy in a revolutionary yet practical way. Privacy settings are highly customizable, allowing users to give or deny consent for device-wide tracking. In doing so, Apple quickly expanded people’s choices and prioritized its customer relationships.

The conversation needs to move from confidentiality to choice

Once you’ve accepted these truths, it’s easy to see what needs to happen next: the conversation needs to move from the idea of privacy to the reality of choice. Rather than taking steps to secure large volumes of sensitive consumer data and risking unfortunate mishandling or data breaches, companies should give individuals the right to determine what data they want to share and with whom they want to share it.

When an organization pays too much attention to measures such as increased privacy controls and does not focus on creating a strong identity and access management program, it is more exposed to data breaches, cyberattacks and other potential harms. Here are three essential cybersecurity practices that organizations should focus their time and attention on:

1) Refocus on the fundamentals

Too many organizations are distracted by new technologies, concepts and conversations. Their security practices are falling apart, with no clear strategy to ensure cybersecurity fundamentals align with their current business practices. This results in the persistence of programs designed to support outdated business and computing environments and perpetuates a false sense of security.

Organizations need to focus on cybersecurity fundamentals like identity programs. Today’s evolving workforce and migration to the cloud require new risk-based identity programs that manage identity-level access for non-employee third parties such as procurement vendors, partners, contractors, bots and devices.

2) Take a holistic approach

Rather than focusing their efforts on compliance-influenced activities, organizations should build their approach to security and risk management around the needs of their program, their users, and their customers. As digital transformations progress, privacy controls, security programs and risk management strategies, including for third parties, must also evolve.

Organizations that take a holistic approach to risk management through a purpose-built, scalable, and automated solution will find that they are more than just ticking a compliance box. Instead, they will implement a more cohesive and agile risk management program to protect against cyber risks.

3) Mitigate third-party risk with automation

We have established that the expectation of privacy is a myth. But here’s what isn’t: the third-party connection to many of this year’s most significant cyber events. Businesses increasingly rely on third parties to drive meaningful innovation and customer value. However, most organizations lack a consistent, repeatable way to centrally track and manage their relationships with third parties and non-employees, and the access to company assets those parties need. The fact that organizations expand their attack surface and expose themselves to increased cyber risk by engaging third parties further complicates this challenge.

Organizations need to automate best practices to manage the dynamic relationships required by their third-party resources and redefine the boundaries between identity and risk management. Only then can they truly mitigate risk and protect valuable consumer data from malicious actors.
