Best Practices for Defending Against APTs

Advanced persistent threats (APTs) have changed the world of enterprise security and how networks and organizations are attacked. In a new Palo Alto Networks eBook, Cybersecurity for Dummies, we explore:

  • The cybersecurity landscape and why traditional security solutions fail
  • What next-generation security brings to the fight
  • Ten best practices for controlling APTs

Head to our Cybersecurity for Dummies landing page and request your free copy today!

For more on Palo Alto Networks solutions for APTs:

Highlights from the NIST Privacy Engineering Workshop

In April, I presented at and attended the NIST Privacy Engineering Workshop on behalf of ISACA.

Throughout two days of sessions, attendees explored the Fair Information Practice Principles, privacy/technology research efforts, and the need to address privacy risks—to consider privacy from the planning stage of projects and close the longstanding communications gap between legal and engineering areas.

We joined breakout sessions to discuss the frameworks engineers use, explore privacy case studies, and determine ways in which engineering methods can address privacy risks. On day two of the event we focused on drone use, which prompted some lively, thought-provoking discussions.

My takeaways from the workshop:

  • Huge gaps in communication between the engineering areas and legal/policy areas need to be closed. Each group needs to listen to the other when it comes to privacy discussions. Each side has much to learn from the experiences of the other.
  • Privacy engineering is much more than a policy issue and much more than just getting software or systems to meet existing legal requirements for data protection. Because those laws/regulations were created in a reactionary atmosphere, they will always lag behind a significant number of new and emerging privacy risks. Engineers will be key in mitigating those privacy risks through the use of an effective privacy-engineering framework, and through the use of a catalog of vetted and reasonable privacy-use cases.
  • Engineers already have frameworks they have used for many years to build software and systems. Instead of trying to get them to use something completely different, efforts should be made to establish privacy standards that are integrated within these established frameworks, written in language appropriate for engineers.
  • Privacy engineering is not just for large organizations. There are many small and mid-size organizations that create software and systems; they must also know how to engineer privacy into their products. Often there is an even greater need for such organizations to practice privacy engineering for all the software and systems they create.

Naomi Lefkovitz, NIST senior privacy policy advisor who presided over the two-day event, indicated that NIST plans to produce a report based on the information, recommendations and comments collected during the workshop. NIST will host further workshops to refine what will likely become the privacy portion of the Cybersecurity Framework.

I found this workshop beneficial—an important first step toward identifying actionable privacy standards to include within the Cybersecurity Framework, which engineers will be able to effectively utilize within their current frameworks to help build in the (currently missing) controls that are needed to help to protect privacy.

Rebecca Herold, CISM, CISA, CISSP, CIPP/US, CIPP/IT, CIPM, FLMI
CEO, The Privacy Professor®

[Source: ISACA]

Building a Security Culture

Last month I had the great pleasure to speak at the 2014 ISACA Nordic Conference, where I shared my passion for security culture and how to build it.

In my view, security culture is, simply, about building and maintaining measures to help your employees feel safe and free from danger.

But let’s back up a bit to get a clearer picture. It helps to understand the origins of this culture. In this sense, culture is the collected security information in a society that is passed from one generation to the next. It can consist of norms, knowledge, tools, etc.

Naturally, this culture can be modified and transformed to suit each organization. Norms—the regulations, policies and other rules (written or not) that regulate how people in your organization function, from when and how they drink coffee to how they interact with their passwords—are malleable. They work best when they are adjusted for each enterprise and each situation.

Tools used with computers, information systems and software are most commonly considered “technology.” Much like their ancestors, such as the hammer, technology tools make it easier to reach a goal, such as hammering a nail or ensuring proper security within a system.

Knowledge is the third piece of the puzzle, binding technology and norms together. Knowledge guides people in interacting with technology in the right manner. Knowledge enables people to understand why norms force them to do things according to the rules.

Culture is a critical part of society. It helps define a people. This holds true within the narrower scope of security culture. By taking what you have already—technology and norms—and adding knowledge to your organization, you are moving in the right direction. You are moving to a security culture.

Kai Roer
President of Cloud Security Alliance Norway Chapter
Founder of the Security Culture Framework
Member of the Security Culture Framework Community

[Source: ISACA]
