Dear CISOs and Legal Counsel: We Can’t Wait for the Privacy Regulators


ISACA-Logo

Privacy is constantly in the news these days. Should Apple create a “back door” to unlock a terrorist’s iPhone for the FBI? Should Microsoft provide European citizens’ information stored on servers in Ireland in response to a US subpoena? Should cloud services be allowed to store data outside of Germany, France, Sweden and Russia? Should we store information in the cloud without retaining the keys? Should commerce between the US and EU flow under the proposed replacement for Safe Harbor (Privacy Shield)? Or maybe the question is whether someone should be awarded tens of millions of dollars for having their privacy violated by being filmed naked in a hotel room without their consent, or by having their engagement in a sex tape filmed and released to the Internet?

The Issue is Clear: Why Should Anyone Trust Anyone?
We could leave this issue to privacy officers, internal and external legal counsel, governments, data protection authorities, politicians, regulators, and technology companies to sort out. We could wait for the ultimate answer to solve the privacy question once and for all. And wait. And wait some more. And wait for another review, debate, newsworthy event (such as needing information from another critical terrorist phone). Or wait for the next cloud service to be hacked, exposing photos that violate an individual’s right to privacy.

The reality is we just don’t trust each other—person to person or country to country. The reality is also that we have to trust each other at some level to interact personally or conduct business with each other.

As we grow up, we implicitly trust our parents to protect and lead us in the right direction. We have temporary moments of insanity during the ages of 5-6 and 13-17, where we don’t trust what they are telling us (because we just know better), and our parents all of a sudden get smarter when we turn about 22! In other words, we have temporary moments of disbelief, or a lack of trust in what they are telling us. It is the receiver of the message (in this case the child) that does not believe the sender (the parents), even though the sender of the message was telling the truth and had good intentions all along. Trust is earned by delivering a consistent message that matches the real environment.

So what does this have to do with privacy in our organizations? Everything. We are currently in a state where people and governments are challenging the trust model. However, we cannot stop and wait for this temporary insanity and total lack of trust to be resolved before figuring out how to enable others to trust our assertions.

We Will Lose Valuable Time
We must, as “parents of our own organizational destiny,” continue to refine the controls on our systems and enhance how we protect information privacy. As we promote our message of information protection, those who make the rules will recognize that the organizations performing fundamental security work, building in privacy considerations and protecting rights through consistently followed processes, will be the ones able to be “trusted” to interact with other people and countries.

Privacy is much more than publishing a privacy notice on the company web site or sending out notices. Privacy is an organizational commitment to build trust by securing information and limiting access to accurate information to only those who have a right to it. Security officers are at the core of this issue and must be literate in the language to be effective.

At the 2016 North America CACS conference in New Orleans May 2-4, 2016, Todd Fitzgerald’s “One-Hour Privacy Primer” session will explore privacy concepts every security officer, privacy officer, auditor, lawyer, and governance professional should know:

  • The role of the CISO with respect to Privacy
  • 8 Universal (OECD) privacy principles
  • Global laws impacting privacy
  • Privacy by Design principles
  • Understanding data elements and the language of privacy

Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, CIPM, PMP, CGEIT, ISO27000, ITILv3f, Global Director Information Security, Grant Thornton International, Ltd.

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
