The Issue is Clear: Why Should Anyone Trust Anyone?
We could leave this issue to privacy officers, internal and external legal counsel, governments, data protection authorities, politicians, regulators, and technology companies to sort out. We could wait for the ultimate answer that solves the privacy question once and for all. And wait. And wait some more. And wait for another review, debate, or newsworthy event (such as investigators needing the data on another terrorist's phone). Or wait for the next cloud service to be hacked, exposing private photos in violation of an individual's right to privacy.
The reality is we just don't trust each other—person to person or country to country. The reality is also that we have to trust each other at some level to interact personally or conduct business with each other.
As we grow up, we implicitly trust our parents to protect us and lead us in the right direction. We have temporary moments of insanity around the ages of 5-6 and 13-17, when we don't trust what they are telling us (because we just know better), and then our parents all of a sudden get smarter when we turn about 22! In other words, we have temporary moments of disbelief, or a lack of trust in what they are telling us. It is the receiver of the message (in this case the child) that does not believe the sender (the parents), even though the sender of the message was telling the truth and had good intentions all along. Trust is earned by delivering a consistent message that matches the real environment.
So what does this have to do with privacy in our organizations? Everything. We are currently in a state where people and governments are challenging the trust model. However, we cannot stop and wait for resolution of this temporary insanity and total lack of trust to figure out how to enable others to trust our assertions.
We Will Lose Valuable Time
We must, as "parents of our own organizational destiny," continue to refine the controls on our systems and enhance how we protect information privacy. As we promote our message of information protection, those who make the rules will come to recognize that the organizations doing the fundamental security work, building in privacy considerations, and protecting rights through processes that are actually followed are the ones that can be "trusted" to interact with other people and countries.
Privacy is much more than publishing a privacy notice on the company web site or sending out notices. Privacy is an organizational commitment to build trust by securing information, keeping it accurate, and limiting access to only those who have a right to it. Security officers are at the core of this issue and must be literate in the language of privacy to be effective.
At the North America CACS 2016 conference in New Orleans, May 2-4, 2016, Todd Fitzgerald's "One-Hour Privacy Primer" session will explore privacy concepts every security officer, privacy officer, auditor, lawyer, and governance professional should know:
- The role of the CISO with respect to Privacy
- 8 Universal (OECD) privacy principles
- Global laws impacting privacy
- Privacy by Design principles
- Understanding data elements and the language of privacy
Todd Fitzgerald, CISA, CISM, CRISC, CISSP, CIPP/US, CIPP/E, CIPM, PMP, CGEIT, ISO27000, ITILv3f, Global Director Information Security, Grant Thornton International, Ltd.
[ISACA Now Blog]