Forbes recently released an article emphasizing the interdependency between privacy and security. Many companies struggle with privacy and security issues because they tend to treat the two as separate functions, when at root they are interconnected.
As defined by the author, Evan Francen, information security is “managing risk to information confidentiality, integrity and availability using administrative, physical and technical controls.” Likewise, the simple definition for privacy is “managing risk to the confidentiality of personally identifiable information using administrative, physical and technical controls.” Defined this way, privacy is actually a subset of security, one focused more narrowly on confidentiality.
However, organizations place more emphasis on privacy because there is a higher sense of urgency, spurred by costly legal actions and regulatory concerns (e.g. the European Union’s General Data Protection Regulation, GDPR). As humans, we are drawn to issues of privacy because it is something widely valued and understood. But organizations often do not place the same value on our privacy, and that gap has become the ultimate driver for regulation in the industry. Fear of noncompliance with these regulations, and of the consequences that follow, is what has kept privacy at the forefront for most organizations.
Conversely, fear of noncompliance does not serve as a driver for information security. Instead, information security is defined by frameworks and standards. The lack of guidance, and of repercussions for noncompliance with information security laws, has blurred the focus on information security. Ultimately, as Mr. Francen indicates, “we often comply with the letter of the law versus the intent of the law…”
With legal teams interpreting the law on privacy issues and IT departments focusing on preventing security incidents, there is often a disconnect between the teams working on what is a deeply interconnected topic.
Managing cybersecurity risk well is not the sole responsibility of IT, nor of the controller who makes the insurance purchasing decisions. It is an organizational concern that encompasses every aspect of a company. A cohesive approach to cybersecurity is the only way to actively manage privacy and security issues together. This unified approach creates clarity and improves effectiveness, while also ensuring compliance.
Please contact a trusted risk manager to develop and implement a cohesive approach for privacy and security at your organization.