We recently held a panel discussion with Peak’s Gary Myers, FreeAgent’s Richard Grey, Trace’s Sorcha Lorimer, and our own Guillaume Montard to pose the question: “How do you bridge the gap between security and privacy teams?”
If you weren’t able to join us, here’s a rundown of the key takeaways that came up during the chat. You can also find an archive of the discussion at the end of this post if you’d like to watch it in its entirety.
It's impossible for a single person or team to handle everything, so find a way to share the knowledge
As software complexity has grown, regulations have entered into effect, and needs have changed, the responsibilities of different departments have evolved. Agile development cycles removed the traditional handoff from product to development to legal to ops, and so on. As a result, the skill sets of everyone involved in the process have grown—for better or worse.
Sorcha raised the question of the sheer wealth of information that teams need to understand and manage. The baseline knowledge expected for each subject is hard to acquire, but doable. What becomes impossible is also keeping up with changes in laws, changes in technology, and changes in the industry. General training on the key areas and expectations for the entire organization is a great place to start, but you’ll still need individuals to shepherd everyone along.
Subject-matter experts (SMEs) in each of the fields need to be brought together. Gary suggests experimenting with multidisciplinary “squads” that come together on a cadence appropriate for your size in order to facilitate communication and knowledge-sharing.
"The key thing is to get people talking to each other in the first place." — Gary Myers
It can be challenging for privacy or security SMEs to enable teams while still protecting data. Richard encourages avoiding the cliché of being the “No” person. Answering requests isn't always about saying no. You can often say yes, with context. For instance, data sharing isn’t a bad thing, as long as the individuals providing the data are given the ability to make an informed decision about how their data is shared and used. When the whole team is aligned—more on that later—this is much easier.
Automate if you can
Every industry looks to automation as a solution to problems with known requirements. That isn’t always an option when it comes to privacy: because privacy requires legal interpretation and ethical judgement, it sometimes needs a human touch.
"Privacy, it's quite a soft skill to make sure that we're doing the right things. From a security perspective, we can absolutely automate a whole heap of things." — Richard Grey
The pipeline is a great place to automate as much as you can. Runtime application protection, static code analysis, and any best-practice health checks can help automate the security side. We’re slowly seeing privacy “checks” enter into the development pipeline, but that is still a challenge.
This leads us into our next takeaway.
The gray area is the hard part
Whereas security is black and white—you protect the data, or you don't—privacy can be much harder. There are ethical expectations, there is the spirit of the law versus the letter of the law, and so on.
“I think where DevSecOps can come into play when it's about privacy is to be able to have those questions come up as quickly as possible at the beginning of the lifecycle.” — Guillaume Montard
The unfortunate reality is that these privacy concerns come up far too late, sometimes years later. The “move fast and break things” mentality of modern startups permeates privacy as well, and it often means the unspoken “fix things” step comes far too late. Surfacing those gray-area questions early and often—particularly when designing features—is a key way to avoid this problem.
Privacy enhancing technologies can be really valuable
Synthetic data is a powerful tool for balancing the utility of data against the need to ensure privacy. Regarding its usage:
“Minimizing a lot of the risks by [using synthetic data] and adhering to the best principles of things like GDPR, et cetera, in the process is something that's absolutely applicable and something we're doing practically and taking seriously.” — Gary Myers
The risk of looking to new technology to solve every problem is that it can sometimes prolong the path to a solution.
“The issue with thinking that a new technique will solve every problem, is that sometimes you hide the real problem, and it creates more complexity to really understand what to do exactly.” — Guillaume Montard
Tools can be useful, but sometimes simplicity wins.
Richard described a great example: drawing a simple picture of the data flows in an organization to make them easier to understand.
"That picture spoke a thousand words within our company of people knowing what was happening. It's a tool we can all do with a piece of paper, and that's worked really, really well for us—and of course it didn't cost anything." — Richard Grey
Keeping these foundational documents simple and in plain language helps them move throughout teams and helps anyone in the organization better understand the concepts.
In addition, many of the tools needed to meet privacy expectations are the same tools needed for security. Both require data flow maps and need to know where data goes and who has access to it, so why not unite those efforts rather than silo them? The tool isn’t the problem; the separation is.
The world is watching
Customers and industries are savvier than ever before. Laws, breaches, and exploits that used to be known only within the security industry are reaching much broader audiences. We're even seeing government bodies pay attention to infosec news.
“It's becoming a mainstay in our regular news, and we have things like the FTC saying specifically 'if you haven't dealt with log4j we're coming after you'...InfoSec isn't just our little world anymore.” — Gary Myers
This growing awareness from the outside makes internal training and collaboration even more important. The more eyes on internal systems, the better.
It all comes down to culture
Where does the accountability lie? Ultimately, with the leadership team. Privacy and security may be “everyone's responsibility,” as we like to say, but the leadership team is accountable for making that happen through culture, values, and training.
"Either the leadership of the company thinks it's very important, and they impose certain language and potentially KPIs that could infuse the [mindset] into the entire organization to make it clear and understandable, or they say 'well, this is just something for legal. Let the legal people come to us when they need.'" — Guillaume Montard
To put even further emphasis on the point:
"All of the decisions and actions and everything that happens are as a result of the motivations and drives of the people. So, set the values of the organization and set it in the DNA of the organization that 'this is what we do and this is why we do it' and people understand that 'why' and understand that motivation. That's where you get a more holistic approach. It doesn't come any other way." — Gary Myers
You can view the full discussion here: