Aligning Privacy and Security Incident Response

Both privacy and security teams are vital to protecting data, customers, and organizations. But too often they can end up working in silos, or even at opposing purposes because of differing goals, expertise, or even different definitions of what events require action. Aligning privacy and security incident management can help avoid risks, security gaps, and missed regulatory requirements.

It’s a long-standing issue—since the beginning of the digital economy and digital privacy—but with the help of technology and automation, organizations are finding new ways of aligning privacy and security incident management.

Common Goals

At a high level, privacy and security have a common goal–keeping information private and secure. But the details of what each team is working toward can create a division of priorities. For instance, when an incident occurs, the privacy team is focused on assessment and compliance requirements, while the security team may be focused on getting systems back online, closing security gaps, and/or stopping further exposure of information.

The teams often speak in different terms, as pointed out in a recent webinar with ServiceNow, ConfigureTek, and RadarFirst. The security team reacts to “events” in which a security alert indicates some sort of anomaly. The privacy team reacts to “incidents” in which some event, digital or physical, causes unauthorized disclosure of personal information. For each incident, privacy needs to determine where there is a “breach” with regulatory requirements to notify individuals, regulators, or other authorities such as state attorneys general.

But if the two functions don’t work smoothly together, both may miss their goals. In order to make informed decisions and meet notification deadlines, privacy teams need immediate, comprehensive, accurate information about security incidents. Without it, they are at risk of over-reporting incidents by erring on the side of caution or under-reporting because they are operating with incomplete information.

Both over- and under-reporting can negatively impact the organization’s reputation (hence, revenues) and hurt its credibility with regulators, and under-reporting can incur fines and other regulatory action. And if security lacks visibility into privacy incidents, it may miss the warning signs of potentially serious security problems.

Both privacy and security play important roles in protecting the organization and its stakeholders, and they need to work together. So, how to bridge the gap?

Elements of a Coordinated Incident Management

When an incident occurs, the privacy and security teams need to coordinate. First, each team needs to know when and how to alert the other.

When security logs an event, one of its top priorities should be to determine whether any personal or “sensitive” information may have been exposed. If personal information may have been exposed, security needs to alert the privacy team, share their initial findings, and keep privacy updated as the investigation continues.

When the privacy team logs an incident, one of their top priorities should be to assess whether the exposed information was digital or physical (according to the 2023 Privacy Incident Benchmark Report, about 44% of incidents still involve physical exposure). If the exposure is digital, they should notify security immediately, share initial findings, and coordinate as the assessment proceeds.

The challenge is to enable this coordination in a way that doesn’t impede either team in its sprint to investigate, mitigate, maintain compliance, and close any security gaps.

Enabling and Ensuring Cross-functional Collaboration

Coordinated incident management doesn’t grow spontaneously in the heat of a serious incident. It needs to be nurtured in multiple ways:

• Relationships: Incident management isn’t the only process where privacy and security teams should be working together. Both should have a seat at the table when new business systems and initiatives are being developed. Early involvement gives both teams a chance to anticipate and mitigate privacy and security risks, plan for change management with data and security training, and work together on data mapping that will serve both in good stead when security events and privacy incidents arise.

• Awareness: Both the technology and compliance landscapes are constantly changing. Privacy and security can be more proactive in helping each other if they regularly update each other on new regulations, new threats such as ransomware or phishing tactics, etc. Monthly or quarterly updates can also help build relationships and communication, and discussion can lead to new ideas for protecting the organization.

• Integration: To fully collaborate on incident response, privacy, and security need integrated tools and workflows. To meet that need, RadarFirst has partnered with digital workflow leader ServiceNow to create Radar for Security Operations and Radar for IT Service Management. Incidents tracked within ServiceNow that involve compromised personal data and require investigation by the privacy team are routed to Radar Privacy for automated risk scoring and assessment under both regulatory and third-party notification obligations. A bidirectional relationship between the two platforms creates a seamless workflow and facilitates the exchange of critical information across the privacy and security teams, who work in parallel to reduce decision time and efficiently resolve incidents.

Better Together

Privacy and security may have different terminology and short-term objectives, but their overarching mission is the same: to protect the organization and its stakeholders. With proactive relationship-building, ongoing communication to build awareness, and integration to enable an efficient, collaborative workflow, both teams can achieve their individual and overarching goals better than either would alone.