One way to foster that cooperation is through understanding. With that in mind, we asked RADAR’s own privacy and security experts—Alex Wall, Esq., senior counsel and global privacy officer, and Andrew Migliore, vice president of engineering—about their respective challenges and how teamwork can make everyone’s job easier.
Q1: What is the number one privacy or security challenge you or your clients face in incident response/incident risk assessment?
Alex Wall, Esq.: For many companies, getting executive and/or board-level buy-in is the most difficult step. I am fortunate as privacy officer for RADAR in that I have strong executive and board sponsorship for our privacy program. In some organizations, privacy initiatives can lack resources or organizational accountability. Another challenge is making time for not only setting the framework for the privacy program, but also continuing to revisit it. Privacy officers can sometimes struggle to find time to work with busy team members as an ongoing advocate for privacy in the organization, while keeping up with rapid developments in the privacy and security field. Continued involvement is key for a sustainable privacy program.
Andrew Migliore: Time. It is often difficult to identify the scope of a security incident until you have carried out an investigation. Even with a comprehensive detection solution, it can be hard to determine the nature of an attack in a timely manner. Once an incident has been determined to have privacy concerns, the security team has to communicate their initial findings with their privacy counterparts. Security must also keep the privacy team updated on any new findings so privacy can perform risk assessments quickly and accurately. Unfortunately, many companies have a very poor interface between security and privacy and disproportionately focus on security-only solutions while throwing findings “over the wall” to each other rather than directly collaborating.
Q2: How can privacy and security help each other overcome their challenges?
Alex: Security is like Jack Nicholson in A Few Good Men. You want them on that wall, shielding the perimeter from malicious incursions so that those safeguards form a critical part in protecting the privacy rights of customers and employees. In most respects, privacy and security are aligned in their goals. It is often advantageous to schedule privacy workshops and programs around the same time as security ones in order to reinforce each other’s lessons and learnings. The security and privacy teams, having a shared need to continually update executives and company owners on their requirements, can often “join forces” to ensure that organizational sponsorship continues.
Andrew: Privacy should work with security to identify their common requirements with regard to incident response. Automation and improving communication are key to a timely incident response. Specifically, the privacy team should work with security to develop, implement, and enforce policies and procedures of the organization’s privacy programs in accordance with current laws. Given that most privacy incidents aren’t electronic or detectable through monitoring by security, the privacy team needs to advocate for an incident response solution that has purpose-built workflows designed to reduce risk and ensure compliance with numerous state and federal data breach laws.
Q3: Describe the roles you have during incident risk assessment, and how working with each other can help you better fulfill those roles.
Alex: When assessing an incident, it is helpful to have security’s advice on key questions such as whether a particular action taken by a person constitutes unauthorized access to data, or how to best describe remedial or preventative actions taken in response to an incident.
Andrew: Security is responsible for protecting valuable information from unauthorized access. When an incident occurs, security must perform damage control, returning systems to normal operations as soon as possible. When there is a security incident with privacy concerns, the security team members are responsible for helping coordinate response activities and communicate status (escalating to upper management as required). Security has the responsibility of determining the root cause of how the incident was perpetrated and how to prevent another event of the same kind from happening in the future.
Q4: What is one thing security and privacy can do to make their respective jobs easier?
Alex: I think that there is a natural tendency in security roles to keep information very tightly controlled, and this natural goal can sometimes come into conflict with the need to educate the privacy team on an ongoing basis. It’s important to keep an ongoing flow of communication between the teams so that privacy does not labor under outdated perceptions of the way that data is stored, used, categorized, or protected in an organization and can adapt to evolving technology, which is also key to the sustainability of a privacy program.
Andrew: Regularly communicate with both the security team and the rest of the company, reminding everyone about the importance of privacy and compliance. In order to implement a truly 360-degree security and privacy program, security and privacy teams have to work together.
Through collaboration, the privacy and security teams at RADAR were able to implement a robust program that enabled them to be successful during their SOC 2 Type II audit, a comprehensive certification demonstrating the ability to keep sensitive data secure.
Learn more about how privacy and security can work together with the free whitepaper, Incident Response Management Software: The CISO’s Secret Weapon for Reducing Enterprise Risk.