NIST Privacy Framework: Our Essential Data Protection Guide


Data privacy needs data security

About the author

From solutions architecture to security, Gabe Gumbs brings deep technical experience to his position as Chief Innovation Officer at Spirion. He leads the Spirion team through strategic product development to create technologies that push data security forward in an increasingly complex digital world.

Data privacy and data security aren’t the same thing, but you can’t have data privacy without data security.

Or put another way, to ensure that you are always in compliance with data privacy regulations, you will also need to deploy a solid cybersecurity system.

To know that you are doing the most to protect your data, you must understand the different kinds of risk to that data.

Cybersecurity risks are defined as risks associated with unauthorized access to data. Privacy risks are derived from authorized access to data. But to ensure that only the appropriate parties have authorized access to data, you require security controls.

This goes to the heart of what Spirion does as an organization: How do you apply the right security controls to the right assets? It starts with understanding exactly what your assets are and the sensitivity of the different pieces of data before you begin to apply controls that offer both privacy and security.

Avoid introducing friction to the business

The gut reaction is to apply the strictest security controls in your organization to your most valuable data. Sure, that will help protect sensitive information from unauthorized access, but that introduces a significant amount of friction to business operations. No one wants friction added to their business. It slows down productivity and frustrates workers who may need to jump through additional hoops to access the data needed to get their work done.

The strictest control could also be the wrong control for your organization’s assets. In fact, many security controls are likely going to be the wrong fit. For example, suppose the control you pick to protect your assets is encryption. Encryption is a great tool, and it is a necessary tool for a lot of data privacy regulations. But if you decide that all the data is important so you will encrypt everything, then two things follow:

  1. Nothing is important if all of it is important, and
  2. You have to hand out the ability to decrypt to a wide array of individuals and systems so the data stays available for their normal work processes, which defeats the purpose of the encryption in the first place.

The more workable solution is to add this security control – in this case encryption – to only the most sensitive data.

Recognizing your valuable data

As mentioned earlier, nothing is important if all data is treated as important. We know not all data is created equal. You wouldn’t value an email about scheduling a meeting between co-workers the same as you would a database of customer PII (at least you shouldn’t consider them of equal value). But every organization generates trillions of pieces of data that a human can’t possibly go through and separate by hand. Just as you need the right security controls to address risks, you need the right data management tools: ones that give a full view of your data landscape and segment it based on its value, so you can apply the right controls to sensitive assets according to their level of importance.
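To make the two points above concrete (encrypt only the most sensitive data, and let tooling rather than people sort data by sensitivity), here is an added example, not Spirion's code or product logic: a minimal discovery pass that tiers constructed sample records as "sensitive" or "routine" from two PII patterns (an SSN shape and a Luhn-checked card number) and maps only the sensitive tier to the encryption control. The regexes, tier names, control names and sample records are all assumptions made for illustration.

```python
"""Added example (not from the original post): tier records by detected PII,
then apply the encryption control only to the sensitive tier."""
import re

# Constructed detection rules: an SSN-shaped token, and a 13-16 digit run
# (spaces or dashes allowed) that must also pass a Luhn check, so that order
# numbers and ticket ids do not get the "sensitive" tier by accident.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Assumed policy: only the sensitive tier gets encryption and tighter access.
CONTROLS = {
    "sensitive": ["encrypt-at-rest", "restrict-access"],
    "routine": ["standard-access"],
}

# Constructed sample records (a meeting email, a CRM export, an invoice).
SAMPLE_RECORDS = {
    "email-1042": "Can we move the sync to Thursday at 3pm?",
    "crm-export": "Customer: J. Doe, SSN 123-45-6789, card 4111 1111 1111 1111",
    "invoice-77": "Order #20240117 total $42.00, ticket 1234567890123",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 from
    results over 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return 'sensitive' if the text carries an SSN or a Luhn-valid card
    number, otherwise 'routine'."""
    if SSN_RE.search(text):
        return "sensitive"
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            return "sensitive"
    return "routine"


def plan_controls(records: dict) -> dict:
    """Map each record id to the controls its tier warrants."""
    return {rid: CONTROLS[classify(body)] for rid, body in records.items()}
```

Calling `plan_controls(SAMPLE_RECORDS)` assigns encryption to the CRM export only; the invoice's 13-digit ticket id fails the Luhn check and stays in the routine tier.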

Using NIST Frameworks

The National Institute of Standards and Technology (NIST) offers two frameworks – one for cybersecurity and the other for privacy – to guide you through setting up your data privacy and data security controls. For example, the privacy framework provides risk management guidance in areas such as how and why to take privacy into consideration when deploying new security systems and how to encourage privacy compliance across all sectors of the organization, including the C-suite, legal, and HR.

Every company needs to evaluate its data privacy management system, but remember, you can’t have data privacy without data security. For the best risk management solution, you need to have both types of systems working in concert with each other.