Minerva Studio - Fotolia

Can CISOs facilitate peace between privacy and information security?

Privacy and information security can often be at odds with each other in enterprises. Expert Mike O. Villegas explains how C-levels can help to get the two to work in harmony.

Security and privacy often butt heads within enterprises. Why is this, and what can CISOs do to help facilitate better collaboration, communication and cooperation between the privacy and information security professionals in their organization?

Information security deals with access to and confidentiality of data. Privacy deals with laws, compliance and risk. Both are critical in the protection of information assets, but both are very different in extent.

However, they are not in opposition; they complement each other. Some depict privacy and information security as vinegar and oil, but if they work together, they make a pleasant vinaigrette.

COBIT 5 defines privacy as the manner in which "an enterprise collects, stores, and releases the personal information that it collects." A privacy policy "informs the client of the specific information that is collected and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Furthermore, the policy ensures compliance with relevant legislation related to data protection."

SANS defines information security as "the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption."

Privacy deals with data. Information security deals with the protection of such data. They cannot exist without each other. It is not enough to know what and where critical data exists. There needs to be a way to apply the proper level of protection commensurate with the risks associated with its value to the organization.

What links privacy and information security are risk and compliance.

Chief privacy officers (CPOs) are responsible for performing a Privacy Impact Assessment (PIA). The PIA states which personally identifiable information is collected and explains how that information is maintained, how it will be protected and how it will be shared.

Peaceful cooperation between privacy and information security depends on collaboration among C-levels. The CISO should seek out the CPO and use the PIA to deploy that level of protection to ensure it meets the risk and compliance levels defined in the PIA.

The CISO should also work with the CPO to provide the board of directors or executive management with a joint presentation on how the information security program has determined and deployed protection of information assets. This gives the program credibility and management support, resulting from a pragmatic and realistic view of information security.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn how to use an incident response policy to collaborate better

Find out why HIPAA doesn't do enough for privacy and security

Check out the differences between an active board and a passive board

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing