Why Privacy Matters in Cybersecurity | Ep 32

The Tripwire Cybersecurity Podcast

8 Apr 202226:18

Summary

TLDRIn the Tripwire Cyber Security Podcast, host Tim Erlin interviews Jarel Oshody, Deputy Chief Privacy Officer at the CDC, to discuss the nuances between privacy and security within the cyber security realm. They delve into the distinct objectives of privacy, focusing on individual rights over personal data, and security, which centers on data protection against threats. Oshody emphasizes the importance of privacy by design, proactive data management, and the collaborative effort between privacy officers and security professionals. Key insights include the significance of privacy impact assessments, the role of privacy in data breach response, and the strategic reduction of data usage to mitigate risks.

Takeaways

🔒 Cybersecurity and privacy are distinct disciplines, with security focusing on data's confidentiality, integrity, and availability (CIA), while privacy is concerned with individuals' rights to control their personal information.
🤝 Collaboration between security and privacy professionals is crucial for comprehensive data protection, as they can complement each other's expertise and ensure all aspects of data handling are covered.
👥 The role of a privacy officer involves a wide range of responsibilities, including managing data inventory, implementing privacy by design, conducting privacy impact assessments, and handling notifications and consents.
🏢 In government agencies, privacy practices are guided by specific laws like the Privacy Act of 1974, which mandates Privacy Impact Assessments and System of Records Notices, whereas commercial organizations navigate a patchwork of sectoral and state privacy laws.
💼 A law background is particularly helpful for privacy officers, but it's not a requirement. The field also values technical expertise and the ability to bridge the gap between legal requirements and technical implementations.
🌐 The GDPR has been a significant influence in raising public awareness about data rights and has prompted organizations to improve data management practices to comply with stringent regulations.
🛡️ Security professionals can learn from privacy's emphasis on minimizing data use and conducting continuous risk assessments, which can help reduce the attack surface and ensure better data protection.
📚 Privacy engineers are a growing field, acting as translators between the technical and legal aspects of privacy, helping to implement legal requirements into technical solutions.
🔑 Data mapping and inventory are foundational for both security and privacy, enabling organizations to manage and protect data more effectively, and to respond to data subject requests.
🔄 The principles of data minimization and anonymization are key strategies in privacy that can also benefit security by reducing the amount of sensitive data that needs to be protected.

Q & A

What is the main focus of the Tripwire Cyber Security Podcast?
-The Tripwire Cyber Security Podcast focuses on exploring cyber security for the enterprise, discussing techniques and best practices to protect against cyber threats, and hardening defenses against hackers.
How does Jarel Oshody define the difference between privacy and security?
-Jarel Oshody distinguishes privacy and security by explaining that security professionals focus on the CIA triad—confidentiality, integrity, and availability of data—while privacy professionals concentrate on individuals' rights to control their personal identifiable information (PII) and its lifecycle.
What does the acronym CIA stand for in the context of cybersecurity?
-In cybersecurity, the acronym CIA stands for Confidentiality, Integrity, and Availability, which are the three core objectives that security professionals aim to protect.
Why is collaboration between security and privacy professionals important?
-Collaboration between security and privacy professionals is crucial because it ensures that both the technical and legal aspects of data protection are addressed, leading to a more comprehensive approach to safeguarding against cyber threats and maintaining compliance with data privacy regulations.
What is a Privacy Impact Assessment (PIA) and why is it important?
-A Privacy Impact Assessment (PIA) is a process used to identify and mitigate potential privacy risks associated with new or existing systems, particularly those involving the collection, use, and storage of personal identifiable information. It is important for ensuring compliance with privacy regulations and for building trust with individuals whose data is being handled.
How does Jarel describe the role of a privacy officer?
-Jarel describes the role of a privacy officer as encompassing a wide range of responsibilities, including identifying and managing PII, implementing privacy by design, ensuring proper notifications and consents, developing privacy operations, and collaborating with security professionals during data incident responses.
What is the significance of the Privacy Act of 1974 in the context of the podcast?
-The Privacy Act of 1974 is significant as it is the main law that government agencies like the CDC follow for privacy practices. It includes requirements for Privacy Impact Assessments, system of records notices, and responding to Privacy Act requests, which are all crucial for handling personal information in a government context.
How does the concept of 'Privacy by Design' relate to the development of new systems or products?
-'Privacy by Design' is a concept where privacy considerations are integrated into the design and development of systems and products from the outset, rather than being an afterthought. This approach helps to minimize data usage, reduce privacy risks, and ensure compliance with data protection regulations.
What are the key differences between privacy considerations for a government agency versus a commercial organization?
-Key differences include the types of privacy laws and regulations that apply, such as the Privacy Act of 1974 for government agencies versus a variety of sectoral and state privacy laws for commercial organizations. Additionally, government agencies have requirements like system of records notices and Privacy Act requests, which are not present in the private sector.
What advice does Jarel give to security professionals regarding data privacy?
-Jarel advises security professionals to understand that their job is not done once a breach is mitigated or access is prevented. Instead, they should focus on best practices like minimizing data usage, conducting continuous risk assessments, and considering the broader implications of data handling on an organization's reputation and customer trust.