Why Privacy Matters in Cybersecurity | Ep 32
Summary
TLDR: In the Tripwire Cyber Security Podcast, host Tim Erlin interviews Jarel Oshody, Deputy Chief Privacy Officer at the CDC, to discuss the nuances between privacy and security within the cyber security realm. They delve into the distinct objectives of privacy, focusing on individual rights over personal data, and security, which centers on data protection against threats. Oshody emphasizes the importance of privacy by design, proactive data management, and the collaborative effort between privacy officers and security professionals. Key insights include the significance of privacy impact assessments, the role of privacy in data breach response, and the strategic reduction of data usage to mitigate risks.
Takeaways
- Cybersecurity and privacy are distinct disciplines, with security focusing on data's confidentiality, integrity, and availability (CIA), while privacy is concerned with individuals' rights to control their personal information.
- Collaboration between security and privacy professionals is crucial for comprehensive data protection, as they can complement each other's expertise and ensure all aspects of data handling are covered.
- The role of a privacy officer involves a wide range of responsibilities, including managing data inventory, implementing privacy by design, conducting privacy impact assessments, and handling notifications and consents.
- In government agencies, privacy practices are guided by specific laws like the Privacy Act of 1974, which mandates Privacy Impact Assessments and System of Records Notices, whereas commercial organizations navigate a patchwork of sectoral and state privacy laws.
- A law background is particularly helpful for privacy officers, but it's not a requirement. The field also values technical expertise and the ability to bridge the gap between legal requirements and technical implementations.
- The GDPR has been a significant influence in raising public awareness about data rights and has prompted organizations to improve data management practices to comply with stringent regulations.
- Security professionals can learn from privacy's emphasis on minimizing data use and conducting continuous risk assessments, which can help reduce the attack surface and ensure better data protection.
- Privacy engineering is a growing field, with privacy engineers acting as translators between the technical and legal aspects of privacy, helping to implement legal requirements into technical solutions.
- Data mapping and inventory are foundational for both security and privacy, enabling organizations to manage and protect data more effectively, and to respond to data subject requests.
- The principles of data minimization and anonymization are key strategies in privacy that can also benefit security by reducing the amount of sensitive data that needs to be protected.
Q & A
What is the main focus of the Tripwire Cyber Security Podcast?
-The Tripwire Cyber Security Podcast focuses on exploring cyber security for the enterprise, discussing techniques and best practices to protect against cyber threats, and hardening defenses against hackers.
How does Jarel Oshody define the difference between privacy and security?
-Jarel Oshody distinguishes privacy and security by explaining that security professionals focus on the CIA triad (confidentiality, integrity, and availability of data), while privacy professionals concentrate on individuals' rights to control their personally identifiable information (PII) and its lifecycle.
What does the acronym CIA stand for in the context of cybersecurity?
-In cybersecurity, the acronym CIA stands for Confidentiality, Integrity, and Availability, which are the three core objectives that security professionals aim to protect.
Why is collaboration between security and privacy professionals important?
-Collaboration between security and privacy professionals is crucial because it ensures that both the technical and legal aspects of data protection are addressed, leading to a more comprehensive approach to safeguarding against cyber threats and maintaining compliance with data privacy regulations.
What is a Privacy Impact Assessment (PIA) and why is it important?
-A Privacy Impact Assessment (PIA) is a process used to identify and mitigate potential privacy risks associated with new or existing systems, particularly those involving the collection, use, and storage of personally identifiable information. It is important for ensuring compliance with privacy regulations and for building trust with individuals whose data is being handled.
How does Jarel describe the role of a privacy officer?
-Jarel describes the role of a privacy officer as encompassing a wide range of responsibilities, including identifying and managing PII, implementing privacy by design, ensuring proper notifications and consents, developing privacy operations, and collaborating with security professionals during data incident responses.
What is the significance of the Privacy Act of 1974 in the context of the podcast?
-The Privacy Act of 1974 is significant as it is the main law that government agencies like the CDC follow for privacy practices. It includes requirements for Privacy Impact Assessments, system of records notices, and responding to Privacy Act requests, which are all crucial for handling personal information in a government context.
How does the concept of 'Privacy by Design' relate to the development of new systems or products?
-'Privacy by Design' is a concept where privacy considerations are integrated into the design and development of systems and products from the outset, rather than being an afterthought. This approach helps to minimize data usage, reduce privacy risks, and ensure compliance with data protection regulations.
What are the key differences between privacy considerations for a government agency versus a commercial organization?
-Key differences include the types of privacy laws and regulations that apply, such as the Privacy Act of 1974 for government agencies versus a variety of sectoral and state privacy laws for commercial organizations. Additionally, government agencies have requirements like system of records notices and Privacy Act requests, which are not present in the private sector.
What advice does Jarel give to security professionals regarding data privacy?
-Jarel advises security professionals to understand that their job is not done once a breach is mitigated or access is prevented. Instead, they should focus on best practices like minimizing data usage, conducting continuous risk assessments, and considering the broader implications of data handling on an organization's reputation and customer trust.
Outlines
Introduction to Cybersecurity and Privacy
The podcast begins with a discussion on the prevalence of cybersecurity incidents and the importance of preparation. Tim Erlin, VP of Strategy at Tripwire, introduces Jarel Oshody, Deputy Chief Privacy Officer at the CDC, to explore the nuances between cybersecurity and privacy. They touch on the distinct objectives of security, which focuses on data's confidentiality, integrity, and availability (CIA), and privacy, which is concerned with individuals' rights to control their personal information. The conversation emphasizes the necessity for collaboration between security and privacy professionals to ensure comprehensive protection against threats and compliance with regulations.
The Role of a Privacy Officer
Jarel Oshody elaborates on the various responsibilities of a privacy officer, which include overseeing the lifecycle of data, implementing privacy by design, managing notifications for employees, third parties, and customers, and developing privacy operations. The role also involves conducting privacy impact assessments, ensuring contracts have proper data use agreements, and collaborating with security professionals during data incidents. The importance of cross-functional relationships and the establishment of privacy champions within different business units are highlighted as key strategies for effective privacy management.
Cross-Functional Knowledge and Privacy Careers
The conversation shifts to the importance of cross-functional knowledge for privacy officers, with Jarel emphasizing the value of relationships over knowing everything. The discussion also covers the career paths in privacy, which can include legal backgrounds but are not limited to them. The emergence of privacy engineering as a field that bridges the gap between technical and legal aspects of privacy is introduced, highlighting the growing need for professionals who can translate legal requirements into technical implementations.
Privacy in Government vs. Commercial Sectors
Jarel contrasts the privacy considerations between government agencies and commercial organizations. He explains that while the Privacy Act of 1974 forms the basis for government privacy practices, the private sector is governed by a patchwork of sectoral and state privacy laws, alongside other countries' laws such as GDPR. The differences in requirements, such as system of records notices and data subject access requests, are highlighted. The discussion also touches on how the foundational principles of privacy, like the Fair Information Practice Principles, underpin all privacy laws and how they are adapted to current technologies.
Practical Privacy Advice for Security Professionals
The podcast concludes with practical advice for security professionals from a privacy perspective. Jarel suggests that security professionals should understand that their job is not done once a breach is mitigated. Instead, they should focus on best practices like minimizing data use, conducting continuous risk assessments, and embracing the concept of privacy by design. The conversation reinforces the idea that reducing the amount of personally identifiable information (PII) involved in systems can lower risks and improve an organization's competitive advantage by building trust with clients.
Closing Remarks
Tim Erlin thanks Jarel for the insightful discussion on privacy and acknowledges the value of understanding the role of a privacy officer. The podcast wraps up with an invitation for listeners to join the next episode, where they will continue to explore stories of protection and best practices in cybersecurity.
Keywords
Cybersecurity
Confidentiality, Integrity, and Availability (CIA)
Privacy
Data Lifecycle
Personal Identifying Information (PII)
Privacy by Design
Data Protection Impact Assessment (DPIA)
System of Records Notices
Cross-Functional Relationships
Data Minimization
Highlights
The podcast discusses the distinction between privacy and security in the context of cybersecurity.
Security professionals focus on CIA: confidentiality, integrity, and availability of data.
Privacy professionals concentrate on individual rights to control personally identifiable information.
Privacy and security are distinct disciplines within the broader cybersecurity industry.
Collaboration between security and privacy professionals is crucial for a comprehensive approach to data protection.
Privacy officers are involved in the entire lifecycle of data, from collection to destruction.
Privacy by design is an approach where privacy is embedded into the development process from the beginning.
Data privacy regulations require organizations to manage personal data responsibly, even if it's secure from hackers.
Privacy officers ensure compliance with data privacy regulations through proactive measures like privacy impact assessments.
The podcast emphasizes the importance of cross-functional relationships for effective privacy management.
A law background is not a requirement for a career in privacy, but it can be particularly helpful.
Privacy engineers bridge the gap between the technical and legal aspects of privacy.
Government agencies have different privacy considerations compared to commercial organizations due to specific laws and regulations.
The Privacy Act of 1974 provides the foundation for privacy requirements in government agencies.
Data minimization is a strategy to reduce risk by limiting the amount of personal data an organization holds.
Data mapping is essential for managing data effectively and responding to data subject requests.
The podcast concludes with advice for security professionals on learning from privacy practices to enhance data protection.
Transcripts
breaches and cyber security incidents
are making headlines every day what are
you doing to be prepared
welcome to the tripwire cyber security
podcast brought to you by tripwire the
show that explores cyber security for
the enterprise and how to identify and
protect against cyber threats before
they happen
listen for techniques and best practices
to harden your defenses against hackers
now here's your host tim erlin
welcome everyone to the tripwire cyber
security podcast i'm tim erlin a vp of
strategy at tripwire and today i am
joined by jarel oshody who's the deputy
chief privacy officer at the cdc i am
glad that you are here so on this
podcast um we generally talk about cyber
security information security which is a
pretty broad topic and that that that
topic can include privacy but i think
there is really a distinction between uh
privacy and security when you sort of
get down to the the details that they're
they're pretty distinct and uh the two
disciplines security and privacy don't
always align with each other so i'm i'm
excited to have you here to talk a
little bit about the the privacy side of
the the larger cyber security industry
um and i wanted to start with maybe just
that a topic of understanding what the
difference is so jarel from from your
perspective how do you see privacy and
security as as different how are they
distinct
well with security um i should say with
the security professionals that i work
with they're
generally
concerned with the what they call cia
the confidentiality integrity and
availability of data so you know they
don't want they want to make sure it
doesn't get in the hands of bad actors
they want to make sure it doesn't get
tampered with um they want to make sure
that it's available when we need it and
those are the things that they um tend
to focus on however um
as a privacy professional i are we tend
to focus on um
the rights
the rights that individuals have to
control their personal identify
information and how it's used um so
um basically
as a security professional they may
feel like
uh you know we've guarded against these
malicious threats
um and that like um
but and on the privacy side we're more
so focusing on the life cycle of data
how the personal information is
collected
shared used
destroyed
retention policies
things like that when it comes to
not just information but
information that includes personal
identifiers and so if i i mean if i
think about that as sort of you know two
over you know a venn diagram with two
overlapping circles
um you know security as you say is
focused on bad actors i mean privacy
obviously cares about bad actors as well
if they're
you know violating the the the privacy
rights that are you know of concern and
and security i would think cares about
some of the privacy aspects um because
obviously if you if you fail to protect
the data it can then fall into the hands
of bad actors definitely but keeping
personal data away from hackers doesn't
automatically make an organization
compliant with data privacy regulations
if that makes sense yeah that makes
perfect sense and i always um i always
that always makes me think back to the
the payment card industry the pci data
security standard
um which is a a security standard but um
when you dig into it you you have to
remember that it's there actually to
protect the the card brands not the
organization so understanding the
motivation behind the controls and
protections in place
even if they're the same is really
important it changes what the the
objective is like yeah yeah most
definitely and in privacy we definitely
especially with regards to privacy
impact assessments or what some people
may call
data protection impact assessments we
are definitely looking at the controls
we're looking at technical
administrative physical controls or
questioning them
making sure um
we are collaborating with security
professionals to find out like hey what
do you think about these technical
controls because you know i'm not as
well versed as
my counterparts so um it's definitely
collaboration
um more than anything
well so so let's talk about that that
role a little bit um of a privacy
officer you know uh because it's
different from being a security analyst
as we've talked about what is your your
job as a privacy officer
it encompasses a myriad of things all
identifying um pii so when it comes to
mapping data or i actually shouldn't say
mapping data because i know in the
security world that
means something else so just keeping
up to date with our data inventory
um
implementing privacy by design so we we
want to be we want people to reach out
to us and contact us to ask us questions
and guidance
um when new products
are being thought about or new systems
are being thought about we want to be
reached out to in the beginning because
we want privacy to be embedded into the
entire process we don't
when we're contacted after the fact
we realize holes we realize gaps realize
things where
data privacy wasn't taken into
consideration and you know it cost more
money to go back and fix something than
to basically be included throughout the
process
also
notifications are a huge
deal so
no making sure employees third parties
uh customers
are notified or given cons the
opportunity to consent with the
opportunity to withdraw consent um
also just
uh
developing privacy operations all
together from trainings um
annual trainings
uh tabletop exercises uh contracting is
a big part of it as well
especially when personal identifying
information is involved we want to make
sure
even with a
data use agreement we're sharing
information for research or what have
you we still want to make sure that
the party we're sharing information has
the proper controls in place and they're
going to take as good care of
this data um
just as we would and and they aren't
going to share it with other people um
we want to just make sure that
risk assessments are done so as i spoke
about pias we want to make sure that
when a new
system is being developed we're doing a
pia but also when that same system
decide our authorities decide hey we're
going to use the same system but we're
going to collect a different type of pii
or more pii or we're going to use the
same pii but for a different purpose
um you know what i mean it may
you may have a system where no social
security numbers were involved and now
we're going to be adding
we're going to be collecting ssns now so
that requires different controls
or um you were going to be using the pii
for a different purpose
that requires different consents that
requires what they call fresh consent
things like that and also collaborating
with the security function when it comes
to data incident response
so um our security
department they incur different types of
data incidents and breaches
but we may not be needed if it doesn't
involve
personal identifying information but if
it does
we're immediately notified and we have
to
mitigate those risks and determine how
notice should be given um
to those affected uh things like that
and
more
more so related in the government sector
we have the system of records notices
and those are published in the federal
register so if we do have a system of
record a system of record is basically
just a system where
um
information is retrieved
by using uh some personal identifier
like a social security number
or something like that so if
um if it's considered a system of record
then we have to
provide notice to the public allow a
30-day comment period in the federal um
before it's
allowed and then we have these routine
uses
for these systems
that allows us to utilize people's pii
to do our job to do the job that the
system was created to do
um
to process information or what have you
uh so i mean it's a it's a myriad of
yeah there's a lot
yeah i'm i could go on but
um
yes definitely so we're working with all
the business units privacy is involved
uh we're not siloed at all
anywhere there's pii basically exactly
so marketing
uh finance
hr
research and development
uh you
name it pii is likely involved
but and honestly we would love to
minimize the use of data that's like our
main goal
yeah yeah shrink the environment as much
as possible yeah so that's so is it
highly valuable for you to have sort of
cross-functional knowledge of how those
different functions operate in order for
you to do your job more effectively it
seems like it would be it's important to
have cross-functional knowledge but it's
more so important to have
cross-functional relationships
because i don't know everything i'm not
interested in knowing everything but i'm
interested in having relationships with
all of these different business units um
making sure they know that
my door is open the lines of
communications are always open and based
on um privacy by design please reach out
to us please let's talk about this um
you know i mean you're not bothering me
if anything you're making my life much
easier
and also creating privacy champions with
these people and these different um
in these different
areas um
as i impart knowledge on them
they can because you know
in many organizations the privacy unit
is
generally a small
uh
group
you know tasked with doing more with
less and so the more privacy champions
you have the more
trainings you can do
the less risk for human error uh
incidents
uh things like that and they get they
notice they see how
as we work together more we can create
faqs we can create uh
flowcharts things like that where they
don't necessarily have to reach out to
us as much because they are um empowered
by the knowledge that they have
because of our relationship
[Music]
you are listening to the tripwire cyber
security podcast thousands of
organizations rely on tripwire to serve
as the core of their cybersecurity
programs why because we detect
suspicious activity before it becomes
breach
our systems work on site and in the
cloud define monitor and minimize a wide
range of threats with deep system
visibility and automated compliance we
help you shorten the time it takes to
catch vulnerabilities and ensure your
organization is following the absolute
best practices in cyber security today
for more information visit tripwire.com
that's tripwire.com
when we talk about cyber security like
security analysts there's often a you
know sort of a technical background
there it's pretty common for people to
move from
uh you know sort of an i.t role and then
they become interested in security and
they move into a security role from
there that's a you know today there's a
you know educational career path that
people can take but in the past it was
often i.t
your background however is in in law as
opposed to
technology is that right
yes i am not
i am not technical at all um i rely
heavily on um
so we have our technical privacy
analysts and we have um
more so our
compliance privacy analyst um so
it's a team effort i definitely you know
i am an attorney i know the law
i know how to apply the law
operationalize the law um but also i
know how to be resourceful
and uh
leverage those that do have the
technical backgrounds to translate
uh what i would like like to implement
they can
though there are translators between the
technical um
and the compliance
so for someone who's interested in
privacy as a career is that law
background a requirement is it just
um particularly helpful or is it that
they're as you sort of were describing
there are two disciplines there's a
technical side and a legal side oh no
yeah it's definitely not required i mean
there's privacy counsel council
so those are generally attorneys people
with legal
background they call jd adjacent or
legal adjacent type positions also
privacy compliance where jd helps
there's also
a new growing field there there's
actually a new
um
certificate for it
but the privacy engineers
privacy engineers is
that field is growing they are basically
uh
they are the tech people who are the
translators
yeah yeah they're the best of both
worlds if you ask me
um but then there's and then we have the
security and the people who are more
technical or someone that may have their
cissp
or something like that
um
may not be able to
uh communicate as easily with someone
like me who has my who you know i may
speak legalese and the privacy engineer
is the perfect middle person
uh to help uh get the job done
yeah to split that difference or provide
that as you said that translation
of the the legal language into the
technical implementation
so you you obviously work at a you know
large government agency but privacy
isn't something that's exclusive to to
government so
what are sort of the key differences
between privacy considerations for
a government agency versus a you know a
commercial organization
well um
so for instance in the government
the privacy act of 1974 is
the main law that we follow and
operationalize and
under it you know that's that required
that's why
the under the privacy act or under
privacy like there's the e-gov
um
act and
that states you know for every system a
privacy impact assessment is required um
those system of records notices i spoke
of are required um people can um
request information that the agency has
on them
in a system of record through a privacy
act request and where to respond in a
certain number of days
um on the other side in the private
sector
there's
all of these sectoral privacy laws state
privacy laws um other countries they
have their own
privacy laws
and they
they have the same principles but for
instance uh data subject access requests
and
under in the private sector
states like california or
like gdpr they have a long list of
individual
rights
that they have with organizations so
they can request access
deletion correction
they have a long list of
requests that they can make and there's
they also have a certain amount of days
that
those things must be completed um
there's all but there's no
system of records notices required or
things like that there's no uh need
there's no mandate that a privacy impact
assessment must be completed for every
system that a company has generally i
know with gdpr
dpia is only required
uh when sensitive pii or high risk pii
is involved uh things like that those
are uh
differences
of the obvious differences
um that i see and and also with
contracts
uh the contracts and the private sector
i know that
um
there's less red tape um
many of the because there's no
federal privacy law
i mean every state doesn't have a
privacy law lots of the data protections
that are in place are contracted there
are data protection clauses involved
that um that are mandating uh how data
is protected shared used destroyed
things like that
so the privacy act of 1974 obviously
predates
much of the technology that we're using
today but it still provides the
foundation for
the privacy requirements and practices
that are
you know that we apply today in you know
our sort of much more connected world
um was the the second piece that you
mentioned in there sort of an update
that allows
updates the law to apply to the current
technology how does that work actually
that's fascinating well actually the
privacy act um is based on
the i believe it's the fair information
practice principles
and
the fair information practice principles
are actually
what
i personally feel
all of these privacy laws are based upon
um the are you familiar with the effect
with that
no well no i'm gonna say yes but you
know for the benefit of the the
listeners that you should explain it
so yes the whole um the collection
limitation
data quality
purpose specification
where you need to you know state the
purpose or the reason that you need pii
the use limitation
saying you can't disclose it or you
can't collect it for one reason and use
it for another the security safeguard
principle the openness principle
uh the individual participation
principle that's just all of the rights
that individuals have with regard to
their information
and the accountability principles and
that's saying that the person who is
controlling my data has to be
accountable by you know complying with
whatever reg or measures are in place um
so
though the um fipps is really what uh
all privacy laws are based on but yes
the privacy law of 1974
i find it interesting that
um
10 years ago when i
was handling privacy access requests for
individuals and foia requests for
individuals
now i see all of i always
i always i felt like i was speaking
another language
when uh
people my friends were in the private
sector and didn't
uh they would they just were like they
didn't they weren't aware of how much
or how many rights we had with regard to
our personal information and now
many of them with these the data subject
access requests in the private sector
they get it
so
yeah and it seems you know from an
external perspective
it seems like gdpr was really sort of a
a watershed moment for
changing the public perception of
you know sort of uh
data data rights 100
people didn't even know that
uh
that was a thing
you know what i mean and it also
caused
it also caused companies and
corporations
to
um manage their data better because if
it was mapped properly
you're able to you know if it's created
in a way back to privacy by design
uh is created in a way
to where if you need
all the information on jarel oshody
it's the data's mapped in a way that you
can see with systems
uh
and you know and you're able to carry
out that action or carry out that
process
yeah if you're required to to be able to
delete all the data on an individual you
better be able to find all the data on
that individual exactly and that's how
it starts that's why uh data inventory
is the very beginning you can't manage
what you don't know you have yeah yeah
which is you also can as far as data
incidents and data breaches yeah
it's an interesting corollary to the the
security phrase you can't you can't
secure
uh you know what you don't know you have
as well and same same is true for data
and privacy yeah
definitely and yeah they definitely uh
overlap most definitely
[Music]
you are listening to the tripwire cyber
security podcast thousands of
organizations rely on tripwire to serve
as the core of their cybersecurity
programs for more information visit
tripwire.com
that's tripwire.com
so i i want to i want to end our
conversation with maybe a sort of a
little practical advice for
uh the security folks who are listening
to security analysts and professionals
um so coming from from from the privacy
side of of the industry
what what lessons do you think
information security can learn
from privacy
it would be nice if they understood
that
we that our job isn't done
just because
we've mitigated a breach
or
just because we prevented
uh access
in a particular
place like we're always focusing on best
practices minimizing data where we can
just constant
risk assessments
when data is used in a certain way
that's that's really interesting
you you you touch there on this this
idea of sort of minimizing where data is
used as a means to
you know essentially shrink the
footprint of what you have to be
concerned about and
that seems like something that that
security could could look at um you know
sort of the the concept of minimizing
the surface area if you will
um for attack or for for an attacker as
a as a you know a means to to reducing
the amount of work um to secure an
environment yes
yes so if we
the less pii involved
the lower the risk the less
uh high risk
uh
the less risk as far like if if a system
is hacked and
all the information is
uh
and none of the information involves pii
then
the risk is a bit tends to be a bit
lower um
because companies
it's their reputation at risk it's the
trust of their clients um things like
that that it's a competitive
differentiator if you will these days
uh so the the more de-identified
information we can use or anonymous uh
anonymized information we could use the
better
i want to thank you jarel for joining us
i thought it was a super interesting
conversation i learned a lot about
privacy and what it means to be a
privacy officer
and i really appreciate you spending the
time with us oh thank you i appreciate
you asking me and i appreciate
discussing it as well because i feel
like no one knows what i do so
well now now some people do at least
and thank you to everyone for listening
uh i hope it was enjoyable and i hope
you'll tune in for the next episode of
the tripwire cybersecurity podcast
you have been listening to the tripwire
cyber security podcast join us next time
as we explore stories of people
protecting people and techniques and
best practices to harden your defenses
against hackers
we'll talk to you next time on the
tripwire cyber security podcast
[Music]
you