In the event of a data breach, a company's security and privacy organizations share the responsibility for damage control. Yet resources are allocated unequally between the two.
"Security teams are almost always bigger than privacy, I think that's a given," said Ron De Jesus, head of global privacy at Grindr, during the RSA Conference Wednesday. Security teams are "not necessarily more mature, but they definitely have more resources."
Companies spend more on security: security spending is expected to reach $150.4 billion in 2021, while privacy-related spending is projected to surpass $8 billion through 2022, according to Gartner. Yet the overlap between the two functions is considered a core competency for security professionals.
Because so many layers of privacy work depend on security controls, privacy organizations need to lean on their security counterparts as much as possible. If companies are not aware of the overlaps between their security and privacy organizations, time and resources are wasted.
"If you have a strong security team in place for your organization, they can be some of your strongest ambassadors," said Susan Lyon Hintze, managing partner at Hintze Law, during the conference.
"You don't have to create something new," said Lyon Hintze. Even if security is not in a privacy professional's lane, "those are your best friends, you better get to know them."
The intersection of data security and privacy policies means the security organization "may have already done a lot that you can leverage," as a privacy professional, said Lyon Hintze. Even where the security organization is entirely responsible for data security, with no input from privacy, Lyon Hintze wants privacy professionals "to be good friends with security … buy them pizza, take them out for coffee."
The person in charge of a company's data security is responsible for fundamentals that privacy practitioners also need. Data inventory, for example, is likely something security organizations already do and privacy organizations need.
Privacy for all
Any silos between the two departments could impact the work either group is doing. It doesn't matter who takes the initiative to involve the other, but companies should ensure privacy is infused into existing security processes. Areas where companies might find overlap between the two include incident response plans, and the security reviews that precede application launches, into which privacy review can be folded.
Uber's Chief Privacy Officer Ruby Zefo previously worked at Intel when the chipmaker folded privacy touch points into its security development lifecycle as privacy needs and policies became more robust. Intel was able to place the touch points throughout the company's existing security development lifecycle process "so that the engineers would not have to go through a completely different process to do those things," she said during the conference.
The incorporation of privacy into security influences Intel's product development, which has an effect on the company at large. Uber uses the same approach, a single intake process in which security and privacy each answer their respective questions, to improve the overall goods and services the business offers.
Still, it's difficult for privacy executives to share their metrics of success with business stakeholders. "When I tell the exact team that we've done 10 [data protection impact assessments], there's crickets at the end," said De Jesus. "It was exciting for me to say and it was exciting for our team," but it doesn't compute for stakeholders. It's a similar dilemma security executives face when talking to the board.
Because of high-profile data breaches, there is more attention than ever on privacy and security, however. "I hope that coming down the line, we'll be able to measure how these types of privacy controls have actually increased revenue," or application downloads, said De Jesus.
With privacy and security protocols affecting a company's products, reaching the average employee with privacy-specific information can be daunting when security is also competing for their attention.
Instead of risking training fatigue from separate security and privacy courses, De Jesus suggests the two functions "piggyback as much as we can" on one another. Security and privacy professionals are aware of the nuances between them (one discipline is more technical, the other more legal), but the general employee base or stakeholders likely don't understand the distinction.
Uber uses a privacy champions program that has amassed nearly 300 participants, according to Zefo. Participants are given specific training and tasks, and if their performance reaches a certain level, Uber has incentives in place for them.
"Their management has visibility into it, they get a spreadsheet with who's participating, and that can help them with their annual review," said Zefo. "So there's a give but also a get."