In our second installment, we’ll cover the next phase in the lifecycle, Design. Keep in mind, depending upon your circumstance, you could enter the lifecycle at any stage. This installment title does not contain just a catchy subtitle but actual requirements under law in legislation like the European Union’s The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Keep in mind that Data Security and Data Privacy are not precisely the same but very closely related and interdependent.
Why is designing security and privacy into all facets of an organization important? It is about appropriately protecting sensitive information, and we humans are projected to create more of that information in the next five years than in all of human history! Think about the Internet of Things (IoT) connected devices, software development, computer-aided manufacturing, agriculture, etc. These verticals interact with sensitive information on computer systems/software that is often implemented in their “default” – less than an optimally secured state. That leaves users and organizations left to figure out after-the-fact how to govern and secure them. It is far easier, cheaper (sometimes by as much as 200%), and most often more effective to build these elements in at the outset (or acquire systems and software that are secured out of the box) vs. bolting privacy and security on as a hasty and probably only marginally implemented afterthought.
Where should this designing take place? At the requirements gathering phase all the way through delivery into production. What elements should be included in Design? If any element of it can interact with sensitive data, however your organization defines “sensitive data,” then it should consider security and privacy. At the minimum, that means architecture and implementation of any of the following:
- servers
- networks
- backups
- end-user devices
- applications (cloud or on-premises, commercial off the shelf and homegrown)
- cloud services (IaaS/PaaS/SaaS – hybrid/public/private)
- databases
- access permissions
- data flows
So let us talk about benefits. For Privacy by Design, besides being part of the law in some case and now often being considered a basic human right, there are three primary benefits:
- Identifies potential problems with data protection upfront
- Promotes greater awareness of privacy and data protection issues across an organization and therefore, companies are more likely to comply with legal requirements
- Reduces the chance or impact of a reputation hit
There three big benefits for Security by Design as well:
- Reduces human errors at the earliest stage possible
- Reduces your attack surface, the sum of the different points (or “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment, a basic security measure
- Reduces the risk of liability
In summary, strong and effective security is essential to meet the objectives of privacy. Sound privacy principles are valuable in guiding the implementation of security. Security by Design & Privacy by Design (SPBD) work hand-in-hand, or should. Design them both in from start to finish for better outcomes every time.
Our next installment will address how to proactively manage data privacy and security, making continuous improvements for a more robust and resilient organization. See you then. In the meantime, BE AWARE. BE SECURE.