It’s Time to Combine Security Awareness and Privacy Awareness Training
Meet Bob. Bob’s an employee at BigCorp, and he’s confused. He has Information Security folks requiring him to take training once a year and posting videos and sending simulated phishing e-mails all the time. He also has the Privacy Team requiring training and inviting him to “lunch and learns” on privacy by design. But Bob still doesn’t understand quite where security ends and privacy begins. When he asks, the privacy and security folks are happy to go on at length about how different their two domains are, but to Bob, it sounds like an old Miller beer ad: “Tastes great!” “Less filling!” To Bob, it’s all about protecting data. He wishes that security and privacy would come together to present a single, coherent message. The best chance for this to happen is by combining security and privacy awareness efforts into a single, unified effort. And the time is now.
It’s clear that the conditions are ripe for a merger of the security and privacy domains—at least in the way they communicate about risk to employees. After all, it was just yesterday that cybersecurity pros were in the hot seat following big data breaches at Target and Anthem and others, and that the information security profession as a whole was coming to terms with the idea that all the technical protections in the world were not going to save the day if you didn’t also prepare all your employees to be a “human firewall.” Today, similar attention and pressure is being placed on the privacy profession, with the GDPR and the CCPA the sharp regulatory point of the spear for the ever-increasing scrutiny being placed on companies that consume vast amounts of consumer data and fail to apply appropriate controls and protection. As with security, the privacy profession is coming to terms with the fact that all the privacy policies and lawyers in the world won’t do you any good unless your employee population puts good privacy protections into practice in their day-to-day jobs.
When it comes to awareness, then, let me make an introduction: Security Awareness—meet Privacy Awareness. Your goals are largely the same—you want employees aligned with your mission to create a more secure, trustworthy, and risk-aware culture. And the methods you use to achieve your goals are also similar: You both use training, ongoing communication, and reinforcement to reach employees. There are important differences in your domains, from the nature of the risks that you are trying to mitigate, to the narratives of how that risk presents itself to users, and finally to the moral complexity of the broader social context you engage in. Understanding these differences can clear the way for the merger of security and privacy programs—at least when it comes to awareness.
The Risks Are Different
The security and privacy professions have always found kinship over a certain type of risk: the risk involved in securing the personal data that the organization gathers. Privacy pros recognize that part of their responsibility is to designate appropriately secure places to store data, and security pros recognize their responsibility in building and guarding these secure places. But their risk domains diverge substantially after that: Security folks are determined to resist attacks from a variety of malevolent outsiders, including cyber criminals, nation-state hackers, and hacktivists, and to ensure that employees do not expose the organization to these external dangers. In the security domain, the threats are largely external, and they are imposed on the organization against its will. (Though, of course, there are also risks posed by employees who, through negligence, ignorance, malice, or inattention, pose a threat.)
The threats faced by the privacy profession are very different, indeed. Perhaps the greatest difference is that privacy risks are created by the business itself as it handles personal information in the conduct of its work; in that sense they are voluntarily chosen, not imposed by an outside actor. They are the risks that arise as you place complicated work in the hands of fallible humans, and very often they involve questions of ethics and judgment that can be genuinely complicated.
No matter the difference in the ways these risks present themselves, the truth is they present themselves to employees, and it’s the employees who need to develop the skills to identify and overcome these risks, no matter where they originate.
The “Bad Guys” Are Different
What’s the first image that comes to mind when you think of the “bad guy” or enemy when it comes to cybersecurity? Chances are you’ll turn to a stereotype: a hacker dressed in a black hoodie, hunched over a keyboard, or a malevolent-looking Russian who is part of a criminal syndicate launching cyberattacks.
Such stereotypes are now so common that they are ridiculed, but like most stereotypes, they reveal that our culture embraces the idea that there is a “bad guy” out there who is trying to hack into our protected domain to pursue his illicit ends. With bad guys like this, it’s hardly any surprise that our good guys proudly don the honorable mantle of law enforcement or military and use an abundance of military language to describe their work, from defending the perimeter to threat vectors and so on. The basic narrative structure adopted by the cybersecurity professional is simple and direct: We are the good guys, and we are protecting the innocent and virtuous organization from the bad guys.
Privacy has no singular bad guy. Oh, sure, privacy pros also identify the cyber criminal as a menace, but he is not central to the privacy narrative. Instead, privacy pros work within a much more complicated moral landscape, one in which the very act of gathering and using personal data puts the company at risk, and not just the risk of falling out of compliance with the law but also the risk of losing the trust of employees and customers. The bad guys in the privacy domain are not so much evil as ill-informed: They are the software engineer who doesn’t segment her database to isolate geolocation information, or the marketing assistant who neglects to consider whether he has the appropriate consent to send an e-mail blast to the intended recipients. In this world, the privacy professional is still the good guy, but in a more complicated ethical position. They are the guardians of the ethical protections placed on personal information, and they must direct their company and its employees on the complexities of staying within appropriate boundaries on the collection, use, and storage of data.
Attend the professional gatherings of security and privacy professionals (as I’ve done in recent months), and these differences are immediately manifest: The security conferences are overpopulated by men, many with military or law enforcement backgrounds, and the stories they tell are filled with the language of protection and the suppression of threats; the privacy conferences are filled with lawyers, equally male and female, and their stories are about the difficulties of navigating the ever-shifting ethical boundaries around personal information.
You can see how easy it would be for more doctrinaire members of either profession to mischaracterize the other. Privacy purists might judge the security advocate to be living in a black-and-white world and believe that the security professional is over-committed to technical solutions and an overly defensive posture. Security purists, on the other hand, see the privacy professional as prone to underestimating threats and overly dependent on policy and procedure to accomplish what should be done with strict controls.
These Differences Don’t Matter to Employees
And yet, both professions need to recognize that all their differences—in risks, in “bad guys,” in the narratives and mental models they use to understand their work—truly mean nothing to most employees. And it is those employees that both domains are trying to reach with their awareness training, reinforcement, and other programs, including phishing simulations. It’s truly in the delivery of the Awareness Program that security and privacy professionals stand the best chance of reaching their common goals.
In a joined Security and Privacy Awareness Program, employees can be presented with a view of the world as it really is: one where the very work of the company (no matter the industry) creates the risk of exposure, and where the personal data and intellectual property created by the company provide a tempting target for nefarious outside actors. In such a program, employees can recognize that the world they live in at work is much like the one they inhabit in their daily lives, and that they play a role in deciding what to share and who to share it with, as well as a critical role in keeping their own access and their own data protected. In the conceptual world created by a joined program, employees don’t need to parse out the differences between security and privacy—they can recognize that these are simply different elements of an overall data protection program that truly has the best interests of the company at its core.
Combining Security and Privacy together in a Data Protection Awareness Program (or a Risk Awareness Program) provides practical as well as conceptual benefits. The practices used by mature Security Awareness programs—with their model of a continuous and ongoing education program, one that combines required training with a regular drumbeat of supporting communications, or reinforcement—can be extended to include privacy-related content, and pooling resources into a shared program allows such a best-practices program to operate with fewer overall staff. Combining security and privacy content into a single annual training course reinforces the overall message that these are not separate domains, and it also has the side benefit of reducing overall training time by reducing overlap. Even the beloved phishing simulation tools used by Information Security teams can be leveraged to support the privacy program by testing employees’ ability to demonstrate their embrace of appropriate privacy practices.
There is little to lose and much to gain from a combined program that emphasizes the variety of risks faced by organizations in today’s digital world and invites employees to build the knowledge and skills they will need to survive and thrive both at work and at home. Because Bob doesn’t care about the differences between security and privacy—he just wants to know what to do to protect himself and his company.
Tom Pendergast is the chief learning officer and security strategist at privacy awareness and training firm MediaPRO.