Ann Cavoukian, who served as Ontario’s Information and Privacy Commissioner from 1997 until 2014 and now works for Ryerson University’s Privacy and Big Data Institute, believes that focusing on privacy and data security will not constrain a company’s growth.
Quite the opposite, actually.
“It’s a threat to not address security and privacy,” Cavoukian says, citing recent security incidents involving Madison Square Garden and the U.S. Navy as two examples of the many “remarkable, massive data breaches” that occur every day.
“The need for security is absolutely essential,” she says. “And while privacy subsumes a much broader set of protections than security alone, in this day and age of cyber attacks, if you don’t have a foundation of strong security, you’re never going to have any privacy.”
The case for ‘security by design’
Since leaving her position as Ontario’s security watchdog, Cavoukian has dedicated much of her time to advocating for what she calls a “non-zero-sum” approach to data privacy, emphasizing that enterprises and other data-dependent organizations should not develop security solutions by weighing one interest against another – say, privacy versus data utility – but by maximizing both, a process she calls security by design.
“It’s a challenge,” she acknowledges. “But doing it after the fact means you’re already missing out on so much – the data breach has happened, and you’re playing catch-up.”
By embedding security and privacy into a project’s design stage – whether said project involves coding, building a system, or developing an operational practice – it becomes an essential feature rather than an afterthought, one that can develop along with the rest of your work, Cavoukian says.
Naturally, she adds, this idea has met with resistance in certain circles.
“Whenever I see people say, ‘that will slow us down,’ I go, ‘are you kidding me? Privacy breeds innovation.’ Because you have to be really smart and creative to have those privacy and data utilities in place,” she says. “And you can do that best by embedding privacy into design.”
A business, rather than technical, problem
To a great extent Jason Doel, co-founder and COO of IT risk management firm Tracker Networks Inc., echoes Cavoukian, but working in the risk management sphere has helped him understand why many companies – mid-sized businesses especially, along with some enterprises – are so often reluctant to implement the changes needed to shield themselves from both privacy advocates and cyberattacks in the first place.
“To me, the words ‘security’ and ‘privacy’ – especially ‘security’ – have a technical connotation, rightly or wrongly, and so people tend to think of it as a technical issue, which I don’t think it is,” Doel says. “I think it’s really a business problem, and I think that’s part of the reason why there’s a disconnect.”
Framing security as a technical problem, he says, leads many businesses to evaluate it as a pass/fail proposition – that is, the company is either secure or it’s not – and ensuring the company’s security simply involves building virtual walls.
“I don’t think that model ever worked,” Doel says with a chuckle. “But I think companies are at different stages of recognizing that, and that at the end of the day it’s a business risk issue.”
Instead, he says, business leaders from the CEO and board members on down should strive to identify the risks their company faces – and what they’re prepared to accept – before repositioning security as part of their enterprise risk management scheme or, at the very least, making sure the two departments are aligned.
That advice might be anathema to many Canadian companies, but the largest European and American multinational and financial services firms have already made the transition, he says, acknowledging that many midsize companies are still working through this realization, which in many cases requires translating technical concepts into business terms that the C-suite can understand.
“We use the term ‘crown jewels,’” Doel says. “What do you consider your crown jewels? … Too many people when they go into risk management take a traditional top-down approach of trying to estimate when bad things could happen, and I think they could make progress much faster by coming at it from the bottom up, by focusing on the crown jewels.”
Once you’ve identified your crown jewels, he says, you can also identify the systems hosting your most valuable data, along with the risks facing them, and prepare accordingly.
“There is no such thing as perfect security,” Doel says. “Every organization eventually gets hacked one way or another, and this idea that it’s the technicians’ problem and they have to keep everything perfect is not a realistic approach.”
“It’s similar to what I believe the financial industry went through when they embraced risk management, because the companies found that the better they got at risk management, the riskier business they were able to take on,” he says. “I think there’s a parallel in technology – when you have a good culture, when your business executives are aligned with your technology executives, and you have an objective, fact-based framework for making decisions regarding new innovations, then you can actually outperform your peers by being able to embrace innovation faster.”
It’s not just about recovery
More importantly, as Ryerson’s Cavoukian notes, embedding privacy-enhancing features such as data encryption into a company’s code from the outset can help it avoid headline-grabbing breaches in the first place.
“As you know, data breaches not only result in lawsuits, but class-action lawsuits,” Cavoukian says. “And it’s not just the dollars and cents paid by the company that is overwhelming, but the damage to your brand.”
“Trust is at an all-time low these days, so I always tell companies – use privacy to gain a competitive advantage,” she continues. “And, if you build trusted business relationships with your customers, they will gladly let you have their information for other secondary uses.”
Tracker Networks’ Doel also notes that in his opinion certain sectors, notably the Internet of Things (IoT), should be constrained by security concerns: “I don’t think it will be, but it probably should be,” he says with a chuckle. “I think the pressure of innovation is going to push it so fast that it’s going to outstrip our ability to secure it.”
After all, he notes, IoT has already formed the basis of many high-profile attacks – and without an industry framework in place, it’s likely to get worse before anyone figures out what to do about it.
Cavoukian and Doel will be joined by financial services firm TMX Group Ltd.’s chief information security officer, Bobby Singh, and identity management software developer BioConnect’s founder and CEO, Rob Douglas, for a panel entitled “Security and Privacy: Still Constraints to Growth?” at Technicity 2016, an IT World Canada-sponsored event taking place tomorrow, on