Why privacy and security teams should collaborate 

Michael Lucas and Michelle Erickson
| 12/17/2021
Getting privacy and security teams on the same page is a critical component of a robust security posture.

Getting privacy and security teams on the same page is a critical component of a robust security posture.

Consider this scenario: An organization’s privacy team rolls out a new third-party risk management system that required devoting significant hours and budget, building out a privacy questionnaire, developing the flow of the assessments, and configuring software. After the privacy team sends out assessments, it begins to receive responses from the third-party recipients such as, “I already completed a security assessment. Why is this coming separately?” and “Our contract requires us to respond to only one assessment annually, and we have already completed a security assessment for your company.”

This situation – security and privacy teams acting independently – is all too common. Privacy and security teams might share similar strategies, but when they operate independently of one another, their similar systems and processes can overcomplicate the organization’s approach, and the teams can end up competing with one another for attention and resources. Too often, even with numerous shared goals – managing third-party risk, meeting data regulation requirements, responding to incidents and potential breaches, and ensuring that data is processed and stored securely and ethically – privacy and security teams remain siloed, and they rarely come together to collaborate. Organizations that want to strengthen their security postures should evaluate their privacy and security teams and work to increase collaboration between them.

Sign up to receive the latest cybersecurity insights on identifying threats, managing risk, and strengthening your organization’s security posture.

What makes collaboration so difficult?

Privacy and security teams function separately for a reason. After all, their education, expertise, and day-to-day activities differ quite a bit. Unfortunately, because they function separately, organizations and the teams themselves sometimes come to the conclusion that privacy is a legal problem and security is a technology problem. However, the overlap between privacy and security is significant. Additionally, the breadth of each team’s coverage can make it difficult to develop strategies and prioritize projects independently or to even consider collaboration. Without frequent communication, a lack of mutual understanding of each team’s functions develops, which can lead to an inability to find common ground and collaboration opportunities. 

Once the organization establishes – likely by default – a culture of privacy and security teams operating independently, it can become difficult for the teams to emerge from their silos because collaboration is based on mutual trust. True collaboration requires that teams work together with confidence that everyone is focused on the best mutual results rather than on solutions that unequally benefit one team. This level of trust can be difficult to accomplish with teams that frequently work together – and it’s nearly impossible for those that do not. 

One obstacle to developing trust is that privacy and security teams use separate metrics and reporting requirements. Privacy and security teams typically report up to the chief privacy officer (CPO) and chief information security officer (CISO), respectively, and they must separately report on the progress and success of projects and the performance of their teams. Reporting to different leadership can impede collaboration because privacy and security leaders often have different timelines and priorities in mind. For example, data classification and mapping might be a priority objective for the privacy team but toward the bottom of the wish list for the security team. Especially with teams that are stretched thin, competing priorities usually result in an inability to provide resources to any noncritical activity. 

What are the benefits of tight integration?

When organizations can overcome these obstacles and develop a tightly knit, integrated community of privacy and security professionals, success often follows. Certainly, teams experience an adoption period as they get used to collaborating and as they adjust to each other’s work styles. But when collaborative processes are in place, each team’s – and ultimately the organization’s – resulting efforts can have more diversified inputs, broader reach, and increased depth.

Successful collaboration often results in increased efficiency, both during the development of the project and following implementation. During project development, appropriately distributing tasks to the most suitable team increases efficiency. For example, if privacy and security teams collaborate on a risk management solution, the privacy team might identify relevant third parties using its inventory of existing data protection agreements while the security team addresses platform development. The teams can develop separate lists of questions to include in the third-party assessments and then review the lists together to remove redundancies and create a concise experience for the end user. After project completion, because both teams are familiar with the shared platform, the number of manual processes required is reduced, and third-party inventory and assessment results are available in the same platform for collaborative reporting and tracking.

Another benefit of collaboration is increased compliance from end users. For example, the privacy team might introduce privacy training via a learning platform to familiarize the organization’s employee base with the growing list of privacy regulations. At the same time, the security team also needs to deliver training to employees. Rather than the security team working on a separate platform to issue its own training, it’s more efficient to add content to the existing learning platform. In the end, with a more seamless training experience, employees might be better equipped to comply with privacy and security regulations.

Increased end-user compliance also extends to third parties. When third parties and vendors receive multiple requests for assessments from the same client, they can become overwhelmed, ask for alternative options, or delay assessments. However, delivering all security and privacy requests in a unified, concise format can result in fewer questions and concerns from third parties.

Finally, one of the most significant results of collaboration between privacy and security teams is increased support from leadership. When these two separate functions come together and present how a desired project addresses the goals and strategies of both departments, they are much more likely to receive leadership support, which can result in more funding and resource allocation on future projects. Leadership is pleased because the organization is using resources efficiently, and privacy and security teams are happy to receive the resources they need to accomplish their goals. 

How can privacy and security teams find opportunities to work together?

In a culture of siloed privacy and security departments, it can be difficult to identify ways to come together and collaborate. One simple way to encourage collaboration is to align the privacy and security enterprise with a common framework. Agencies such as the National Institute of Standards and Technology (NIST) have developed frameworks with both privacy and security considerations, which, when adopted, can help the teams speak a common language and work toward the same goals.

Once an organization aligns with a framework, privacy and security teams can designate which team is responsible for ownership of the controls or control families and identify areas that naturally benefit from collaboration. The collaborative opportunities should naturally break down into a spectrum, as illustrated in the following exhibit:

Exhibit: Interdependence of security and privacy

Interdependence of security and privacy
Source: Crowe analysis

When identifying areas of collaboration, organizations might first consider the domains in the center of the graphic that demonstrate the most overlap between security and privacy. With this middle ground as a starting point, replicating this approach into other areas can become more natural.

  • Breach management and notification. If a breach occurs at an organization, the security team likely will take initial notice. However, involving the privacy team in the breach analysis and response is critical, as privacy requirements are relevant if the breach involves personal data.

    Privacy and security teams can streamline the incident response collaboration by proactively working together to outline the response process, identify owners of each step in the response plan, and determine the criteria an incident must meet to have privacy implications. By preparing in advance, the teams can respond more quickly and be able to meet requirements when faced with an actual incident.
  • Data protection. Data protection encompasses significant governance and technical controls. Privacy regulations include strict requirements for data governance, such as requirements for data classification and mapping, data protection controls, and data destruction controls. In order to achieve compliance with many of these controls, the privacy team needs support from information technology and security. 

    Privacy and security teams can collaborate to develop a shared data classification model, allowing the organization to classify data according to its impact on security (including confidentiality, integrity, and availability) and privacy. Additionally, teams can work together on data mapping exercises, which allow the privacy team to demonstrate compliance with regulations and give the security team a more comprehensive picture of the data it needs to protect. Finally, the teams can establish agreement on standards for operational data controls including encryption, backups, retention, and destruction processes that address both teams’ concerns. 
  • Access management. Access management is a key principle of cybersecurity, and the organization’s security team likely has defined standards and procedures to manage access. However, privacy teams must be able to demonstrate that access is managed effectively. A requirement of privacy regulations is that personal data is accessed by only those users who require the information.

    In order to demonstrate this need for access, an organization must have a clear picture of where personal data resides and who has access to those locations. The privacy team can work with the security team to communicate these requirements and identify relevant data storage locations. The security team can then better assist the privacy team by communicating its access management procedures to make sure they meet the shared teams’ goals.
  • Training and awareness. As mentioned, privacy and security teams provide employee training to make sure that data is handled appropriately and that all employees understand their responsibilities. Rather than attempting to tackle this separately, both teams can work together to develop a comprehensive training plan that addresses both security and privacy considerations. 

In general, it is critical for each team to identify liaisons and for teams to stay connected with one another. Establishing periodic meetings to discuss what each team is working on and learn about projects that are underway can help encourage further discussion, spark ideas, and organically identify ways for teams to support each other. Privacy and security leadership should encourage their teams to remember the shared goals and realize they can accomplish more together. 

 

Is there a topic you’d like to read about?

Let us know.