What makes collaboration so difficult?
Privacy and security teams function separately for a reason. After all, their education, expertise, and day-to-day activities differ quite a bit. Unfortunately, because they function separately, organizations and the teams themselves sometimes come to the conclusion that privacy is a legal problem and security is a technology problem. However, the overlap between privacy and security is significant. Additionally, the breadth of each team’s coverage can make it difficult to develop strategies and prioritize projects independently or to even consider collaboration. Without frequent communication, a lack of mutual understanding of each team’s functions develops, which can lead to an inability to find common ground and collaboration opportunities.
Once the organization establishes – likely by default – a culture of privacy and security teams operating independently, it can become difficult for the teams to emerge from their silos because collaboration is based on mutual trust. True collaboration requires that teams work together with confidence that everyone is focused on the best mutual results rather than on solutions that unequally benefit one team. This level of trust can be difficult to accomplish with teams that frequently work together – and it’s nearly impossible for those that do not.
One obstacle to developing trust is that privacy and security teams use separate metrics and reporting requirements. Privacy and security teams typically report up to the chief privacy officer (CPO) and chief information security officer (CISO), respectively, and they must separately report on the progress and success of projects and the performance of their teams. Reporting to different leadership can impede collaboration because privacy and security leaders often have different timelines and priorities in mind. For example, data classification and mapping might be a priority objective for the privacy team but toward the bottom of the wish list for the security team. Especially with teams that are stretched thin, competing priorities usually result in an inability to provide resources to any noncritical activity.
What are the benefits of tight integration?
When organizations can overcome these obstacles and develop a tightly knit, integrated community of privacy and security professionals, success often follows. Certainly, teams experience an adoption period as they get used to collaborating and as they adjust to each other’s work styles. But when collaborative processes are in place, each team’s – and ultimately the organization’s – resulting efforts can have more diversified inputs, broader reach, and increased depth.
Successful collaboration often results in increased efficiency, both during the development of the project and following implementation. During project development, appropriately distributing tasks to the most suitable team increases efficiency. For example, if privacy and security teams collaborate on a risk management solution, the privacy team might identify relevant third parties using its inventory of existing data protection agreements while the security team addresses platform development. The teams can develop separate lists of questions to include in the third-party assessments and then review the lists together to remove redundancies and create a concise experience for the end user. After project completion, because both teams are familiar with the shared platform, the number of manual processes required is reduced, and third-party inventory and assessment results are available in the same platform for collaborative reporting and tracking.
Another benefit of collaboration is increased compliance from end users. For example, the privacy team might introduce privacy training via a learning platform to familiarize the organization’s employee base with the growing list of privacy regulations. At the same time, the security team also needs to deliver training to employees. Rather than the security team working on a separate platform to issue its own training, it’s more efficient to add content to the existing learning platform. In the end, with a more seamless training experience, employees might be better equipped to comply with privacy and security regulations.
Increased end-user compliance also extends to third parties. When third parties and vendors receive multiple requests for assessments from the same client, they can become overwhelmed, ask for alternative options, or delay assessments. However, delivering all security and privacy requests in a unified, concise format can result in fewer questions and concerns from third parties.
Finally, one of the most significant results of collaboration between privacy and security teams is increased support from leadership. When these two separate functions come together and present how a desired project addresses the goals and strategies of both departments, they are much more likely to receive leadership support, which can result in more funding and resource allocation on future projects. Leadership is pleased because the organization is using resources efficiently, and privacy and security teams are happy to receive the resources they need to accomplish their goals.
How can privacy and security teams find opportunities to work together?
In a culture of siloed privacy and security departments, it can be difficult to identify ways to come together and collaborate. One simple way to encourage collaboration is to align the privacy and security enterprise with a common framework. Agencies such as the National Institute of Standards and Technology (NIST) have developed frameworks with both privacy and security considerations, which, when adopted, can help the teams speak a common language and work toward the same goals.
Once an organization aligns with a framework, privacy and security teams can designate which team is responsible for ownership of the controls or control families and identify areas that naturally benefit from collaboration. The collaborative opportunities should naturally break down into a spectrum, as illustrated in the following exhibit:
Exhibit: Interdependence of security and privacy