
The Privacy Advisor | Live from the IAPP: Privacy and Security Meeting of the Minds


There was a time in the not-so-distant past when the intersection of privacy and security was not the focus of discussions around mitigating risk. After all, the privacy profession itself is young, and the cacophony of new technologies, data-gathering websites, uses for big data and threats to security that are the stuff of daily headlines today were beyond the horizon of public perception and common organizational concerns even just 15 years ago.

That’s all changed, and privacy and security practitioners are quickly recognizing the need to understand each other and work together.

Later this month, when the IAPP and Cloud Security Alliance bring P. S. R.—Privacy. Security. Risk.—to Las Vegas, NV, providing space for those discussions and an opportunity for education is exactly what will happen.

But what do seasoned privacy and security pros think about all this? The Privacy Advisor connected recently with Navigate’s Chris Zoladz, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, AvePoint’s Dana Simberkoff, CIPP/US, (see sidebar), and Return Path’s Dennis Dayman, CIPP/E, CIPP/US, CIPT, who shared their insights.

As Dayman put it, “Every day, we create 2.5 quintillion bytes of data—so much that 90 percent of the data in the world today has been created in the last two years alone, and most of that is now in electronic form. So for us, it is information security that takes the leading role in understanding the privacy requirements and establishing the security measures that will enable any company to comply with the privacy requirements of clients, partnership agreements, internal policies and governments.” 

And that increased amount of data that companies possess translates to “a profound responsibility to protect their customer’s data and ensure their privacy rights, use the data appropriately and ensure that their actions don’t inadvertently compromise their customer’s actions or wants despite their perceived best intentions. Data is power, but it is also a massive responsibility,” he added.

Dayman and Zoladz weighed in on specific questions about privacy and security, and what they expect privacy pros will take away from P. S. R.

The Privacy Advisor: Why is it so critical to consider both privacy and security in your work as a privacy professional?

Dayman: Not all security measures protect data, and not all privacy depends on security practices and technology. However, there can’t really be much privacy without great security, so I have to know how to balance the needs vs. the wants both in security and privacy and at the same time keep a business running without becoming the CRK (Chief Revenue Killer). We all know that the privacy and security practitioners don’t seem to agree on what constitutes privacy and what constitutes security. Customers expect companies to protect their information and keep their dealings confidential; they rarely care whether that protection is the responsibility of privacy or security experts. They just want to know their information is safe.

Zoladz: It is often said that you cannot have privacy without security, and it is true. Based on my personal experience leading a privacy program at a large multinational and subsequently consulting with numerous organizations, the security team is an invaluable resource for holistically understanding internal and vendor risk, identifying options to properly secure the exchange of personal data with business partners, preventing electronic data leakage and other elements that are important to privacy. 

The Privacy Advisor: Was there a particular take-away from last year’s IAPP Academy/CSA Congress that still resonates with you as we gear up for P. S. R.?

Dayman: I know from experience that last year’s conference helped open the channels between privacy and security and helped make a stronger bond than we’ve ever seen in this industry as a whole. In fact, the timing of the IAPP Academy/CSA Congress last year was perfect, since data breaches had already dominated headlines in the first half of 2014. This time last year, a staggering 43 percent of companies had experienced a data breach with a total exposure of more than 10 million personal records. So, fate can be twisted at times and sort of “forced” the security and privacy people together last year even though they hadn’t understood the ramifications of the breaches to them and their teams.

This year, the message for us at P. S. R. will be no different: There is no us vs. them with security and privacy. We must work as a team if we want to reduce the number of breaches and impacts to consumers and those who trust us with their data. I’m taking away from this year the same take-away I got last year, and that is make friends and work together. This has to be done as a team.

Zoladz: I was particularly impressed with the active participation and engagement by security professionals in privacy-related sessions. To me, this was evidence that security professionals are increasingly focusing on the interdependencies between security and privacy. Similarly, it was impressive to see privacy professionals immerse in security topics and conversation. It is this type of collaboration that makes each discipline stronger and better positioned to add value to the organizations in which they work.

The Privacy Advisor: What makes P. S. R. the conference to attend for privacy pros to immerse in privacy and security knowledge and networking opportunities?

Dayman: I think many privacy people fear the IT aspect of security. It is frequently argued that privacy is a legal matter and information security is an IT matter. But in today’s environment, these two statements are far from true: Both domains are business matters with strategic significance. P. S. R. will allow privacy professionals to immerse themselves into the world of security and IT and not fear it. It’s a “safe place,” as we might joke with the term a bit, but we all have the same goals in mind to make our companies the most successful they can be and not end up in the negative spotlight.

Zoladz: This is the premier event for privacy professionals and has been made even better over the past two years by partnering with the CSA security community. Instead of attending two or more separate conferences, attendees can get it all at one conference.

The Privacy Advisor: What are you most looking forward to at P. S. R.?

Dayman: Oh that is simple: the networking. I love to meet my friends who all attend IAPP conferences but, at the same time, make new ones. These are friends that I’m also able to bounce ideas off of as well or ask the “how did you handle this?” questions. The IAPP community is a diverse one—different people, different backgrounds and experience, different products and services. It allows me to hear different perspectives and see things I may not have before or applied to my thinking. I always look forward to the opening of the sponsors’ area for drinks the first night. I have the opportunity to go find my IAPP brethren (some I met on the road at one time when Trevor used to do the traveling EU roadshow many years back—HINT HINT!). I also get to reconnect with the IAPP staff that I’ve become very good friends with—those that keep us all informed when we aren’t at a show together. I look forward to getting back to my office after and sending out so many new nice-to-have-met-you emails as well.

Zoladz: Everything. The sessions, networking and social events are a great combination of education, meeting new privacy and security colleagues and reconnecting with existing friends, colleagues and clients. And, it’s Vegas, baby!

photo credit: Effraction via photopin (license)

On the Intersection of Privacy and IT

By Dana Simberkoff, CIPP/US

There are many factors that go into the determination of an organization’s privacy program and privacy policies, including statutory and regulatory requirements, company or organizational best practices and market demands. But regardless of the source of the mandate, all organizations should carefully consider whether the policies they are building are technically enforceable.

Creating a policy without any mechanism to measure and monitor compliance with that policy is somewhat like setting a curfew for a teenager and then going away for the weekend. How do we know, as privacy professionals, if people will live up to our expectations? How do we know if those expectations are even reasonable? In order to build an effective privacy policy, we must not only have an understanding of the legal and statutory requirements that will shape the policy within our organizations, but we also must understand how these policies relate to the business practices, people and technologies within our organizations. The center or “pivot point” of that strategy should be the data that you hold.

This means that privacy officers must closely align not only with their security counterparts, but also with their IT counterparts. For privacy officers, often fluent in the language of the law, it is important to understand the limitations and possibilities available to their company through technology.

Here are some simple best practices:

  • Set enforceable policies. In the absence of education or experience, people naturally make poor privacy and security decisions with technology. This means that systems need to be easy to use securely and difficult to use insecurely. This is a critical point and probably one of the single largest opportunities for privacy and security programs to be revamped.
  • Make it easier for your end users to do the right thing than the wrong thing. Create policies, rules and IT controls that make sense and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use. Don’t set up policies that are so cumbersome and restrictive that your employees are pushed to private cloud options to be able to do their jobs effectively. At the end of the day, your employees will do what they need to do to get their jobs done. Join them in making it simple to use the systems you can control.
  • Trust and verify. Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so. Using a combined or “layered” approach to data classification can ensure that the policies, training and tools you are providing are being properly understood and integrated into the day-to-day tasks of your workforce. Evaluate user-based versus automated controls.
  • Measure, report and monitor. That which is not measured cannot be improved. Don’t have a policy that sits on a shelf; policies should be living, breathing documents that reflect and direct the flow of your business. Privacy and security should not be seen as blockers to productivity but rather as enablers of the business. Your reporting not only can help you build a better security program, but it also can help you demonstrate the return on investment for your program.