Web Conference: Dual Literacy in Privacy and Security — A Guide for Infosec Professionals

Original broadcast date: July 10, 2020

Join us for this web conference where you will learn how business, consumer and regulatory dynamics are driving the convergence of privacy and information security, what privacy knowledge is essential for infosec pros' continued strategic relevance within organizations, and which topics of privacy knowledge are most important for infosec professionals.

Rick Habib, CIPP/US, Director of Programming, IAPP

Caitlin Fennessy, CIPP/US, Research Director, IAPP

Alex Grohmann, CIPT, Principal, Sicher Consulting

ShanShan Pa, CIPP/E, CIPP/US, CIPM, FIP, Head of Compliance, Privacy, U.S., EMEA, Alibaba Cloud

Dana Simberkoff, CIPP/US, Chief Risk, Privacy and Information Security Officer, AvePoint

Find a full transcript of the questions posed during the program along with answers provided by the panelists below.

Participant questions from July 10, 2020 recording:

1. Can you discuss the benefits of privacy professionals expanding their scope and obtaining certifications, such as the CISSP?

ShanShan Pa, CIPP/E, CIPP/US, CIPM, FIP: The CISSP certificate demonstrates a very intensive and in-depth knowledge on information security topics. There is definitely a benefit of obtaining a CISSP certification as a privacy professional. The caveat is that you must make sure you then find the opportunity and also put the learning into practice.

Alex Grohmann, CIPT: Understanding not only security but also the technologies associated with securing privacy data is invaluable to a privacy professional. It will help address the “how” associated with ensuring privacy data can be protected. The CISSP is a very intense certification, especially for someone not in the technology field, much less the security field. Depending on the time and effort, obtaining the CISSP would be a good idea. However, it would most likely take a great deal of time, and there are other options, including CompTIA’s Security+, which is much less demanding.

2. Are there any discussions in the works regarding partnerships with security organizations/certifications to bridge the present gaps between security and privacy professions/worlds?

Pa: There are various works and resources on bridging the two, including the IAPP’s Privacy Engineering Section and the new CIPT guidebook that provides a cohesive view on information technology and privacy.

Grohmann: The Information Systems Security Association and the IAPP are already at work on this very topic. The cross-pollination of thoughts and ideas is already taking place within both of these associations.

Dana Simberkoff, CIPP/US: I have found a number of excellent discussion groups and forums through LinkedIn. Also, I would highly recommend participating in the virtual and in-person conferences managed by RSA. The RSAC APAC conference is actually happening virtually right now and for free!

3. For someone with a first line controls background, do you see more value in the CIPM or CIPT designation? Is one area more saturated? For example, is it harder to get a job building out a privacy program?

Pa: CIPM provides soup-to-nuts knowledge on privacy program management, while CIPT focuses much more on the technology side of privacy. If you are a first line control owner, start with CIPT because it likely helps with the work currently on your plate, and once you are ready to build up or manage the privacy program, CIPM will help you connect all those dots. I don’t see one area as more saturated.

Simberkoff: I agree with ShanShan. I think the CIPM is more geared to understanding the elements of a privacy program and privacy program management and accountability, whereas the CIPT covers the fundamentals and operational mechanics of privacy.

4. I’ve been asked by my organization to take on privacy and security, and I’m quite new to the IAPP. We’re doing what we can to build privacy and security programs from the ground up, but I’d love to see what working programs look like. Where can I go for mentorship? How have our panelists learned to build effective programs?

Pa: Congratulations on your new challenge! Start with an industry framework that will help navigate the path ahead. For example, the CIPM body of knowledge can also serve as the blueprint reference point for you to check the steps and areas that need to be considered when building a privacy program. The IAPP also offers a member directory and different boards that you could reach out to for advice. Rome wasn’t built in a day, and similarly, your privacy program is a continued work in progress that will change and adapt to your organization’s own character.

Grohmann: The Washington, D.C., chapter is starting a series of KnowledgeNet meetings concerning the basics of building a privacy program. The first installment is later this month. Also, reading and understanding NIST’s Privacy Framework is a wonderful foundation for any program.

Simberkoff: I am personally very happy to have anyone reach out to me directly. Please feel free to connect on LinkedIn or the IAPP can share my details. I am a big fan of mentorship, and the IAPP in-person or virtual events are also a great forum for this, as well!

5. What are the new technologies organizations are adopting to enable remote work?

Grohmann: This is a subject for an entire webinar on its own. Remote work will become the norm, if it has not already. There are significant consequences associated with the majority of a company’s workforce accessing data from unsecured locations a majority of the time.

Simberkoff: There are multiple issues around virtual meeting and conferencing technologies, like Microsoft Teams, WebEx, Google, Zoom, etcetera. I agree, this is a big topic. Overall, the cloud and rapid acceleration into the virtual workplace is creating a number of security/privacy concerns. I just participated in a webinar on this topic, and I would be happy to share the link once it’s online.

6. For those of us coming to security from a privacy background, what resources would you recommend to upskill?

Pa: I personally like to read security-related articles, such as Wired, so I have an idea of current events, as well as detailed explanations of the security aspects. The IAPP’s P.S.R. event offers a combined topic of privacy and security, the best of both worlds. Unless your work involves a lot of technical parts, jumping right into the binary world might be a little overwhelming. If you do need to jump in, SANS, ISACA and ISC2 all provide in-depth security training and resources.

If you are not looking for a certificate training book, I’m currently reading “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.” You don’t have to have a tech background to understand it.

Grohmann: Rick Howard is a cybersecurity thought leader. He created “The Cyber Security Canon” in an effort to identify the key books/novels associated with information security.

ISSA is for member content and networking, and ISACA and ISC2 are for educational content.

There are too many conferences to list. Many can be rather expensive, but there are plenty at reasonable rates. YouTube and online educational forums, such as Cybrary and Udemy, are also understandable and offered at very, very reasonable prices.

Simberkoff: Again, I highly recommend the RSA conference. I also took a terrific course through Harvard’s online university that I would very highly recommend. It was a bit of work but paid for itself in spades.

7. How do you see the relationship/potential conflicts between the chief information security officer and data protection officer roles? Would it even be possible in small companies/organizations for one person to serve in both roles?

Pa: There shouldn’t be conflict between the two roles, but I do understand that there are situations in which you have to balance security and privacy; we are seeing a lot of examples during this pandemic. At the end of the day, we must understand and align on what the ultimate objective is—to protect the data and data subject’s rights. It is possible in small companies/organizations for one person to serve both roles if that’s the circumstance. The point is not to create a conflict of interest, as the European Data Protection Board mentions here.

Simberkoff: I am not sure that I would recommend that a CISO be a DPO as I think the DPO needs to be autonomous somewhat from the organization, which the CISO cannot be. However, I think a chief privacy officer and CISO can be one and the same.

8. Is it fair to say that the separation of cybersecurity and privacy will soon become a thing of the past, or is there a reason to keep the present separate entities, particularly with tightening budgets?

Pa: Not necessarily. While both of them are intertwined, security does more than just privacy, and privacy needs the input from other parts of the organization, as well.

Grohmann: There will always need to be specialization associated with privacy, the legal/regulatory requirement side and a security side. It should not necessarily be viewed as a separation, but rather a collaboration of different knowledge bases.

Simberkoff: I don’t think they will merge entirely but will continue to overlap. This makes it incredibly important for cross-functional training and skilling up!

9. The previous diagram showed the overlap between privacy and security, but do you see an overlap between data governance and companies that have chief data officers and CPOs?

Pa: Privacy is focused on the data that is related to personal information, while data governance in each organization might cover a different data scope.