In Part 1 of this two-part blog ‘series’, I played the part of a security expert (which I do most days), and examined how privacy is changing the face of the security industry.
In Part 2, I have enlisted the help of a lawyer, data protection and contracts expert, who is basically to blame for me getting into this ‘privacy stuff’ in the first place. She also happens to be my sister, Angela Boswell.
In her learned (and earned!) opinion…
It seems a long time ago now that being in almost daily contact with the InfoSec team became the norm in my role as a legal advisor on privacy.
From the beginning, it was obvious that we had broadly the same goal – to protect the organisation from harm – which might be loss of reputation, regulatory action, potential contractual liability and so on. However, we certainly didn’t always have the same priorities – think “not getting in trouble with any regulatory authorities” versus “preserving Infosec’s or R&D’s budgets”. In many cases, legal advisors may need to persuade other teams to spend their budget on meeting new (or even old) regulatory requirements instead of product development or efficiency tools.
Of course, the two worlds have always been driven by different forces: lawyers think in concepts, often framed in hypothetical scenarios, and always consider the need to avoid risk or litigation at all costs. Security people have to find practical solutions which will work in the real world. Oh, and they have to be affordable too. It has often seemed that the two are not compatible.
In a lot of ways I have been fortunate (well, in hindsight I have) in that developing a cooperative approach has been largely guided by the market. Being in sales-driven, service-provider organisations, our customers forced that closer alignment. Deals would not get done on legal promises alone; Infosec also had to deliver proof to our prospects that we were to be trusted. Suddenly, a top-down commitment to privacy became marketable and there was a commercial imperative to legal/infosec cooperation. Privacy-by-design, vendor due diligence, all that stuff that sounded great before became very real.
It would be fair to say that in the bad old days Infosec could be distrustful of legal; they might continually ask for advice as to whether their systems/products/processes are compliant but never get a straight answer – all they might get would be long-winded descriptions of all the things that have to be considered and all the various possible outcomes, with no commitment to any particular course of action – essentially ‘It depends’. On the other hand, the legal advisor knows that a simple ‘yes’ or ‘no’ to the question of compliance means that as an organisation you are approaching the matter of privacy in the wrong way. In general, privacy legislation is built around principles; it’s not a standard, and if you have made a call based on evidence but got it wrong, it’s far less serious than making no judgement at all. The decision-making process is almost more important than the final decision, which is alien to the goal-based thinking of your typical IT security practitioner.
So, if “Is this compliant?” is the wrong question from Infosec, and “It depends” is the wrong answer from Legal, what is the way forward?
Understanding the needs and motivation of your could-be allies. Ideally an organisation will have a Compliance department whose purpose it is to evaluate risk and translate requirements into policies, standards, and procedures. But many do not, so legal advisors and security experts need to find that common ground.
What security people need is clear guidance; they are unlikely to be fascinated by the nuances of the law or impressed by any mental gymnastics that a lawyer thinks they have performed in order to make sense of the regulations. Infosec want to know what they can do about it so that they can move on to the next twenty projects that have been put on hold until the latest ‘compliance’ issue has been sorted out.
In the worst cases, that security team may come to believe that the lawyers are not adding anything useful or relevant to the conversation.
Infosec need to trust that lawyers are not:
- overplaying the risks – if anyone tells you that a security breach for any reason, or a wrong decision made in good faith, could land you with a 4% fine, either they don’t understand the risk-based model of privacy law themselves or they are selling something – either way your alarm bells should be ringing like mad; and/or
- living in ivory towers where everything is expected and demanded even if it is not actually possible or reasonable. Don’t forget the concept of “appropriate” security and that you are allowed to factor into the risk equation such things as likelihood of harm and the cost of implementation.
On the other side of the coin, the legal team need to be able to trust that security folks are not:
- overplaying the cost/difficulty of solutions; and/or
- downplaying the possibility of potentially harmful situations or hiding anything that the lawyers need to know.
It’s said that necessity is the mother of invention, and this can certainly be the case: the need to progress can be the driver of creativity – not the creativity to bypass regulations (please, no!), but the creativity to find ways to meet the requirements whilst still maintaining a competitive edge or staying within sensible budgets.
This solution requires movement from both sides, and more than that it requires mutual understanding. So how do we reach these sunlit uplands?
Firstly, both sides need to be prepared to develop an understanding of the needs of the other side – not to just assume that every spanner is aimed at your works, but to realise that there are necessary considerations which might not be your own, but which are still of crucial importance to the wider picture. Ask questions; don’t assume you already know the answers, because then you never learn anything. Do your own research first, and come to the table knowing at least something, but then let your counterpart show you what they know and pay attention. Only by understanding what your colleagues are talking about will you be able to cooperate effectively. It seems obvious, but you’d be surprised how often this falls down (or maybe you wouldn’t).
Secondly, get comfortable with the grey areas – and that goes for lawyers too. We know that security folks want clear answers, but your very risk-averse lawyer will feel that any wrong decision is a failure on their part (and so might their bosses/CEOs/clients), and we have all met the ones who want an entirely risk-free solution. The only way to avoid all risk is to close up shop and go home.
It won’t happen overnight, and trust takes time, but you know when you’ve got it right, and believe me, as a lawyer, there’s nothing better than being able to tell your Infosec or product development colleague or client: actually, you don’t have to go to such extremes; X (a less onerous control) would be justifiable given the cost versus the risk here.
And that’s music to everyone’s ears.