Posts

Showing posts from October, 2019

Privacy awareness update

Privacy is deeper, broader and more complex than it might appear, blending personal, organizational and societal issues. Privacy means different things to different people. Privacy and information security have a lot in common but each goes further. Personal information is both sensitive and valuable, hence the associated information risks deserve to be identified, evaluated and treated in the same manner as other information risks. Compliance with privacy laws and regulations such as GDPR should be a non-issue if the organization takes privacy seriously. However, there are specific obligations that need to be identified and satisfied. From an individual's perspective, privacy is mostly about people retaining control over their own personal information (e.g. being able to restrict its use and onward disclosure). From the organizational perspective, personal information is acquired, processed and exploited for various business purposes - hopefully with...

Transparency and oversight

Along with increasing legal and regulatory compliance pressures on organizations to implement appropriate privacy controls, popular awareness of the issues appears to be on the up, with commercial implications for organizations. Global IT megacorps such as Facebook, Microsoft, Apple and Google are particularly exposed to public criticism simply because they are household names ... but that's not to say they are powerless, far from it. Contrast Apple's handling of the FBI iPhone security incident against Facebook's handling of the Cambridge Analytica scandal, plus other privacy incidents. All the megacorps have to take their own cybersecurity seriously simply because they are such massive targets facing business-critical information risks: it's literally an existential issue. They are also forced to comply with various laws and regulations, for the same reasons as any other organization - to avoid potentially huge punitive fines and other substantial costs arising from...

The business case for privacy

This week I'm slugging away at the coal face to complete the management materials for November's privacy awareness module - an update on our previous coverage to reflect current issues, recent incidents and so forth. As always, we'll be providing a set of goodies specifically aimed at management from which customers can pick and choose to suit their purposes:

1. Diagrams for privacy - the topic in pictures
2. Management seminar on privacy - see below
3. Board agenda on privacy compliance - I blogged about this on Friday
4. Elevator pitch on privacy - sums up the key points in about 150 carefully-chosen words
5. Model policy on privacy compliance - a template to customize
6. Model policy on privacy inquiries, complaints & incidents - another policy template
7. ...

A universal awareness device

Since the very beginning of our security awareness services back in 2003, one of our regular monthly deliverables has been a "board agenda" - a security awareness item aimed at informing and engaging the most senior managers in an organization. At that stratospheric level, awareness materials need to be both succinct and relevant to stand any hope of being used. Senior managers are extremely busy people. The board agendas are each just one side of paper if printed, as is usually the case for board papers in their briefing packs. We deliberately avoid jargon and lengthy explanation on the basis that the audience is both busy and competent: generally highly experienced and quick-witted people keen to get straight down to business. The audience isn't expected to know everything, but hopefully they can rely on the support of their trusted networks of peers and direct reports, plus of course the remaining security awareness content provided. Oh, and Google, naturally. We'd lo...

Managing privacy compliance risks

This week I'm exploring the compliance aspects of privacy for November's security awareness and training module, hunting down information about the meaty fines meted out for privacy incidents breaching GDPR, for starters. According to what I've read so far, the regulators determine GDPR fines by considering ten specific factors, most of which a proactive management has the capability to control. Management can therefore (to some extent) influence the GDPR penalty part of the business impact of privacy breaches. The speed of response when notified of a breach, for example, is largely determined by the incident management activities. Incident response can be designed and operated to be more efficient and effective, for instance through sensible policies and procedures, coupled with awareness, training and exercises, plus other aspects such as clear roles and responsibilities and slick incident reporting, escalation and official notification mechanisms. If the organization i...

2020 vision

Over the weekend, I wrote about CISOs and ISMs preparing cunning strategies and requesting budgets/proposing investments. During the remainder of 2019, we will be treated/subjected to a number of predictions about what's in store for information security in the year ahead, thanks to a preponderance of Mystic Megs with unsupervised access to the Interweb, gazing wistfully into their crystal balls and pontificating. As with horoscopes in the tabloid rags, some of their predix will be right on the button by sheer chance, in the sense that, given an ample sufficiency of poo to throw at the wall, some of it will stick. A few more informed pundits, however, will be chucking stickier poo thanks to their experience and insight. Trouble is, how are we to distinguish the insightful few with sticky poo from the manifold plain or polished poo propellants? Years ago, the solution involved tracking or looking back at prior predictions to assess how accurate the pundits were ... altho...

A dozen infosec strategies (amended x2)

This Sunday morning, further to my tips on planning for 2020, prompted by "5 disruptive trends transforming cybersecurity" and fueled by some fine Colombian (coffee, not coke!), I've been contemplating information risk and security strategies. Here's a dozen generic strategic approaches to consider: Use risk to drive security. Instead of vainly hoping to address every risk, hammer the biggest ones, tap at the middling ones and let the little'uns fend for themselves (relying on general purpose controls such as incident and business continuity management, resilience etc.). 'Hammer the biggest' means going the extra mile for 'key' or 'critical' controls addressing 'key' or 'major' or 'bet the farm' risks, and implies substantial effort to identify, understand and evaluate the risks, as well as actually dealing with them. Make security processes as slick as possible, using automation, simplicity, repeatability etc. ...

Tips on planning for 2020

The Security Executive Council is a consultancy specializing in physical security for commercial organizations. Their latest newsletter led me to a nice little piece about business cases, including this: Brad Brekke, SEC emeritus faculty and former Vice President of Assets Protection and Corporate Security for Target Corporation, emphasizes that the business case must be built upon a deep understanding of the business and security's role and strategy within it. "I'd recommend you conduct this exercise: Study your business. Know how it operates, how it makes money, how it's set up, what its strategy is – for instance, is it a growth strategy, an expense-driven strategy, a service-driven strategy. Know the culture and risk tolerance of your organization and know the voice of its customer," says Brekke. That approach makes sense for any substantial strategy, change or investment proposal. All organizations exist to achieve [business] objectives, so being clear ab...