I recently helped my son build his first pinewood derby car. He took second place out of a field of ~60 cars. The secret to turning a block of wood, four nails and cheap plastic wheels into a winner is reducing every form of friction the car faces and shifting the weight to the right parts of the car.
One of the dads realized this fact a bit late in the process and asked a fellow dad if he happened to have any graphite (a carbon-based lubricant) with him. The response was “of course I do, I carry it on me at all times…right next to my Chapstick!”
"Friction" in a human and organizational sense is defined as “conflict or animosity caused by a clash of wills, temperaments or opinions.”
The average employee not working in a security, privacy or legal role may hear the terms “privacy,” “security” and “IP/privacy legal” and think they are variations of the same focus with the same desired outcomes. For example, defending a company against the theft of intellectual property and confidential information would intuitively have some overlap with protecting personal information. With that shared goal, everyone should work seamlessly well together, right?
The answer, all too often, is a hesitant and unfortunate “no.”
Many companies experience friction, silos and turf wars between security, privacy and legal departments. Friction creates drag. Drag slows progress. Lack of progress reduces a company’s ability to successfully manage collective risks.
Tim Sewell (CTO/Co-founder of Reveal Risk) and I were reflecting on personal experiences and observations of these issues across different companies, and decided to analyze what was going on so we could help colleagues and clients create win:win:win outcomes between these functions. Our usual approaches to further research this seemingly common problem turned up virtually no articles or blog posts on the topic. We suspected the root causes and potential solutions were likely hidden amongst people/politics, culture, fear and legacy thinking.
Not to be deterred and wanting to get to the root of the issue, I went to my network to enlist respected experts and crowdsource contributions to the analysis and solutions. I am grateful to have had over 15 volunteers raise their virtual hands to contribute. In a testament to the complexity of these issues, many asked to remain anonymous because of current situations and relationships but shared their input by role and industry.
Problem 1: Communication/understanding/engagement
Poor communication, understanding and engagement between functions around tools, processes and practices within cyber security can lead to surprises, disagreements, improper evidence handling, broken attorney-client privilege and project delays.
Analysis: Lack of engagement, transparency and partnership were common symptoms shared by almost everyone I talked with. Potential root causes were found to be:
- Lack of cross training, education and understanding other perspectives. A chief privacy officer (CPO)/attorney from a large telecom company said, “Information security and privacy functional roles in corporations have evolved separately over the years. The need for symbiosis across these roles is clear, but often these teams at corporations do not place an emphasis on cross-learning to solve these disconnects in goals and perspectives.”
- Lack of engagement at the right time, or insufficient resources to engage, causing clashes when a lack of alignment or direction is discovered. Emotions can get in the way of listening and understanding on both sides when the “wait…what are you doing?” moment hits. Matthew Berger, a privacy and cybersecurity attorney, commented that “Traditionally speaking, privacy is viewed as a roadblock. A hindrance to development, profits and growth, and privacy compliance is viewed as a paper exercise. Good privacy professionals get involved at the beginning of the development process and prevent these roadblocks before time is spent designing and building a risk-laden product or process.”
Recommendation: Be a valued and invested partner. Seek to understand the other disciplines (at least enough to speak the same language) and build empathy towards their different perspective. As the large telecom CPO recommends, “Privacy professionals should pursue training and even certification in information security frameworks, and information security professionals should pursue training and even certification in privacy and legal fundamentals.”
A senior security and privacy leader in the automotive industry shares three of his successful tips on building partnership and trust:
- Be the person that reaches out. I am in one of our legal offices almost every day. I stop in for non-immediate chats, asking how I can help and attempting to make things easier. For instance, any contract review I am asked to do I return within 24 hours. This way I am viewed as an ally, particularly as I see every contract (customer/vendor) to review security/privacy provisions.
- Mentor as possible. I have trained legal folks to be Privacy Officers. The more I help them the easier it is when I need something quick.
- Bring food. I have brought legal folks cookies/candy on a regular basis (at least 1-2 times a week). Better to see someone that brings food than a problem.
Problem 2: Technology confusion/lack of understanding
Concerns about cybersecurity methods, tools and enabled features/functionality came up as a frequent source of conflict.
Analysis: A relative newcomer to the table, cybersecurity brings with it a host of advanced capabilities with potential privacy and legal concerns. A common example is “full packet capture” technologies that inspect encrypted network traffic. Intended to thwart malicious insiders and malware, these tools carry significant ethical and legal considerations. While the cyber security team’s intent may be to detect malicious code, privacy and legal professionals are concerned about misuse of the technology and its ability to “spy” on employees or inspect their personal files.
Lack of understanding about the details and nuances of a specific technology and its use cases leads to misalignment and to alarms being raised (sometimes a false alarm, sometimes a valid concern). Potential root causes were:
- Inability to effectively communicate controls, technology and process between security, legal and privacy personnel creates over-inflated concerns and stalemates. Sharing too much detail or not enough can both have negative effects. Additionally, many terms in cyber security stem from the military and intelligence communities and sound, well… kind of scary. As an example, terms like “SSL interception” or “breaking encryption” without context sound like “we are going to use evil hacker tools to bust into encrypted documents and have some guys in a room looking at all of the file details to see what the people who work here are doing.” The framing, facts and controls must be surfaced in conversations to avoid confusion and alarm.
- Steve Snyder, of Bradley’s Cybersecurity and Privacy Practice Group, said, “There is a lack of common vernacular to discuss cyber risk. IT/tech folks have one view of evaluating tech and managing projects; legal has a framework for discussions; business people have a different type of project management, etc. And while there are undoubtedly times when they have to come together on other projects, when it comes to the highly technical subject matter of cyber risk the differences seem more apparent in terms of how the problem is described, evaluated and how proposed solutions are described. I think one thing that helps is an advisor that has bridged those gaps in the past, which means typically someone external who has helped comparable entities harmonize their various stakeholders to communicate and understand the problem.”
Recommendation: Teams must communicate earlier and in simple terms to ensure they stay aligned. Use precise, controlled language to avoid invoking fears of “big brother,” and describe the technology and its use cases in the context of the controls in place to prevent abuse. The phrases “security by design” and “privacy by design” really ring true here. While this seems easy, many never get past this step because they trip up on language while trying to move too quickly.
Problem 3: Documentation/compliance focus vs operational outcomes
Friction can be caused by efforts to get the “documentation right” (both what to put in writing and what NOT to) vs. driving operational outcomes.
Analysis: There is a healthy balance between “a free-for-all with no documentation or compliance efforts” and “drowning in a sea of bureaucracy and paper pushing and not moving anything forward.” Most companies fall somewhere in the middle of these extremes but skew one direction or another.
An automotive industry security and privacy leader shared, “Realistically, some of the biggest issues have to do with operational vs. policy or ‘redline’ focus. The practitioner or operational focus involves getting work completed. Whereas the ‘redline’ focus is driven towards a very narrow reading of the law, policy or standard. The redline focus is to perfect every little detail with limited sense of urgency or care if/how the actual task needs to be done…Unfortunately, it is difficult to find operational folks with deep policy/legal expertise and it is difficult to find operationally focused risk/legal resources. So, there is ongoing friction.”
A senior privacy leader in the airline industry shared, “The role of legal is frequently misconstrued as a company’s policing authority rather than being advisory in nature. In-house counsel is often asked for ‘approval’ or ‘blessing’ which is not the role, especially when the rules are not always bright line and guidance shifts based upon different factors. The role of legal is to provide legal analysis, surface the risks and provide recommendations to the business. The risks may often be accepted by the business through a mature risk acceptance process. This misconception is further emphasized when the general counsel role (advisor) is held by the same person as the chief compliance officer (enforcer).”
Recommendation: Beyond active partnering and understanding each other’s perspectives (the recommendations for Problems 1 and 2), companies need to define clear responsibilities for each group. Compliance-related functions need a stated and practiced objective of making compliance as easy and natural as possible. Operational functions need to determine how to better leverage their more compliance-focused partners to drive process improvement and real controls (not paper improvements).
Problem 4: Lack of process fundamentals
Without clearly defined processes (with RACIs: responsible, accountable, consulted, informed) there is confusion about how things work and who should be involved, leading to conflict, misunderstandings and surprises.
Analysis: Effective, well-defined processes replace the chaos of unstructured processes and programs. When a company lacks these fundamental processes, more advanced efforts are hamstrung and destined to fail. One key component of any good process is decision rights. There will always be situations where there are disagreements or conflict
A senior privacy leader in the airline industry shared that “I’ve often experienced confusion between what security and privacy teams are responsible for (including when dealing with security colleagues). One recent example includes managing and providing direction, standards or policy on IT controls. I’ve frequently seen common controls that are simply missed within the scope of security policies and programs (logging standards, access controls, asset management, audit ready documentation). If basic good IT practices that support privacy and security are not being managed, it makes privacy and security by design impossible. It also makes it interesting to explain to an auditor why data management activities are not demonstrable when foundational asset management and asset controls cannot be confirmed.”
She also shared concerns about resourcing and breadth of ownership/coverage: “Another huge challenge is that most organizations are still relying upon a single privacy role to ‘manage’ an enterprise privacy program. This is not scalable when you have that privacy person supporting a large organization with multiple stakeholder teams (IT, ecommerce team, security, risk, marketing, HR, etc.). This program of one usually lacks sufficient budget to be operationally effective.”
Steve Snyder shared that there can be a “lack of attention to the problem due to lack of resources coupled with clear understanding of the problem. Typically, at small and medium sized businesses, IT is heavily utilized, probably understaffed on just supporting operations. They implement the solutions and practices but have no time to document or communicate them with anyone. The rest of the company is in the dark on the info sec side because it is not an operational issue that is in front of them all the time. I’ve seen this problem solved primarily by having a rigorous review, again, most often by a third party. By forcing an assessment, it forces the business to stop and take stock of what’s going on and gets people to focus on the issue instead of just looking at what directly drives the bottom line.”