Security alert: Why compliance and privacy matter

One bit of IT security dogma that’s gone unquestioned over the years is the notion that every technology belongs to one of three pillars: confidentiality, integrity, and availability, also known by the abbreviation CIA. Traditionally, a security team is doing its job if it manages to protect the technologies that fall into those three buckets.

For more than 20 years, I’ve been unsuccessful in completely breaking the CIA model. However, I think two new pillars are strong enough to warrant expanding CIA: compliance and privacy. These concepts are now important enough that if you miss covering them, you aren’t providing comprehensive security to the users or assets you’re assigned to protect. Adding a “C” and “P” to “CIA” doesn’t make for a particularly snappy anagram, unfortunately. CIACP? How about PIC²A? No, I didn’t think so. Even though it doesn’t spell a word, we should continue.

[ Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

Many Fortune 500 companies already have chief compliance officers and chief privacy officers. That’s telling. These companies obviously determined that one or both of these issues were getting insufficient attention though the existing CIO or CISO structure. To be fair, those are already full-time jobs without absorbing the responsibilities associated with ensuring compliance and privacy. The fact that compliance and privacy laws, regulations, and requirements differ from country to country makes them tough to manage.

First, let’s look at the three pillars of CIA. Confidentiality covers such technologies as access controls, encryption, authentication, authorization, firewalls, and any other technology that prevents unauthorized users from viewing protected content. Integrity encompasses technologies that ensure that content cannot be changed in an unauthorized manner without being detected, including digital signatures, hash algorithms, and public key cryptography. Availability comprises techniques that assure that content is readily accessible to authorized users when needed. Technologies here include fault tolerance, backup power supplies, redundant servers, disaster recovery, RAID storage, and anti-DDoS technologies.

Compliance warrants inclusion in the CIA model in that it’s top of mind at so many organizations. In fact, every company for whom I do a risk assessment is more concerned with compliance than with security. There’s a big difference between security and compliance. For example, compliance with a regulatory password policy might require that passwords be complex and at least 6 characters long. But if I were to recommend that passwords be noncomplex and a minimum of 15 characters (that is, passwords that are orders of magnitude stronger), the organization would have a more secure password policy, but not a compliant one. In nearly every case, compliance wins.

I can’t blame IT departments for choosing compliance over security. It’s great to have both, but your paycheck (and job security) will be determined by the former before the latter. After all, every company that gets hacked can always tell shareholders, “We were fully compliant with all existing regulations” and thus escape some scrutiny and legal blame. But if you were to opt to be more secure at the expense of compliance, your company would likely face a shareholder lawsuit — even for the same hacking incident. Don’t you love how the world works?

In addition to compliance, security professionals now must consider privacy at all times. All websites must now declare how much personal information they record and share. This poses a serious challenge for organizations like Facebook. Nearly everyone loves and uses the social-networking site, though Facebook continually steps on users’ privacy toes as the company tries to maximize profit. A lot of writers dog Facebook for that, but the company has to make a profit to pay the bills. I’m not saying every decision Facebook makes is perfect; some of them I certainly don’t agree with. But even the coolest, most usable sites are struggling with what privacy means. The fact that rules are different from country to country doesn’t make the balancing act any easier.

Speaking to the topic of the consumerization of IT and allowing employees to use their own computing devices, one Fortune 100 CIO said to me, “I’ve got the security issues handled; it’s the privacy issues that keep me up at night.”

The challenge here is that if IT manages employee devices to ensure acceptable security, but in doing so discovers personal information, all sorts of privacy laws automatically apply. Neither the organization nor the affected employees may be aware of the privacy violation. Perhaps it isn’t even considered a privacy violation in some countries. If management isn’t aware of the privacy violation — that is, none of the technical people involved are aware or didn’t notify them — how hard can we come down on management?

For all of these reasons, I think it’s time CIA morphed into CIA+CP, PIC²A, or whatever. Both topics are important enough that they need to be recognized and analyzed on their own.

This story, “Security alert: Why compliance and privacy matter,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.