Security and privacy are not interchangeable, and we must have both in order to protect our data and to live up to our obligations as data stewards. So what’s the difference between the two? It’s an important one.
Anthem, Sony Pictures, Target… It seems like we can’t turn around today without bumping into another data breach. Security consumes IT mindshare. We endlessly debate things like firewalls, encryption, and malware detection, and we focus relentlessly on keeping the bad guys out.
So I found it interesting that, when Gartner surveyed nearly 3,000 CIOs for its 2015 CIO Agenda report, security was one of the initiatives that actually dropped as a priority. Yet, two areas that CIOs marked as increasing in priority are arguably two big drivers behind security concerns: cloud computing and mobile.
How is this possible? Is it really that CIOs aren’t concerned about the safety of their data?
The answer, of course, is no. CIOs are not less concerned about data security than they were a year ago. The difference is that, as a whole, the computer industry has solved the issues around security. Sure, we’ll always need to develop stronger defenses, and hackers will always look for routes into our legacy systems. However, the computer industry has developed technologies and, more importantly, business processes for that ongoing problem.
But when it comes to the cloud, it’s a different story entirely.
That’s not to say the industry is hopelessly behind. The cloud gave us a clean slate, security-wise, and we’ve learned what it takes to secure it. Obfuscating the storage of both data and metadata, using encryption wisely, and employing authentication controls are just a few of the things we do to ensure that even if someone somehow got into the organization’s cloud, the data would be scrambled or otherwise meaningless to the bad guys.
If we’ve figured out cloud security, then why are we all still talking about it?
The answer is that we’re not talking about cloud security; we’re actually talking about privacy. The NSA-related issues, the revelations by Edward Snowden, and even, it’s suggested, the Sony Pictures breach: These all highlight privacy issues, not security. The difference is critical, and it’s when we confuse them that we reveal more information than we intended.
Let’s take this out of the virtual world for a moment. Where do we keep most of our important possessions? Usually it is wherever we live, since we keep close to us what matters most: our pets, electronics, rare books, copies of old tax returns, medical documents, etc. We all have many things in our lives. Some would be inconvenient to replace, but the loss of others would be devastating.
So how do we mitigate the risks so this isn’t an issue? One part of the process is identifying the distinction between protecting our privacy and ensuring our data is secure.
Security is the process by which we keep the bad guys out. My house is secured in multiple ways: The yard is fenced; the doors are locked; and if someone tries to go in through a window, three dogs are waiting inside (probably asleep, but let’s not delve too deeply). The whole point of security is to make sure that people I don’t want in my house are unable to get inside, and the steps I can take to make sure that doesn’t happen are almost unending.