The importance of a governance model upholding privacy and security
Building blocks of a cybersecurity framework to enable a privacy-first organization
A practical outlook on security governance and frameworks
Any discussion of security ought to start by defining what needs protecting. Just as heavy industry builds a safety-first culture to protect a person's physical well-being, so too can digital organizations establish a privacy-first approach to protect a person's sensitive data.
Many people associate the terms governance and framework with large corporations and overbearing bureaucracy. In a more practical, everyday sense they simply mean structure, guidance, and following proven practice. The British theorist Stafford Beer defined cybernetics as "the science of effective organization" – and effective organization is also key to defining, implementing, and continuously validating the security measures that underpin privacy.
Mission statement of the information security department as a support function in a digital organization
The information security department’s primary goal is to support objectives for privacy and security, as determined by the senior management of the organization. This goal can be achieved through:
A practical governance model driven by the vision, strategy, and overall objectives of the organization, set in a top-down manner, rather than by abstract security requirements defined ad hoc in a bottom-up approach.
The development and implementation of guidelines, policies, and practices that form a security framework, including continuous assessment and adjustment for effectiveness.
While the information security department can establish the governance model and framework, maintaining privacy objectives through a combination of security measures is best achieved as a cross-functional process. The priorities are set by the organization; however, all objectives, measures, and processes must be aligned with external requirements.
These external requirements should include legal and regulatory directives, and industry standards the organization chooses to implement. In the case of Data4Life, this external security standard is the BSI IT-Grundschutz: the IT baseline protection as defined and certified by the German Federal Office for Information Security.
In summary, the information security team is expected to deliver on its mission statement and will guide the rest of the company by organizing itself around these three pillars:
Four building blocks for achieving privacy and security objectives
With the organizational principles laid down and the three pillars in place, Data4Life defined four high-level building blocks to achieve the objectives set by senior management:
Privacy first: Leveraging GDPR requirements as mandatory building blocks rather than treating this landmark EU regulation as a checklist exercise. Privacy-by-design means exactly that – considering the protection of personal data (personally identifiable information, PII) right at the outset, when a product or process is designed, not after the fact.
Security culture: Security woven into the fabric of the company culture. Colleagues across the organization recognize security as a shared responsibility.
Central support function: The information security department is one central function supporting all departments and teams in designing and implementing controls to uphold privacy and security.
Enforcement and validation: The information security department enforces and validates privacy and security controls through the security framework. The department also monitors the company’s products and infrastructure to detect and address anomalies and deviations.
Transparency and communication: the keys to successful execution
The information security team should be fully transparent regarding the structure and approach outlined here. In return, they need the same openness and transparency from the rest of the organization. This way, they can track the key assets that need protecting (as defined by management in line with the objectives), and assess risks, evaluate threats, and detect vulnerabilities for those assets in a timely manner.
To do this efficiently, all members of the department need to be well versed in communicating security requirements to other teams. Security professionals should also be prepared to engage with – and to be engaged by – other colleagues across the company to assist them in interpreting and executing the requirements, thus making security culture a daily reality, rather than a slogan.
No company has unlimited resources: achieving and maintaining privacy and security objectives will forever be a balancing act. This is a continuous task, one that needs long-term commitment and ongoing re-evaluation of priorities. To "create equilibrium in a world of constraints and possibilities" (philosopher Ernst von Glasersfeld), an approach built on a governance model and an appropriate framework is essential to upholding effective security measures in a privacy-first organization.