It is often said that privacy can’t exist without security, but that security can exist without privacy. Although there may be an element of truth in this statement, good security equally relies on good privacy for a 360-degree approach to protecting information.
Security and privacy are both among the key components of digital trust, as identified by ISACA’s State of Digital Trust 2022 survey report. Digital trust is at the intersection of privacy and security. Both concepts together lay a strong foundation for digital trust, along with other elements such as quality, availability, ethics and integrity, transparency and honesty, and resiliency.
Digital trust allows customers and stakeholders to say, “I trust you to do the right thing with my data,” and results in benefits for organizations such as a positive reputation, fewer privacy breaches and fewer cybersecurity incidents, according to the ISACA survey. Trust is built on the confidence that we have in a third party to protect and secure our digital interactions so that they can be relied upon as records of truth in an online world. If an organization cannot instill confidence from its users in the digital realm, then that organization will struggle to create an environment of digital trust.
Gaining digital trust relies on gaining the confidence of users. Confidence in the brick-and-mortar world is usually built over time, but time is not something that we have in the digital world, where interactions are instantaneous and relationships can be fickle. Organizations have one chance to get it right. One wrong interaction can cost you that user, and the friends of friends of that user. Users have high expectations, as they should – they are entrusting you with their personal data.
Building trust requires an organization to demonstrate good privacy and security practices, good data integrity for high reliability, and ethical behavior in all online interactions.
This also calls to mind the CIA (Confidentiality, Integrity and Availability) triad, which focuses on:
- Confidentiality – ensuring data is only available to those with a need to know
- Integrity – ensuring information is complete and accurate
- Availability – ensuring information is available to those who need it when they need it
The Confidentiality and Integrity security concepts are easily translatable into privacy because, in essence, privacy and security are intertwined and share many common concepts. In privacy, we tend to think of Confidentiality and Integrity in the following way:
- Confidentiality – making sure the personal information provided is only used by or shared with those with a need to know and, when not being used, is adequately protected and secured with the appropriate procedural and technological controls, so that those who may want access are blocked, restricted, or prohibited from gaining access and using it in a way that will bring harm – such as personal information being publicly disclosed and/or used in a way that negatively impacts the owner of that data
- Integrity – GDPR Art.4(d) requires that any personal information in your care is accurate and, where necessary, is kept up to date. When sharing data with other parties, the owner of that data has the expectation that when that information is used in processing, it is accurate and a true reflection of the data owner. Maintaining the integrity of the data is the responsibility of the holder, e.g., the controller, and if there are processes in place that can’t maintain data integrity, the negative implications to the owner can be expensive and costly to fix, such as denial or rejection of a service.
In a digital world, trust must be at the core of every interaction, and transparency and openness must be embedded in the system. If you can gain users’ confidence by doing the right thing, you can gain their trust.
So, even if security can live without privacy, digital trust cannot be built without both security and privacy working together.
Copyright 2022 ISACA. All rights reserved. From https://www.isaca.org.
By Yunique Demann, Sr. Director, Privacy Strategic Lead at NTT DATA Services.