When discussing privacy or security roles, some people describe information security professionals as purely technical security experts and not as capable privacy professionals, as if the two roles were completely independent and knowledge in one area were of no use in the other. A more precise answer to the question of whether privacy and security roles are intertwined may depend on the organization’s mindset and on the role objectives defined in the job description, but in general we cannot have privacy without security, or security without privacy.
Although there is nothing wrong with being labeled a privacy professional when engaged in an information security role, or a security professional when engaged in a privacy role, this practice of fully separating the two functions somewhat puzzles me, especially when it comes from people who are experienced enough to know not only the differences and similarities between the two roles but also the scope of the information security function, which continues to be the subject of daily debate in professional forums. In fact, the roles of privacy and security professionals are so intertwined that one cannot exist without the other. I’ll go one step further and suggest that privacy is a control objective of the information security function. Personal information is just another information asset that companies must protect, to a greater or lesser degree depending on the industries they operate in and the regulations that apply to them.
Privacy, in general terms, is the act of protecting an individual’s personal information and sharing it only with authorized parties, while giving the data owner information and choices about how the personal data is used and protected. Security is the act of protecting all information, including personal information, at all times, in accordance with prescribed access and distribution rules. Notice I said at all times: protecting personal information is not limited to the flow of data within information systems but also covers information handled in all areas of operations outside those systems (for example, printed records and in-person handling of data). This expansion of the information security scope beyond the systems themselves may be somewhat new, and it has been emphasized since privacy became a bigger issue. Keeping privacy in mind while securing information implies that privacy can be an objective of the information security function in certain industries.
Although privacy requirements can be determined by a group separate from the information security group, the two groups are still interdependent and must understand each other’s roles to accomplish the shared goal of keeping personal information private. Privacy professionals are in general concerned with who is entitled to access the private information of the organization’s consumers and employees in the course of business, and security professionals implement the solutions that achieve those privacy goals. We have to remember that privacy requires both operational and technical security solutions, and although some security professionals focus solely on the technical solutions, information security is, and should be, an organization-wide function. That being said, the technical and operational roles may be segregated for a variety of reasons, such as focus of expertise and compliance requirements; however, the roles remain very much interdependent and may be consolidated if the necessary expertise exists.
If we consider the collective objective of information security and privacy to be limiting information access to authorized parties only, then both privacy and security roles are also concerned with protecting information throughout the organization, inside and outside the information systems. Most privacy professionals have adequate knowledge of legal requirements, security best practices and risk assessment techniques, as well as experience running training and awareness campaigns. Although they may not know how to configure a system’s security features, they do understand general security practices. This brings us to the next question: should an information security professional be able to configure systems, or rather be a strategist and risk thinker? My opinion is that if we consider the role of an enterprise information security professional to include the security of systems and related information and the privacy of personal information, then the configuration work can be left to the IT groups, which can support the technical requirements of the information security objectives.
In conclusion, a well-balanced professional who understands the objectives of both the information security and privacy roles must be capable of designing policies and procedures that achieve the organizational goal of securing all information regardless of its location and format, unless the organization is primarily focused on system security risks, holds no personal information, or is unable to find qualified professionals.