
Privacy or Security

When talking about privacy or security professionals, some people still refer to certified information security professionals as excellent privacy experts but not as excellent security experts. I guess that depends on their definition of the information security role. Although there is nothing wrong with being labeled as a privacy professional, this practice of fully separating both functions somewhat puzzles me, especially when it comes from people who are experienced enough not only to know the differences and similarities between both roles but also to understand the scope of the information security function, which continues to be the subject of daily debates in professional forums. In fact, the roles of privacy and security professionals are so intertwined that one cannot exist without the other. I’ll go one step further and suggest that privacy might in some cases be the control objective of the information security function.

Privacy in general is defined as the act of keeping one’s personal information secluded and only visible to selected parties. Security is the act of ensuring privacy is maintained at all times in accordance with prescribed access and distribution rules. Notice I said "at all times", because securing private information is not limited to the flow of information within systems but also includes securing information in all areas of operations outside of the information systems. Having privacy in mind while securing information implies that privacy can be an objective of the information security function in certain industries.

Although privacy requirements can be determined by a separate group other than the information security group, the two groups are still interdependent and understand each other’s roles to accomplish the goal of keeping personal information private. Privacy professionals are in general concerned with who is entitled to access the private information of their consumers and employees in the course of business, and security professionals implement the solutions to achieve the privacy goals. We have to remember that privacy requires both operational and technical security solutions, and although some security professionals are solely focused on the technical solutions, information security is and should be an organization-wide function. That being said, those who label a certified security person as a privacy professional and not a security person are those who have the limited thinking that information security is a technical function and does not cross over to the operations area, and this is where I fundamentally disagree with some of my colleagues. If you consider the objective of information security and privacy to be collectively limiting information access to only authorized parties, then both privacy and security are also concerned with securing information flow within the organization, both inside and outside of the information systems. Therefore, by suggesting that a certified security person is only a privacy professional, we are suggesting that either a) the person does not understand the requirements for securing personal information or b) information security is only concerned with information systems, in which case a privacy person lacks total know-how.

Most privacy professionals have adequate knowledge of legal requirements, best security practices, and running training and awareness campaigns, and although they may not know how to configure a system to operate in a certain way, they do understand best general security practices. I also think it’s wrong to label security professionals as the people who know how to configure systems but lack the understanding of operational security requirements and privacy goals.

I think experienced and certified professionals in information security fully understand the privacy objective of the information security function and are also fully capable of designing policies and procedures to achieve their desired goals. Therefore, to suggest that a certified security professional might be a good privacy person but not a good security person is an immature and irrational judgment call, unless of course information security is expected to be solely focused on system security, as some may suggest.

Whether you consider yourself a privacy or security professional, joining IMI and becoming certified can only boost your career.
