Security and privacy are commonly seen to be at odds. Implementing effective security requires the ability to identify potential threats. However, doing so can result in sensitive or personal data being inspected, which can threaten privacy.
In reality, the only way to achieve data privacy is through implementing effective data security. A well-designed, privacy-first security program offers significant benefits to any organization while minimizing potential privacy impacts.
The security vs. privacy misconception
The view that security and privacy are at odds comes from taking the two concepts to their extremes. In this mindset, any potential access to sensitive data is considered a failure to privacy and something to be avoided at all costs. If this view is adopted, security programs are severely hampered in their ability to identify and address potential threats.
For example, consider the case of network traffic analysis. Packet inspection is an invaluable tool for a corporate cyber security program. Firewalls are an extremely common form of packet inspection, and not having a firewall in place would be seen as a violation of reasonable security measures required by laws and regulations in a number of jurisdictions globally. By looking inside the payload of a network packet, it’s possible to identify attempted malware infections, data exfiltration, account takeover, and other threats. However, from a privacy standpoint, packet inspection can create concerns where a packet contains PII or other sensitive data. From a privacy absolutist lens, end-to-end encryption with no packet inspection seems preferable.
On the surface, these two perspectives — providing necessary security and keeping personal data private — seem incompatible. But regulators have also made clear that providing reasonable security is critical to protecting data privacy. One only has to look at any number of privacy regulatory enforcement actions brought against companies that have suffered security breaches to see this. We think data privacy and security leaders can bridge the gap between security and privacy absolutism, but it requires a different perspective on data privacy and security altogether.
What are the risks?
Risk management is a core principle of both data security and data privacy programs. Unifying the goals of both of these programs requires taking a look at the potential risks to an organization’s data.
For any organization that processes people’s personal data, keeping that data secure and private is of paramount importance. One of the biggest concerns for organizations related to a data security program is the potential that security solutions can see PII and other sensitive data as part of their duties. These tools may scan emails, network packets, or files for signs of malicious content.
The other main risk to corporate and customer data is that it might be accessed by a cybercriminal. For example, modern ransomware steals and leaks sensitive data if a company doesn’t pay the ransom. Even if the ransom is paid, there’s no guarantee that the data will be deleted and won’t be leaked.
Avoiding both of these risks is impossible. An effective security program needs access to data, and ineffective security practically guarantees data breaches.
Finding a privacy-first way forward for security
When security solutions are designed with privacy in mind, we’ve found that organizations can implement robust security protections while protecting the personal data of their customers and employees. And we know that when organizations conduct a cost-benefit analysis, the potential benefits for a privacy-first security approach are significant.
For example, blocking malware before it reaches an organization’s systems can prevent a data breach. With an average price tag of $4.45 million in 2023 — not to mention the brand reputation and legal repercussions — preventing even a single data breach is critical for the company. So there’s no question that industry-leading security measures are critical. And any reputable security company should offer solutions that minimize its access to sensitive data and protect the personal data in its care.
Designing a privacy-first security program
Privacy and security don’t necessarily have to be at odds. A privacy-first security program judges the risks of implementing security and failing to do so. If the benefits of implementing a security solution, such as email scanning, outweigh the benefits — which it almost certainly will — then the organization should carefully deploy this capability.
When evaluating whether a security tool is good for data security and privacy, some key questions to ask include:
- Does it provide clear benefits? The potential privacy risks of a security solution are only acceptable if it also reduces the risk of a data breach.
- Does it minimize access to personal data? A security solution should minimize the amount of potentially sensitive data it accesses and processes.
- Does the company prioritize security? Check how the company has handled past security incidents and prioritized security investment.
- Does it meet regulatory requirements? Verify that the company has privacy-focused certifications such as ISO 27701 and ISO 27018, is certified to the prevailing local and international data privacy frameworks. If a company has these certifications in addition to standard security certifications such as PCI DSS, ISO 27001 and SOC 2 Type II, it’s a great sign that a vendor goes above and beyond on privacy and security.
Evaluating all of these criteria for the 60+ security tools used by the average organization can be a significant lift. This is another great argument for security consolidation. Performing deep due diligence on a single vendor with a wide suite of capabilities is easier than performing a shallower assessment of several point security products.
Privacy-led security
A key enabler of privacy-led security is the scope of the Cloudflare network. With 20% of all Internet sites protected by Cloudflare, a substantial portion of Internet traffic flows through its systems and informs Cloudflare’s threat intelligence in a way that does not compromise the privacy of customers’ end users.