Saturday, 29 May 2010

"Privacy" vs "Security" or Privacy AND Security

Perhaps I'm alone on this, but I may not think of "privacy" and "security" the same way as some readers of this blog. It's common to hear that there is a tension between these two ideas, but I consider them to be very different, at least at the enterprise level.

Privacy is primarily concerned with protecting customer data, often called Personally Identifiable Information (PII). Lawyers are typically the dominant players. This field is heavily regulated, with laws requiring disclosure when "records" are lost. The costs of an incident are borne primarily by the individuals whose PII was stolen.

Security is primarily concerned with protecting intellectual property, often including trade secrets. Security professionals are typically dominant players. The field is less regulated, since a company loses its own IP. The costs of an incident are borne primarily by the enterprise because they become less competitive.

In this sense, an enterprise seeks to preserve both privacy and security: protect customer data and company data.

Of course, there are plenty of "privacy advocates" who concentrate on "protecting" the activities of anyone who interacts with an enterprise, whether customers or employees. My problem with these sorts of privacy advocates is that their laws, tactics, and worldview are often detrimental to the privacy and security I defined earlier.

For example, intruders know that it can be difficult to instrument and monitor activity in countries with "strict privacy laws" (hello .eu). As a result, intruders prey on organizations operating in those countries, knowing that it is rough for CIRTs to detect and respond to intruders. The result is that customer and enterprise data is at greater risk thanks to "privacy laws."

In terms of my last post, "More Evidence Military Will Eventually Defend Civilian Networks," the focus is clearly on security as defined in this post. I could see Cyber Command helping American companies protect intellectual property. Secretary Lynn clearly said he is not trying to aid consumers losing their credit cards to online thieves.
