Tug of war
Why won't the privacy vs. security debate die?
When I was first offered a CISO role in 2003 the position didn’t expressly include privacy. It was discussed and tacitly included but that struck me as disappointing. Having no background in cybersecurity or privacy, my understanding of both was pretty informal. Privacy in particular I understood almost exclusively in the colloquial sense of ‘privacy’. But privacy as a concept seemed very civil liberties-esque and aligned with my own intellectual passions; perhaps an even sentimental affinity for the private realm of inner dialog and thought. So I insisted on having privacy added to my title and formal job description. At the time, other than FERPA, the notion of privacy as compliance was utterly foreign to me. Thus for the next 14 years I occupied the dual role of CISO and CPO at two institutions.
Just last week this survey analysis was shared with me - it’s from Nov. ‘24, so I guess I’m far behind in my reading. This poll asked the question “Should Cybersecurity and Privacy Functions Be Integrated?” Beyond having embodied this integration for over a decade, it jumped out at me for a couple of reasons. First, I and my smarter, wiser friend and colleague Jane Rosenthal gave a talk at Educause national on this very question. We even wrote a piece about it as a follow up. Of course this was in 2012/13 so I was curious about how our advice held up. Second, yawn. Really? With all that’s going on in cybersecurity and privacy, this is what we’re spending time debating?
Okay, I get it, this is a question which is relevant only to professionals and is a truly great example of the phrase ‘inside baseball’[1]. However I do think there are a few important issues lurking in the question of why this debate won’t go away.
Lack of clarity on a functional definition of privacy. I’m not talking about a definition for ‘what privacy is’, but rather, what role should the privacy function play in an organization? Outside of higher education privacy has long been homed as either a marketing or a compliance activity. The external drivers for privacy are almost exclusively compliance as we see more and more regulations applied to data handling. But the impression I have is that higher ed privacy is somewhat factionalized between those that are comfortable with and embrace the compliance role, and those that prefer to approach privacy more from the educational and advocacy standpoint. Clearly I’m a big believer that we need to double down on advocacy even though compliance is the 800 lb gorilla. It’s hard to imagine privacy becoming all it could be as a field without resolving this basic issue.
Lack of clarity on what privacy means for cybersecurity professionals vs privacy professionals. As a younger and less mature domain, some privacy officers are struggling unnecessarily with security over turf. Cybersecurity absolutely is concerned with privacy, and to view it as merely the mechanics of data security is both inaccurate and reductionist. One simply can’t cut the thread binding an activity to its mission: cybersecurity may operationally focus on the classic CIA triad, but does so in the service of national security, national competitiveness, privacy, and civil liberties. Administratively and in practice cybersecurity has a longer tenure within the organizational ecosystem and is far more established than privacy. While the cybersecurity office will complain about being underfunded, the days of needing to justify having a security office are well in the past[2]. On the other hand, privacy officers generally remain individual contributors and seriously, I get it, it’s not a one person job. But the eyerolls I get from some privacy officers about staffing and resources get old - if cybersecurity is better resourced[3] than privacy in most organizations, your conflict isn’t with cyber, it’s with your leadership[4].
Failure to clearly differentiate a whiteboard from an actual organization. It’s easy (and fun) to design the optimal organizational structure for your function on paper. We all do it. But organizations tend to settle into structural patterns; patterns that have enormous inertia. Sometimes it’s best to just put sidewalks where people walk, and not where you want them to walk. Falling back on the usual arguments about ‘unbiased decision making’ or ‘getting more attention from leadership’ is naïve - using the org chart to achieve this is how a drunk uses a lamppost, for support rather than illumination. There are clearly times when an organization needs change, but by demonstrating skill authority and developing effective professional relationships, the significance of the org chart is diminished[5].
Privacy and security are on the same team, despite being constantly presented as oppositional. Let me repeat this to make it clear: security is not the enemy of privacy, security is not the enemy of privacy. Effective security does not involve giving up privacy, nor does security need privacy to act as a governor. I can hear you thinking, “but Mr. Bonehead, clearly many security controls are intrusive if not outright surveillance; how is that not corrosive to privacy?” It’s a reasonable question, despite your rude name calling.
I frame the discussion of privacy as a series of overlapping spheres. The notional idea of privacy begins with the inner realm of thought, what I call the first sphere. We all rely on the private nature of our minds to explore ideas, visualizations, and imagined experiences as essential tools for exercising empathy and our emotional and intellectual lives. Now if we expand that to include someone else, to dialog with another person, or the second sphere, in the most intimate sense we are exposing some of that inner space to this other. Herein is born trust - the more we expose those inner activities, the more we have to trust the other to respect our privacy. (Of course it’s commonly known that a secret is only secret if the person it’s told to is dead; so much for societal trust).
Human society is, or was at least in the pre-digital days, little more than a massive expansion of this second sphere; instead of sharing with one person, we craft custom spheres with different groups and organizations each with carefully curated shared thoughts and a concurrently tailored notion of trust. Society and politics are little more than an entire algebra of how these various spheres are formed and interact. But with the expansion of the inner space into the digital universe, and thus to include digital forms of interaction, much of what was private now takes place in a fundamentally public medium, though one in which we indulge in the illusion of privacy. Encryption be damned, I doubt it’s truly possible to be confident in one’s privacy using any online medium[6].
As I’ve described it, cybersecurity is a kind of force operating on these spheres - and yes, it can be intrusive. I recall an early discussion with a faculty member on why I was refusing to give him access to network flow logs - ignoring the potential PII issues around IP addresses - I explained that the flow logs would trivially permit one to create a report showing the preponderance of traffic to Democratic or Republican websites by building on campus. Surely the denizens of the campus administrative buildings would not want that showing up in the Chicago Tribune. Yet we in the security office used network flow logs as the lingua franca for intrusion detection and security monitoring. Clearly the potential for abuse can’t be denied.
Earlier I mentioned that the mission of cybersecurity includes protecting privacy. I take it as axiomatic that by preventing malicious and destructive surveillance and data theft, cybersecurity practices are part of the trust fabric that secures the spheres of thought and interaction that comprise modern society. Nevertheless, it is reasonable to ask ‘how does one ensure that the ‘force’ of cybersecurity remains in the service of privacy, and not at the expense?’ But I think I’ll defer on answering that now, it warrants more thought and a dedicated post.
In essence I’m arguing that as the greater digital ecosystem currently operates, notions of privacy are more delusional than we realize. Every thought you type, every photo you take, every story you pen is trivially captured or ‘discoverable’. Perhaps delusional is too strong a word; maybe it’s better to say that lacking any alternative, we’ve normalized what is essentially ‘not private’ as ‘private’, or at best ‘kind of sort of private since up until recently sheer scale meant it was unlikely to be made public’. The role cybersecurity plays (or should play) is to reduce the permeability of the carefully constructed spheres of thought and trust[7]. As I reread this I’m struck by how deeply cynical a view of digital culture this appears to be, though I might argue it’s more realistic than cynical. But given the recent near collapse of free speech (see here and here and here for examples) and the close elision of speech and thinking, it’s hard not to end up falling down that rabbit hole.
Security and privacy as organizational functions naturally have different modes of action but ultimately share a singular mission. Wasting time arguing about reporting lines or org charts diverts us from the issues that really matter. Surely now is not the time to indulge in busy work.
[1] Given the small number of respondents (110), it’s tempting to ignore this poll entirely. Educause has > 100k members across ~2100 member organizations, thus only .001% of the membership responded. However after checking with Educause they told me “taking a look at our member database, I see 887 CISOs and 100 CPOs in our membership.” So maybe 110 isn’t that low. But it does lead me to think most of the respondents are either security or privacy professionals.
[2] When I started the security office at UIUC in 2003, I believe we were the last school in the Big 10 to do so.
[3] By ‘better’ I mean ‘appropriately resourced’ not ‘equally resourced’.
[4] By the same token, it’s not at all clear to me that the nuance around many issues of privacy, for example data exposures that don’t involve a hacking event, are really deeply discussed by cybersecurity professionals. These sorts of privacy incidents are as impactful to individuals as any classic cyber attack. It’s weak solace, but recall that 20 years ago many security offices, even at large institutions, were staffed by only two or three people. At smaller schools they’re often still run entirely by one person. Staff at a university is typically grown by slow accretion, and not a big bang.
[5] The first time I learned this was when some VIP on campus called me saying they’d been told they needed my approval on some software purchase. I was stunned because 1) no policy said this, and 2) I’m not sure I could order a pencil on my own authority. Authority is a funny thing at a university.
[6] I do wonder if, to overload the analogy, it’s reasonable to consider the concept of potential privacy vs. actual privacy; to borrow from Rankine, (potential energy is now described as 'energy of configuration' and actual energy as 'energy of activity'); potential privacy is the privacy as configured to exist, vs. actual privacy is what’s left after implementation. See: https://www.academia.edu/89611715/What_is_potential_energy.
[7] Perhaps a better metaphor is that cybersecurity increases the opacity of these spheres and thus obscures the view of those attempting to peer in and observe the private.


