May 2025

SIA Waypoints


Trends & Industry Issues

Data Privacy & the Security Industry: Experts Speak


In a constantly evolving cyber-physical security landscape, the security industry needs to hold and build on its commitment to promoting sound data privacy practices. In this month’s column, the Security Industry Association (SIA) spoke with several experts to learn about the data privacy landscape and how the industry can better address privacy-related challenges: SIA Data Privacy Advisory Board Chair Bobby Prostko, deputy general counsel, IP and cybersecurity, and chief privacy officer at Allegion; advisory board members Sal D’Agostino, CEO of IDMachines; Daniel Krantz, managing partner at the Secure Worker Access Consortium; and Matt Vaillancourt, senior director of global MSS sales at SonicWall; and ADT’s chief information security officer, Tim Rains, and vice president and deputy general counsel, IP and privacy, Frank Cona.

New Data Privacy Threats, Challenges & Concerns for Security Companies

A consistent theme from the panel was that the threats are getting more sophisticated and cutting-edge, with new threats and concerns emerging every day.

“Across the security industry, we’re seeing powerful technologies, such as artificial intelligence, automating and accelerating cyberattacks,” Rains said. “AI has made phishing scams and hacking more effective and convincing.”

As the technology landscape grows, so does the attack surface, which leads to new privacy concerns. Experts pointed to challenges including those around the rapid adoption of cloud computing, APIs and AI.

“There has been an explosion of identifiers and associated metadata related to people, devices and networks in general and directly in the physical security domain that directly impact security and privacy risk,” D’Agostino said. “You then combine this with the general consensus that we are crossing an AI threshold, which is a stage/phase in an ongoing and longer AI life cycle and evolution, due to the longstanding march of Moore’s law, and add in cloud; simulation and gamification; image and sensor types and resolution; along with open-source software and hardware; and you have generally available technology that can be used to do great things as well as great harms. This rings all the privacy and security, organization risk and threat bells.”

The panelists also stressed challenges with navigating and keeping up with the legal and regulatory environment surrounding data privacy. Rains shared that key concerns for companies include stricter regulations and consumer demand for increased data protection, while Prostko highlighted an increased focus on regulatory compliance, with laws such as the California Consumer Privacy Act and Europe’s General Data Protection Regulation (GDPR) setting higher standards for data protection.

By Kara Klein


“There are now privacy regulations in 19 states, and 10 more working their way through state legislatures,” said D’Agostino, who recommends leveraging the International Association of Privacy Professionals’ legislation tracker to keep track. “The same is true globally,” he said. “Everyone has heard of GDPR, but there is an even broader set of regulations called Council of Europe 108+ Protocol, which stems from the initial EU Data Privacy Directive in 1981 and is in the process of being adopted by countries around the world with a population of more than 2.5 billion people and goes into effect this year. This combines with regulations dealing with AI and biometrics. Socially, technically, operationally and legally, it is a changing and dynamic landscape.”

Another challenge companies face is making the business case for strong privacy.

“Data privacy protections increase the complexity and cost of new technology development without any positive contribution to revenue,” said Krantz, and as a result, “security companies are increasingly challenged to risk competitiveness (e.g., effectiveness, price and speed to market advantages) in support of data privacy best practices.”

How the Security Industry Can Improve

The experts shared several suggestions and areas where our industry can improve on data privacy:

  • Balancing the need for robust security with the protection of individual privacy rights: “Security companies often collect vast amounts of data to enhance their services, but they must ensure this data is handled in a way that respects privacy,” Prostko said.
  • Embracing the concept of proportionality: Companies must have a greater awareness of the “value of finding the right amount of data needed to achieve desired results,” said Vaillancourt, who stressed that the more data is collected, the more chances there are for it to be exploited by attackers and that “improving security postures and best practices helps not only with … privacy, but with overall security.”
  • Fostering awareness and transparency: Cona recommends that companies “increase communication about the topic … and [focus] on governance and accountability,” while Prostko and Krantz urged the industry to promote greater transparency with users about how their data is used and make strong investments in operational transparency and auditing.

“[Security] and privacy are not the same and have a symbiotic relationship that, once synchronized, has benefits across the board,” D’Agostino said. “SIA and the Data Privacy Advisory Board are working to educate on the benefits of these and how they can come naturally as they reflect what would be best practice in any organization and civil society. As an industry we can adopt privacy as an operational requirement of security and begin to understand that security services we provide must support operational privacy needs.”

Security companies and professionals can access a range of new and updated resources and programs from SIA to strengthen their knowledge and practices around data. Learn more about SIA’s initiatives and offerings around data privacy here.

Kara Klein is the associate director of marketing and media relations at the Security Industry Association. Before her time at SIA, Kara served as director of digital strategy at the National Cyber Security Alliance. Image courtesy of SIA