Inside Cybersecurity

Symantec official calls for 'integrated plus' in aligning cybersecurity with privacy framework

By Rick Weber / July 30, 2019

Cybersecurity firm Symantec's Ken Durbin is arguing for the National Institute of Standards and Technology to go beyond its current proposal for integrating data security into its upcoming privacy framework, by adopting a “plus” approach that would more closely mimic the core functions of NIST's landmark cybersecurity framework.

“I fall firmly on the integrated side,” said Durbin in arguing for one of two options being proposed by NIST for developing the privacy framework, while also urging the agency to go several steps further by integrating the “detect” and “recover” core functions of the cybersecurity framework into the upcoming privacy document.

“I think the functions of privacy and security are quickly merging together within organizations. Even a year ago, I could see an argument more for there being a separated course because privacy people were fundamentally different than the security people,” Durbin said in an interview with Inside Cybersecurity.

Photo: Ken Durbin, CISSP, Senior Strategist, Global Government Affairs & Cybersecurity

“But like I said, they are quickly coming together to where I think if we didn't do integrated in this version [of the privacy framework], 2.0 would have to integrate them. So I say let's do it from the start,” according to Durbin, who is senior strategist for global government affairs and cybersecurity at Symantec.

Durbin's comments underscore the dichotomy faced by NIST in reconciling its proposed “integrated” and “separated” core functions for the privacy framework discussed earlier this month at the third and final public workshop in Boise, ID. NIST plans to issue a revised “preliminary” draft privacy framework for public comment later this summer, with a final document expected before year's end.

Durbin was a panelist at NIST's second workshop in Atlanta in May, and was a vocal participant at the Boise meeting in urging the agency to adopt an integrated “plus” approach to cybersecurity and privacy.

“That was something that I was advocating for in Atlanta” as well as in Boise, Durbin said. “It's hard for me to understand” why the privacy framework would not include “detect” and “recover.”

“Look at respond, you look at the first subcategory. It says 'when a privacy event happens, you need to respond to it.' But nowhere in the framework does it cover how to detect when an event occurs,” Durbin noted. “So how are you going to know when to trigger your response activities, if you don't have a mechanism in there to facilitate the detection of the privacy event?” Durbin asked in making the case for including “detect” and “recover” as core functions of the privacy document.

“I don't know of anybody that thinks that you don't have to recover from a privacy event,” he said.

NIST has decided to undertake its ambitious effort to develop a privacy framework for use across industry sectors against the backdrop of burgeoning regulatory requirements, both domestically and abroad. For instance, California passed its Consumer Privacy Act, which goes into effect this January, while the European Union's General Data Protection Regulation has been enforced since last year.

Durbin acknowledged the impact of these and other regulatory requirements on the NIST effort, while also downplaying that the upcoming framework might spur further action by regulators.

“I don't see how having the framework would spur additional legislation or regulation,” Durbin said. “I see it as organizations, who are looking for a way to assess themselves against pending legislation, it's going to give them that tool to be able to do it.”

“The comments and the input that I give, whether in a formal written response or at the workshops, is based upon what we have learned from our journey towards GDPR compliancy, and moving forward,” he said. “Also, it's from our knowledge as the world's largest cybersecurity solutions provider to make sure that aspects of security are not overlooked in the privacy framework.”

Durbin said getting ready for GDPR compliance has also helped the company in preparing for the upcoming California privacy rules under CCPA next year.

“It's helped a lot, because at the core of all of these privacy legislative actions, when you think about it, is understanding what data you have, where it is, and its classification, how sensitive is it?” he said. “And then making sure you have appropriate controls around it.”

“Even GDPR, you don't get into any trouble, if your data doesn't leave your organization without you knowing about it,” Durbin said. “So being able to control data goes a long way towards privacy compliancy. So with that baseline, yeah, what we did for GDPR will benefit us with California, and other legislation that comes along.”

As part of Symantec's out-ahead approach to regulatory requirements, Durbin said his company would likely be one of the “early adopters” of the NIST privacy framework when it's released as final later this year.

“We haven't changed any of our internal processes because of the framework, but we are mindful of how it's being shaped, so that once it gets to a mature enough part, we may even become one of the early adopters and apply it to not the entire company, but maybe to a particular process to get a feel for how it's working,” he said, adding: “But I can say right now, I haven't gotten any negative feedback saying this isn't going to work for us.” -- Rick Weber