One of the things I love about my blog is how readers communicate, enquire and ask questions.
This communication is what makes this blog relevant – I want to provide the information readers want and need. So if you are curious or hesitant about any subject, I greatly encourage you to ask me whatever it is you want to ask. I will do my best to provide you with an appropriate response.
The most recent question came through a professional connection of mine, asked on my LinkedIn page. I will paraphrase for the sake of this article: "Which should come first, and which should lead which? Privacy and the law, or cyber security?" In other words: which comes first, the chicken or the egg?
I find this question both important and necessary, and the answer is very similar to its metaphorical counterpart – we are not 100% sure whether the chicken or the egg came first, and there are convincing arguments for both.
There are equally convincing arguments on both sides of the cyber security vs privacy law question, so in the next paragraphs we'll try to understand it better by looking at it from both points of view.
The need is very clear – keep data secure and private, right?
But why? Why do we need to keep data secure? Why do we even care? Don't we put all our information on social networks anyway?
The answer is that "a long, long time ago in a kingdom far, far away" some information security people realised that when personal information leaks out, it can be used for malicious purposes and cause a lot of damage to law-abiding citizens. It can take the form of forging a signature to obtain funds illegally and can go as far as identity theft and monetary fraud (a great and fun example is the movie "Catch Me If You Can"). We all agree that it causes problems, but information and cyber security personnel have no power when it comes to deciding whether this sort of behaviour is legal or not. The legislative bodies in the different states/unions are the ones setting the bar regarding what is right and what is wrong. Security people identified the problem first, so by this account cyber security is the one that should lead, right?
Maybe… let's try to look at it from the other side.
Legislative bodies look at incidents from a very different perspective. If it were up to security personnel, the laws would be much harsher and it would feel like an information/internet/connection dictatorship, because security people only look at security (and thank god we do – that's the job). Legislative bodies take into consideration things that security people couldn't care less about, such as freedom of expression, freedom of the press and many, many more. Those legislative bodies have the near-impossible task of balancing the freedoms, the restrictions, the duties and the responsibilities, and setting all that out for a large audience to follow.
One must remember that the law binds us all. A company can be sued, people may lose their jobs or be prosecuted, and so on, so the balance is crucial.
So from this point of view, the legal side is the one leading.
My bottom line is this – I don't think it is a "one leads the other" situation. I think there are two forces intertwined with each other, each pushing and pulling like a tug of war. Sometimes one side pulls harder and sometimes the other. This creates a healthy balance.
This is the reason why, for example, becoming GDPR compliant is something I either do with the involvement of a professional legal advisor, or not at all.
Yes, most of the action items involve me and my expertise, but only the legal professional can guide me through what is required, why, and how much – depending on the organisation and the data the organisation manages.
Thank you for keeping up so far, feel free to ask more questions.
Yours truly,
The Green Hat