Making the (Philosophical) Case: A Privacy-First Security Approach
With the General Data Protection Regulation (GDPR) and other similar regulations recently coming into effect, the relationship between privacy and enterprise security - notably, how the two can work together to support business values and goals - has become a topic of increasing discussion and prioritization. While hefty penalties and strict compliance requirements have been the forcing function, the heightened demand for personal privacy - and security practices that respect that privacy - has organizations on alert.
More specifically, there’s been a resurgence and a redefining of the idea of ‘Privacy by Design’ (also referred to as 'data protection by design and by default' in the GDPR.) The concept is far from new, with its first iteration dating back as far as the late 1990s…but it has generated a wave of resources, guidelines, and certifications as a core tenet of the GDPR.
Philosophically, 'Privacy by Design' advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.
Technically speaking, 'Privacy by Design' is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices.
The guidance on what comprises a ‘Privacy by Design’ approach is fairly straightforward, formally outlined via Seven Foundational Principles. And the benefits - both strategical and technological - are pretty clear-cut. Ensure compliance. Reduce the likelihood of fines or penalties. Foster customer confidence and trust. Gain a competitive advantage. Future proof your privacy and security strategy.
Since Dtex’s founding - before both the GDPR and the ‘Privacy by Design’ framework emerged, we’ve subscribed to the philosophy that a privacy-first approach is the only truly sustainable and scalable approach. But we’ve found that, even with detailed guidance and clear benefits documented, this approach - whether it’s labeled privacy-first or ‘Privacy by Design’ - requires a shift in mindset, new technology investments, and in many cases, a complete overhaul of enterprise security posture.
If the conversations we've been consistently having with our customers are any indication, one thing is clear: the collision of security and privacy has finally come to a head. And the time for privacy-first security is now.
DRAWING A PARALLEL
Let’s draw a parallel that we believe underscores the urgent and critical nature of the need for a privacy-first or ‘Privacy by Design’ approach: the evolution of website and web application design.
In a nutshell, the story goes something like this: In the early days of the Internet, web browsing was contained to the desktop computer, which was the browsing vehicle primarily available and affordable at the time. Then, as consumer mobile devices became more sophisticated, mobile networks more advanced, and WiFi increasingly ubiquitous, the possibility of accessing the Internet from a mobile device became much more pragmatic. And as mobile device traffic quickly rose, so did the need for more enjoyable – or at a minimum, less painful - mobile web experiences.
Because organizations were accustomed to designing for the desktop and only for the desktop, mobile was clearly and understandably rendered an after-thought. And rather than overhaul their entire web design and delivery approach, it was deemed acceptable - and in many cases, necessary - to deliver ‘mobile-friendly’ experiences that were essentially reorganized and watered-down versions of desktop experiences.
Eventually, however, technological innovation along with user demand for content-rich and enjoyable mobile sites was too loud to ignore. And cutting-edge businesses – or those who wished to remain competitive and maximize business value - responded, rushing to create mobile experiences that went beyond the functional. They recognized that merely being ‘mobile-friendly’ was not enough… and so emerged the ‘mobile-first’ approach.
Mobile-first goes a step beyond the bare minimum of usability and is used to describe an experience that is thoroughly mobile from its inception. While there’s always the possibility of building upward and adding more features or content for the desktop, mobile is always viewed as the default setting - ensuring an experience that is future-proof and completely sustainable, because it was built from the ground up with a core focus on being mobile.
APPLYING LESSONS LEARNED
Just as the world demanded a new status quo with the delivery of better mobile experiences - inciting a shift from ‘nice to have,’ to ‘need to have,’ to ‘core focus’ - we’re seeing the same demands being made when it comes to privacy and enterprise security.
There was a time when the sole and primary objective of enterprise security solutions was to secure the perimeter, network, and critical systems by any means necessary... even if those means were unjustifiably invasive or overly intrusive. The top priority was protecting the organization through the most accessible, affordable means available - and privacy (along with things like productivity and flexibility) was seen as an afterthought, or deemed a ‘nice-to-have,’ even in the very best-case scenario.
But that approach and mindset is quickly becoming unsustainable and unacceptable. With advances in technology and public discourse, it has become increasingly critical for organizations who wish to remain competitive to re-imagine and rebuild their approaches. And it’s time to make the leap, beyond security measures and technologies that are just privacy-friendly, to those that are privacy-first.
DTEX AND PRIVACY-FIRST SECURITY
The Dtex Advanced User Behavior Intelligence Platform is purpose-built to detect insider threats, developed from the ground up as a privacy-first solution. Designed to support 'Privacy by Design' security approaches, Dtex helps enterprises comply with privacy regulations and is deployed at Global 2000 customers doing business in countries with even the strictest privacy laws.