Security and privacy departments need to converge 11 August, 2008 By Vanessa Ho

PromoPipeline Exclusive Channel Promotions Find Out How You Can Make Money Today! ENROLL FREE! >> Underpromising William Vanderbilt - Innovative Learning Channels Services: I Can See Clearly Now Beth Vanni - Amazon Consulting Cutting the margin so many times William Vanderbilt - Innovative Learning Channels The Sign of Success - High Maintenance William Vanderbilt - Innovative Learning Channels Question for the Times: Build or Resell? Gary Bixler - AMD

"Businesses are really starting to change how they look at security and privacy," said Cowper.

He added the convergence of security and privacy is especially important as more and more people go online throughout the world.

Cowper explained that people are making better use of some of the communications channels out there and cited social networking as an example.

The recent rise in popularity of online social networks like Facebook has seen many end users appear to have loosened their trust when sharing personal information online. Whether it's making online purchases or uploading personal pictures to a communal domain, web users need to be careful with the content and details they openly exchange.

"The challenge for businesses is that individuals are now starting to post or share information on those types of sites that in many instances shouldn't be shared whether personal private information or company information," said Cowper.

He added that in many cases the use of these sites may be during company time or using company resources. By allowing an employee to use a social networking site from their computer in the office during work time that social networking site could contain potential personal private information but also, from a malicious software perspective, has access to the work computer that could be compromised. The question, said Cowper, is how companies decide whether loss of their data is a privacy issue with users posting information or a security issue in that the machine can be potentially infected with malware.

Adding to this, people often see security and privacy as two separate entities which are not intertwined.

"Those teams don't necessarily communicate as effectively as they could do with each other," said Cowper.

Part of this lack of communication is that the role of the security professional is to leverage technology to provide security for intellectual property within company systems and they are not generally concerned what that intellectual property is but more concerned where the threats are coming from and how to avoid those, Cowper explained. The privacy people are focused on things like the content of that intellectual property and does it contain personal private information and how is it treated.

"They are two sides of the same coin," he added. "We are talking about information on a computer network [and] often [privacy and security professionals] are protecting the same information but coming from different perspective."

Cowper said the best way for security and privacy to work together is if they drive towards the same goal and that is being compliant to federal regulations and processes like PIPEDA, C-SOX and other regulations imposed.

"What [companies] can do is work backwards to understand how privacy and security fit together and how to get the teams collaborating to ensure they are adhering to those processes," said Cowper. He cited the BC government as example of an organization that amalgamated their security, privacy and compliance teams into one group.

There are technology solutions available to help with the convergence. Cowper said that there are new security auditing tools that when coupled with other auditing and operations management tools help companies better understand the context around the data rather than data just being held on the system.

In terms of protecting social networking sites, it is still an area in its infancy but Cowper is seeing a lot companies leveraging technology like application layer firewalls and others to start controlling users being able to go to social networking sites.

"They are starting to understand the risk of people sharing information and potentially malicious software exploits," he added. "Companies are looking outside traditional point in time solutions to deal with a lot of those threats and see a lot of companies using training awareness and education to augment things like control tools to mitigate some of the risk to their organization."