Privacy vs. Security: A DialogueMcAfee's CPO and Intel's CISO Share Perspectives
Harkins, also the chief information risk officer at Intel, says the events of 2012 will help to foster the intersections between privacy and security professionals in the New Year. One area he sees the greatest collaboration: legislation.
"On the legislative side, there's cybersecurity legislation that's making its way in different forms, as well as increased privacy legislation," says Harkins, along with Dennedy, in an interview with Information Security Media Group [transcript below].
"In certain cases, some of those agendas might create tension, even at the legislative level, about what the appropriate level of privacy protection is in an information-sharing bill," Harkins says. "We've seen those tensions [before], and I do imagine that will continue until we can get to some appropriate balance point between security and privacy."
Dennedy sees the mobility movement as one that will bring security and privacy professionals together for productive dialogue. At issue: the delicate balance between personal and professional use of mobile devices.
"Instead of saying 'bring your device to work,' I think of it as 'bring your device to life,' because the photos I take or the voice messages from my kids while I'm on the road, on the same device that I'm using for my work environment, are really important to me as a human being," Dennedy says. "At the same time, I don't want to import any risk into my enterprise or have a lot of people able to export a lot of intellectual property outside of the environment, so we really think about this in terms of how we're developing [policies]."
In an interview about the distinct roles of privacy and security, and where they intersect, Dennedy and Harkins discuss:
- How to defuse this tension between privacy and security functions;
- The impact of mobility;
- New skills necessary to support security and privacy in 2013 and beyond.
Dennedy is chief privacy officer to McAfee, an Intel company. She is responsible for creating a privacy practice that focuses on policies, products, procedures and governance efforts. Her team supports McAfee's outreach efforts to educate and protect children, families and communities in the Digital Age.
Harkins is vice president of Intel's Information Technology Group and CISO and general manager of information risk and security. The group is responsible for managing the risk, controls, privacy, security and other related compliance activities for all of Intel's information assets.
TOM FIELD: To start with, Michelle, why don't you tell us a little bit about your particular role today at McAfee? What does it entail?
MICHELLE DENNEDY: I'm the chief privacy officer here at McAfee. I'm in charge of a lot of different things. The number one thing I do is my group is the guardian of personally identifiable information. That really is the heart and soul of privacy. We look after the regulatory needs, such as compliance needs. For example, we do business in many countries around the world. We look after the compliance standards and the things that we need to do to at least meet and most of the times exceed those standards.
I have to look after things like processing culture. We want to make sure everyone who works at McAfee and everyone who interacts with McAfee understands the value that we place upon personally identifiable information, how we go about routinely respecting that information, measuring our success in respecting that information and taking care of that information. It's a role that rides across product development, process development, contracting and internal and external communications.
FIELD: Malcolm, from the security side, describe your role to us.
MALCOLM HARKINS: My title is chief information security officer, and the vast majority of what I do is on the information security side. But it's probably more appropriate to say chief information risk officer, pretty much anything and everything information risk, whether it be security-related, application security or data protection, but also as it relates to other risk items like business continuity, disaster recovery, as well as controls and compliance for things like compliance for our systems. The corporate privacy team also reports to me and am heavily linked in with our legal organization for the compliance aspect. It's a wide range of information risk-related items.
FIELD: What's the relationship between Intel and McAfee? Do you have independent security and privacy organizations, or at a corporate level are you aligned?
DENNEDY: We're aligned. I have a CSO. Brent Conran is his name and he works closely with Malcolm and his gang. We want to make sure that, because we're a wholly-owned sub - we're independent - we want to make sure that we're doing things in line with the brand value and the ethics. There's nobody's brand that's better than Intel's brand and we certainly wouldn't want to do anything to impact that. We also have a very consumer-facing brand at McAfee so it's really a constant flow of conversation between us. We can act independently, but at the same time we're also very much aware that we're protecting the same customer at the end of the day in many cases.
Privacy & Security Connection
FIELD: Michelle, where does your role touch security, and Malcolm, where does your role touch privacy? I've got to guess going into this conversation that the distinctions are far different than they used to be?
DENNEDY: It's interesting. It's a continuum. They're different in some ways and getting closer and closer in others. We're kissing cousins is the way I look at it. For example, we serve our customers by sending them information about the latest risks in the cyberworld. If I'm doing a contract with a large enterprise environment, the contracting party may ask me how I'm complying with laws around the world. I will also partner with my CSO to make sure that all of the security requirements for that customer are in place and still valid and that he's communicating to that customer as well. That's just one example.
The most stark example is if you do have an incident or a suspected incident, where someone has either lost a device or someone has hacked into your environment and you think that personal information has been compromised, then you're really hand-in-hand with your security partner and you have to have that relationship intact before that incident occurs.
HARKINS: I think they're inextricably linked. From a definitional perspective, if you were to go into a dictionary, you would find that security would be defined as something that you're free from risk or danger, that safety perspective and that assurance of safety. You can't have privacy without security, but security on the other hand can cause privacy issues, depending upon on how you do it. There in lies the potential tension between them, but also the intimacy between them.
FIELD: Malcolm, you used the word tension, and my question for the two of you is: What are some of the natural tensions that you've seen develop between security and privacy organizations?
HARKINS: One of the things that I've seen to some extent in security organizations is security organizations or security folks are color-blind to privacy. They get the fundamentals of data protection, and privacy to a large extent is about data protection. But they misunderstand the nuances of what really is personal identifiable information and how they need to handle it in order to be privacy-appropriate with certain information, particularly when you get into logging, monitoring and those types of tracking things that security professionals want to do and to some extent need to do in order to provide protection.
DENNEDY: It's a fascinating tension, and I think when the tension works well, it's kind of like a great sitcom. You watch these people have this great tension. The tension with privacy is really interesting. I think Malcolm nailed it. There's a certain color-blindness to it or a belief that security trumps privacy. It's so much more tangible. What can I do? Are there guns and dogs at the door? Privacy isn't articulated well. A lot of people focus on some of the traditional definitions of the right to be left alone, or they look at it as Europeans do, as a human right. Human rights are very difficult to code, so when you get into the technical protection space, it's very difficult to translate.
The way that we think about it on an enterprise scale is privacy can be broken down as the authorized processing of personal information. It's in the authorization where that context of that human right, or the right to be left alone, or how much monitoring is appropriate in the work place versus in the bring-your-device-to-life space, where our phones are coming in and out of the enterprise. The tension exists because I think sometimes it's ill-defined within organizations and with our customers even. What is it exactly that we're trying to do with the privacy right?
The other side of it is communication and leadership. The privacy function has only been around for about a decade, and so it's fitting itself in, figuring out where it lives, understanding who owns this thing and then how you partner it with security, which is relatively new in the grand scheme of leadership. It's only about 30-35 years old.
Privacy vs. Security Tensions
FIELD: You're heading right where I wanted to ask. Where do you see these tensions in your organizations, and how do you address them?
DENNEDY: I just hit Malcolm really hard.
HARKINS: That sometimes works, but I think you've got multiple drivers that are to some extent going in different directions, from consumerization to personalization to my computing environment. Advertising that type of stuff, there's a drive for more and more information about me and my patterns and what I'm doing and how I'm doing it to provide me the capabilities that I might want as a consumer or I might want as an end-user in the enterprise. That's driving up more attribution information about me.
At the same time, from a security perspective, I want to know more about what Malcolm's doing, how he's doing it, when he's doing it and where he's doing it so that I can use that contextual information to validate that Malcolm is Malcolm. The more I have of that level of information, essentially a compute persona of Malcolm, to help me detect unusual patterns to see if somebody has taken Malcolm's credentials, that just goes against the grain of what would be less attribution and less specific, getting less of a footprint about Malcolm's compute behaviors, which is what privacy would want.
DENNEDY: I think there are a lot of science-fiction beliefs around what security is and what the role is of big brother and what can big brother do. Technology is actually coming up and meeting some of these scientific fantasies in the past. If you look at The Matrix and some of these other popularized movies where people are really able to hone in and track people, there are more tracking technologies and they're available. The decision-making and the ethics around using these tools is still evolving, and I think that's where some of this tension really is. We want to get more proactive with our protection. We want to make sure that only the authorized parties are most actively processing information from an internal perspective, but also from our own perspective as employees, as customers and as citizens. We want to make sure that we understand there's a certain level of transparency that needs to evolve, and I think some of this tension is relieved by not fighting between the privacy and security functions, but really joining forces in bringing awareness to the top level, the controlling product managers and the C-level suite of people understanding where are the economic drivers that are based on information flows, and do you have their buy-in. Once you do, you can create a greater transparency and responsibility for the information, and instead of this fight between two similar kissing-cousin types of discipline, it turns into this really dynamic energy where the whole organization starts to respect information and has a much better, tangible to-do list so that you can move forward instead of just moving side-to-side with tension.
FIELD: Given recent incidents that we've seen - a number of breaches, the DDOS attacks and legislative trends, particularly in other regions we're seeing privacy legislation - where do the two of you see security and privacy intersecting further as we get into the New Year?
HARKINS: It's just going to continue to grow those intersections, and with the incident trends, that will continue to fuel it as well as the legislative trend, because on the legislative side there's both cybersecurity legislation that's making its way in different forms, as well as increased privacy legislation. In certain cases, some of those agendas might create tension, even at the legislative level, about what the appropriate level of privacy protection is in an information-sharing bill. We've seen those tensions in the last round and I do imagine that will continue until we can get to some appropriate balance point between security and privacy when it comes to the legislative agendas.
DENNEDY: We're going to see more and more activity, as Malcolm says. We're seeing this from across the globe. Some of the loudest regions are Europe, but also some very interesting developments are happening in places like South Korea and Hong Kong. Australia recently updated its privacy legislation that they've had for many, many years. There's going to be a lot of activity and a lot of opportunities here for a lot more voices to come and educate legislators about what the technology does, what the technology actually doesn't do, and have more and more consumers who have been more on the neutral side or the quiet side say, "This is really how I want to use my phone," or, "This is really how I want to travel safely."
Those are the dialogues that I think need to happen. It takes a long time for a piece of legislation to make its way through the process, and by the time it comes out we have a whole new host of means of computing, and I think that's going to continue to happen as the embedded device really gets deeper and deeper into most of our environments. It's no longer a laptop or even a tablet anymore. It really is embedded in your lifestyle and how you're going to compute.
FIELD: You raise a good point Michelle because we're all carrying around our smart phones now, and I know that at Intel especially they've been advocates of the BYOD trend. How does mobility add fuel to the fire of conversations between privacy and security?
HARKINS: It can add fuel to the fire or you can look at it as a partnership, getting to what Michelle talked about, because at the end of the day we're trying to do the same thing. We want to protect the end user. We want to protect the information on the phone and what corporate resources they're attempting to connect into. If you look at them as security or security-versus, particularly when you get into cloud, bring-your-own and that type of stuff, it's the round mindset. You have to think about security and privacy. How do I deliver both while allowing this mobility and capitalizing on the benefits of mobility in the enterprise?
DENNEDY: I echo Malcolm's sentiments entirely. Instead of saying "bring your device to work," I think of it as "bring your device to life," because the photos I take or the voice messages from my kids while I'm on the road, on the same device that I'm using for my work environment, are really important to me as a human being. That's something I hold dear and I hold some ownership interest in.
At the same time, I use that same device and I don't want to import any risk into my enterprise or have a lot of people able to export a lot of intellectual property outside of the environment, so we really think about this in terms of how we're developing the backplane of information, if you will. Say the device is one thing, how do we actually plan to capture, gather, monitor and discard information throughout its lifecycle? From a privacy perspective, the name of the game is authorized processing of personal information. How long, where and what context? I think that gets us deeper and deeper into this mobility space. These things that we're learning on the mobile phones and the smart devices are just the beginning. You're going to start to see smarter and smarter doctor's offices. You're seeing pilots now of really interactive gaming happening in the educational environment from K-12. There's going to be rather intimate information exchange going on in those environments. How much belongs to the student and the parent? How much belongs to the school system? How much is publicly reported for "no child left behind" type of schema. These fundamental questions that we're testing right now with the mobile phone are just the beginning of this dialogue.
Meeting Mobile, Cloud Demands
FIELD: For organizations such as yours, which is serving both corporate and consumer customers, what are the new skills your organizations are going to need to develop to meet the mobile and the cloud demands, and others, of 2013?
DENNEDY: I'll dig in here because it's something that I've thought about and one of the things that drew me to joining the McAfee-Intel combination. I came after the combination had already happened. I spend a lot of time in school educating really young kids, K-12 kids, on cyber awareness, cyber safety, their privacy rights and responsibilities, and things like cyber bullying, for example. The newly-skilled worker is going to have to have a multidisciplinary approach. I don't think anymore we can specialize as just technologists, just ethicists or just lawyers. We really want to see people who have at least an interest and a base-level competency so that they know how to ask the person who's really deep-diving into that area how to face challenges.
When I'm collecting a lot of information and I'm a technology person, I have to be thinking in the back of my mind that this is a lifecycle decision. How do I get rid of bad data if that happens? What happens if this information is tainted? It's no longer that I can just build a PC, hand it off and be done. You have a connection to this information for a long period of time. This multidisciplinary trend and the rise of the privacy engineer themselves, knowing how to build in lifecycle protections step-by-step through the process is going to be an absolutely huge, hot new trend for computer scientists in particular.
HARKINS: I completely agree with Michelle in terms of the multidisciplinary aspect of it. In the book that I've just written, I kind of describe the skills as Z-shaped individuals. We've heard about T-shaped individuals in the IT area where they have a technical depth and a business breadth. I think in the information risk space, spanning security and privacy, you need to have a level of business acumen that spans the business that you're supporting, a level of technical breadth that spans mobility, data center, cloud, enterprise applications, mobile apps and a level of security and privacy acumen that spans the risk awareness, as well as the compliance aspect of it. It's kind of the connective tissue between your technical breadth and your business breadth in order to shape the risk dialogues appropriately and ensure the compliance of the organization to the appropriate laws.
Developing New Skill Sets
FIELD: It's a tough skill-set to find. How are you going to do that? Is it going to have to take development internally?
DENNEDY: It definitely takes development internally. You have to rotate people between roles, and within my organization we actively rotate people between roles, both at an individual contributor level, as well as a senior level. Take somebody from a security side and move them into the privacy organization. Take somebody from the privacy side and move them into security. Take somebody who has done operational work and move them into the risk management function. Take folks that have a business background to understand the business processes of the company and have them take on some more technical roles. Experiences in the different roles will develop the acumen, which means it takes time.
FIELD: Is it the same type of rotation within McAfee, or do you have a different culture Michelle?
DENNEDY: People kind of self-rotate here. I have certainly in my own career wandered extensively across the enterprise. I have always gained such valuable insight. I even did sales for a year. After Sun Microsystems was purchased by Oracle, I actually went in and helped stand up their privacy and security sales organization. It was a huge personal and professional risk for me to go from internal governance to sales. You're really literally on the tip of the spear. Gaining that discipline and understanding where they are and what they need to know and how they learn, there's always a frustration that sales people never take your compliance training. Now I know why. It's because it's planes, trains and automobiles. If you don't have an app for that, it's not happening.
Understanding how people operate, what there pain points are and how they're awarded, the rotation model has so much to offer, and the new enterprise is going to have to be nimble.
The other thing that's really important is creating this kind of sense of entrepreneurship within organizations. We certainly have that here at McAfee, looking at the 10K report, which now is the Intel report because we're wholly-owned and we don't publicly separately report anymore. I make sure everyone on my team who has the projects has read the 10K. It says very loudly what the policies and positions are. Here's where we're going, here's where we're investing and here's where we think the market is. Understanding that and being articulate in that helps you to be a much better partner with the business people with whom you interact.
Then, give those business people a little more ownership, in having a series of notes that they can play in the symphony, if you will. I don't ever walk in and say, "This is what your consent mechanism looks like. This is how long you're going to keep the data." It's always the sense of, let's do an impact assessment and risk assessment. Half of risk, really the reason of risk in a commercial enterprise, is leaning into opportunity. Don't take a risk if it's just going to cause you more risk. You take a risk because it does bring and drive new opportunity, new advancement, efficiency, or there's a positive business aspect to it. When you really lean into that, you find so many opportunities to elevate this discussion to be so much more about protecting that information as a fundamental asset.
Security vs. Privacy: Disagreements
FIELD: It's clear you two know each other well. You're well aligned on topics and agree on a lot. Michelle, where do you disagree with Malcolm?
DENNEDY: Too much facial hair.
HARKINS: Yeah, my goatee.
DENNEDY: No, I like your goatee. I think where it's tough are things like employee monitoring, which can be a challenge. We happen to come down in the same place, but in the past definitely I've run into organizations where they really believe that more is always better, and piloting things without telling employees that they're piloting things have been suggestions that they have made. Whenever I'm confronted with one of those suggestions, I say, "That's great. Let's start with the C-suite." If you're going to do quick stream capture and monitoring of phones, let's make sure you're doing it to the CEO. And if you think that's too risky, then it's probably not something that's good or is going to scale across the organization. That's where sometimes there's more tension than not, where there's always this question-mark place of how much is too much and can we have one efficient network versus a series to meet these different legal needs.
It's always challenging for anyone who's trained as a lawyer. I have separate ethical responsibilities to the bar as well as to my organization. I don't ever want to be in a position where I'm actively espousing, not following a law. Yet in privacy in particular, where you're doing business in 90 different countries, you're always espousing a position that's either a gray area or really, really on the edge of some jurisdictional law. That's where some of these tensions come in. I'm being fudgy because I really don't disagree with Malcolm on too many things because we have a good way of resolving those things as they occur.
HARKINS: I think it's because we've focused on how to work through the differences. Focusing on how to do something versus getting caught in a more esoteric dialogue that's more philosophically-based has allowed us to focus in on where the tension point is, wrestle through it and then come to an agreement and move forward.
DENNEDY: That's right. I don't think anyone likes to be surprised and so I think where anyone is considering doing something that's different from the norm, picking up the phone quickly and often is the best way to do that.
Advice for Professionals
FIELD: What advice do you offer your peers? Organizations just like yours who are dealing with the same security and privacy tensions, what can they do to work better and more effectively?
HARKINS: Get to know each other, establish trust, be completely transparent with each other and figure out where the real tension point is and then figure out how to get through it.
DENNEDY: That's the keystone, and assume integrity. Assume that your colleague has the best interest of the organization, and you, in mind. Starting with that assumption is really important because things happen really fast and you may not have the opportunity to be as transparent, bring someone into a meeting or you catch a subpoena from someone and you're already asking a couple of forensics people to go down the line before you've had a chance to pick up the phone. There are so many opportunities to fall down on this.
What I would offer to my peers in privacy is that I'm worried about the privacy profession, quite honestly. The reason is I think we're so focused on being, more and more, lawyers and some the most talented CPOs don't have legal training. It's very helpful to be a lawyer. It's a very confusing and fast-paced legal environment. It's very helpful to understand civil law versus common law and that sort of thing for sure. However, if you think for a minute that you're going to be able to contract your way out of this or have enough paper processes and documentation, you're way out of this. You're going to continue to be very, very frustrated, and I think some of this comes from a fear. A lot of people that go to law school are more verbal than math, if you will. That's not true for everyone at all. I'm making a vast over-generalization, but a lot of people fear technology, especially once you become quite senior, walking into an environment where you nothing, is a risk.
In the privacy profession, we need to take those risks and we need to get down and dirty with the technology. It doesn't mean you're going to have to sling code and come up with your apps on your own, but you do have to be conversant in the variance of encryption. What are the various huge diversities in stacks of IDM stacks, for example for identity management and role-based access? What are the limits of key stroke logging? You have to really continue to educate yourself and have that dialogue, and I could go on for a long time about that because I think this is where if the CPO profession is going to sustain itself and exist and continue to add value, we need to really stretch ourselves a bit.
HARKINS: I think Michelle is spot on. On the security side, it's a similar level of education. You can't just apply from a technical skill set. You can't just apply with looking at the ultimate aspects of protecting the system or the data on the system regardless of what it means that you're going to be doing to other things. That level of broader risk awareness, getting a level of acumen on the privacy philosophies, the privacy legislative requirements and then figuring out and working together on how you do both, I do think it's not security versus privacy. If you've got both people that are willing to learn and are willing to walk in each other's shoes to some extent, you will figure out that it's security and privacy and it's tough to reconcile them, but not impossible. The challenge of bringing the two together and to do both appropriately is a worthy challenge to figure out, and hopefully that worthiness of them coming together will cause both sets of organizations and individuals to recognize that the partnership together is stronger than divided. They will actually generate more risk for their organization and both accomplish a lot less.
DENNEDY: Yes, and its fun. That's the thing that I definitely want to emphasize. It's not always this great tension thing. This is a fascinating, fascinating area, and you know information is the great GDP generator of the future. There's no doubt. We're not going back. There is going to be more and more and more information available. How we manage it, how we want to manage it, what we devise and invent to manage is just going to get more and more exciting and interesting and cutting edge in the future. So I think leaning in is an investment well-made just for yourself too and just to have a really fun career, as well as a fulfilling and a financially fulfilling one as well.