TechTarget’s 2015 Annual Salary and Careers Survey results provided another reminder that while security is a high priority for CIOs and senior IT leaders, privacy is not. When asked to select their three top IT projects for 2016, almost one-third (27%) of the 248 CIOs, CTOs, CISOs, executive vice presidents and directors of IT polled by the survey selected security as their highest priority. Privacy, on the other hand, was dead last out of a list of more than 30 options, with just 1% of those surveyed selecting it.
Although security and privacy share a common goal — to keep sensitive or important information protected — they are often seen as distinct topics that live on the line dividing IT and the business. According to Jill Dyche, vice president of best practices at SAS Institute Inc., security is often equated with technology whereas privacy is equated with policy, such as how enterprise data is used.
Here’s how she put it: “Privacy is more in the purview of the business in terms of policy-making as opposed to security, which is more of a technology, a platform and, arguably, a software play,” she said. Dyche said the chief marketing officer and the chief digital officer are likely two business executives obsessing over privacy policies right now. “They’re getting that opt in/opt out information in their organizations, and they have to figure out what to do with it,” she said.
Gregory Turner also wasn’t surprised that privacy and security are thought of separately by CIOs and senior IT leaders. Turner serves as the COO and default head of IT at Millennium Collaborative Care, a nonprofit organization that’s trying to better connect Medicaid patients in western New York with health care providers. Because the organization works in the health care industry, security and privacy are often defined separately for it by local and federal guidelines, such as the Health Insurance Portability and Accountability Act, better known as HIPAA, which regulates how health care data is guarded and used.
As such, Turner distinguishes along similar lines between the two areas: “Security is preventing unauthorized access to systems and data,” he said. “As for privacy, even though you have access to applications and systems, you may not necessarily have access to personal information related to employees or patients.” Per HIPAA’s privacy rule, health care organizations are also required to create policies that “set limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”
But, Turner said, while patient identities have to be carefully guarded, they also have to be clearly communicated from one health care provider to another to ensure high-quality care, which can require a sophisticated methodology. “The patient identifier is an important component to a solution,” he said. “But you almost have to have a mapping program that will allow another provider or a doctor’s office to say, ‘this patient under Millennium is this guy in this practice’ without sharing the identifier.”
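The two ideas Turner separates above, keeping system access distinct from access to personal information, and linking a patient across practices without handing out the identifier itself, can be sketched in code. The following is an added illustration, not Millennium Collaborative Care’s system; the coordinator index, partner names, keys and field policy are all constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed master patient index held only by the coordinating organization.
# Internal identifiers and records are invented sample data.
MASTER_INDEX = {
    "MC-000123": {"name": "Pat Example", "dob": "1970-01-01", "diagnosis": "J45.20"},
    "MC-000456": {"name": "Sam Sample", "dob": "1985-06-15", "diagnosis": "E11.9"},
}

# Constructed per-partner secrets. Each practice gets its own key, so the token
# one practice sees cannot be correlated with another practice's token except
# by the coordinator. A real deployment would keep these in a KMS or HSM.
PARTNER_KEYS = {
    "clinic-a": b"constructed-secret-for-clinic-a",
    "clinic-b": b"constructed-secret-for-clinic-b",
}


def pseudonym_for(partner: str, internal_id: str) -> str:
    """Keyed pseudonym a partner uses for a patient; reveals nothing about the internal id."""
    digest = hmac.new(PARTNER_KEYS[partner], internal_id.encode(), hashlib.sha256)
    return f"{partner}:{digest.hexdigest()[:24]}"


def resolve(partner: str, token: str) -> Optional[str]:
    """Coordinator-only reverse lookup: partner token -> internal id, or None if unknown."""
    for internal_id in MASTER_INDEX:
        if hmac.compare_digest(pseudonym_for(partner, internal_id), token):
            return internal_id
    return None


def translate(from_partner: str, token: str, to_partner: str) -> Optional[str]:
    """'This patient at clinic-a is this patient at clinic-b' without exposing MC-* ids."""
    internal_id = resolve(from_partner, token)
    return None if internal_id is None else pseudonym_for(to_partner, internal_id)


# Privacy layer, separate from system access: a caller may be fully authenticated
# and authorized to use the application yet only see fields its purpose allows.
FIELD_POLICY = {
    "treatment": {"name", "dob", "diagnosis"},
    "billing": {"name", "dob"},
    "research": set(),  # research works with the pseudonym only, no direct identifiers
}


def disclose(internal_id: str, purpose: str) -> dict:
    """Return only the record fields permitted for the stated purpose."""
    allowed = FIELD_POLICY.get(purpose, set())
    return {k: v for k, v in MASTER_INDEX[internal_id].items() if k in allowed}
```

The per-partner tokens are the only identifiers that leave the coordinator, and the field policy is what a privacy rule such as HIPAA’s “uses and disclosures” limits map onto once a user is already inside the system.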
Turner is, in essence, talking about data governance, which Dyche described as a topic that can make it easy to conflate security and privacy. “A lot of those conversations we were having five years ago about data governance are coming back in the form of data security,” she said. “If you deconstruct the security requirements, you get to platforms and access rights, you get to the data itself and the policies around that data.”