An Introduction to Security & Privacy

Information security and data protection are, depending on who you ask, either critically important disciplines that underpin modern organisational life, or the people who turn up to meetings and say no to things. After a fair few years working in the field, I have some sympathy with both positions. This is the first post in the Security & Privacy section of Purpleboar, and it seemed worth taking a moment to explain what I write about here, how I approach it, and why I think it still matters, even to people who’ve been in the industry long enough to be thoroughly tired of the same conversations.

My Background

I will likely cover this in a post eventually, but here is a quick whistle-stop tour of how I came to be here. Like many in my field, my route to Information Security and Data Protection was roundabout, to say the least. Academically, I studied History, medieval history in particular. I went on to complete a postgraduate qualification and worked for a while in several fields before landing in IT. I then went back to university and completed my teacher training to be a Lecturer, before another left turn took me back to IT. After some time in IT support and training, I made successive moves to Information Management > Information Security > Data Protection, to where I am now, wearing all three hats!

What the Job Actually Is

Information security and data protection are related but distinct disciplines that have a habit of being conflated, misunderstood, or handed to the same person with insufficient budget and an unrealistic deadline. Security is broadly concerned with protecting systems, data, and infrastructure from threats, whether that’s a ransomware group with ambitions above their ability, an insider doing something inadvisable, or a misconfigured server quietly broadcasting things it shouldn’t. Data protection is concerned with how personal data is collected, processed, stored, and ultimately disposed of, and whether the people whose data it is have been treated with appropriate respect in that process. In practice the two disciplines overlap considerably. A security incident frequently becomes a data protection incident. A poorly designed data processing system is often also a security risk. The organisations that handle both well tend to be the ones that treat them as complementary rather than competing priorities. The ones that handle both badly tend to generate the kind of headlines that make the rest of us wince.

The Compliance Problem

Here is a frustration I suspect most practitioners share: compliance is not security, and security is not compliance. This seems obvious when stated plainly, and yet an enormous amount of organisational energy goes into achieving compliance with frameworks and regulations whilst leaving the underlying security posture largely unexamined. You can pass an audit and still be thoroughly compromised. You can have a GDPR policy document that runs to forty pages and still be processing personal data in ways that would make a data protection officer quietly despair. I’m not dismissing compliance: frameworks exist for good reasons and regulatory requirements matter. But treating them as the destination rather than a useful waypoint is one of the more persistent problems in the industry, and one I’ll return to more than once in posts here.

The Human Part

Underneath all of it, the frameworks, the risk assessments, the incident response plans, the audit trails, there are people. Real individuals whose personal data is being processed, whose systems are being protected or not protected, who will be affected when something goes wrong. It is remarkably easy to lose sight of this when you’re three hours into a gap analysis or arguing about whether a particular control is adequate. I find it useful to periodically remember that data protection in particular exists because someone decided that individuals deserved rights over their own information, and that those rights are worth taking seriously even when they’re inconvenient. That’s not a particularly radical position, but it’s one that occasionally needs restating in rooms where the conversation has become entirely about liability.

What to Expect Here

Posts in this section will cover both security and data protection, technical topics and regulatory ones, practical guidance and the occasional opinion piece when something in the industry warrants comment. Some posts will be aimed squarely at practitioners. Others will attempt to make the subject accessible to people who aren’t in the field but probably should understand more of it than they do. If you work in security or data protection, welcome; I hope something here is useful or at least provokes a thought. If you’ve arrived here from the wargaming section and are wondering what any of this has to do with painting miniatures … the answer is absolutely nothing, but do feel free to stay.