EXPEL BLOG

NIST’s new framework: Riding the wave of re-imagining privacy

· 4 MIN READ · BRUCE POTTER · MAY 21, 2019 · TAGS: CISO / Managed security / NIST / Planning

Let me set the scene for you: Everyone is stumbling around in the dark, trying to figure out what the heck “privacy” really means and what they should do about it. Right now, we’re living in a gray, soulless world of privacy compliance … which doesn’t involve much independent thought or risk-based decision making.

All of a sudden, our hero — the National Institute of Standards and Technology (NIST) — rides in with its Privacy Framework. And all is right in the world again. The sun is shining, birds are singing and the flowers are blooming. Oh, and all the characters in this story are now off and running to develop their own meaningful and fulfilling privacy risk management program.

End scene and cue the happy music.

Sure, this movie might not ever make it to the big screen, but for security nerds like us the development of NIST’s forthcoming Privacy Framework is pretty award-worthy. It’s going to revolutionize how most of us think about privacy.

What’s the NIST Privacy Framework solving for?

Many companies are only starting to come to grips with privacy thanks to new privacy regimes like the EU’s GDPR and California’s CCPA. And when you come to grips with a regulation, it typically looks a lot like compliance. “What boxes do I need to check in order to be compliant?” you might ask yourself. And once you’re compliant, you’re Good Enough™ and you move onto the next problem.

While taking a compliance-driven approach might feel like the equivalent of hitting an “easy” button, there’s one big problem: It leaves gaps in your org’s privacy posture that you’re probably not even aware of. The “compliance = security” mindset has been a problem for years, and industry analysts and journalists love reminding us after every breach that simply being compliant isn’t enough.

Turns out that privacy is no different.

Enter NIST and its forthcoming Privacy Framework. You’ve probably heard of NIST’s Cybersecurity Framework (CSF); it was first published in 2014 in response to an Executive Order issued by President Obama the year before. Many organizations use the CSF to get their security house in order: it’s an open document, it’s comprehensive, it’s approachable and companies of all shapes and sizes can use it. NIST recognized that privacy needs a similar framework to guide orgs big and small to better outcomes, so it has taken it upon itself to create a Privacy Framework modeled after the CSF.

And when I say “modeled,” I mean both in process and in form. The original CSF was constructed through a series of workshops held around the country where NIST solicited feedback on various work products and refined the CSF with the public’s involvement until we landed where we are today. They’re using the exact same process with the Privacy Framework. A draft document was released earlier in May and I just returned from Atlanta where they held their workshop to discuss the draft. The next workshop is happening in July in Boise, with more interim products and documents likely to be released in the coming months.

In form, the draft document looks very similar to the CSF. There are five core functions, and each function is broken down into categories and sub-categories. Three of the five, “Identify,” “Protect” and “Respond,” are carried over from the CSF (the CSF’s “Detect” and “Recover” functions are not), and the Privacy Framework rounds out the list with two new ones, “Control” and “Inform.”

When you read the sub-categories, you’ll see that many were lifted directly from the CSF with the word “security” replaced by “privacy.” This is an overt recognition that security is an integral part of privacy and vice versa. The two frameworks will be intertwined both in their structure and in how organizations execute them.

How orgs will use the NIST Privacy Framework

This new effort from NIST is a comprehensive framework that anyone can use to build a true privacy risk program, not just a compliance program. This means you can use the Privacy Framework to take a holistic approach to privacy instead of playing whack-a-mole with various controls in different regimes. And the integration with the CSF opens the door to bringing together a diverse group of stakeholders in your org to participate in strategizing about both security and privacy. Lawyers, data scientists, security professionals, privacy engineers, social scientists and executives will need to (and should) come together to address privacy at an organizational level.

This Privacy Framework represents the democratization of privacy in the same way that the CSF brought security risk management to the masses. It demystifies a complex subject and allows smaller, less technical organizations to engage with privacy in a meaningful way.

As a result, I believe we’re going to see a wave of privacy risk management programs created throughout private industry. These programs will be tightly tied to cybersecurity activities but will have a focus on privacy and include a wider group of stakeholders in the development process. Organizations will be able to better protect an individual’s privacy (w00t!) and continue to comply with various regulatory and industry requirements.

The bottom line

The Privacy Framework is still a work in progress — and as it stands isn’t perfect. There was lots of constructive feedback shared at the Atlanta workshop and I’m sure there will continue to be. (By the way, if you’ve looked at the draft and want to share comments, you can email your feedback to privacyframework@nist.gov).

NIST will continue to refine the Privacy Framework, and its goal is to have the final version published by the end of 2019. I’m optimistic that the final version of the Privacy Framework will be well harmonized with the CSF and allow organizations to rapidly adopt it as part of a broad and comprehensive privacy risk program.

That will be the moment when privacy is re-imagined. The transformation of privacy from compliance to risk in a way that is attainable by organizations both big and small will be a big win not just for those orgs but also for all citizens.

Cue the applause and roll the credits.