Reworking Framework's Privacy Approach
What Works for Gov't Won't Necessarily Work for Businesses
"One of the key concerns here is that the framework, when finalized, will be something the organizations pick up and use," Pearson says in an interview with Information Security Media Group. "Organizations will not pick up and use something that is not simple, straightforward and in ... keeping with what the consensus standards are."
The cybersecurity framework, proposed last February by President Obama, is a set of voluntary best practices aimed at securing the information technology of the mostly private operators of the nation's critical infrastructure (see NIST Issues Preliminary Cyber Framework). The National Institute of Standards and Technology is leading a government-industry collaboration to create the framework, which is set to be published in February.
A former chief privacy officer at IBM, Pearson says the preliminary framework's privacy methodology incorporates privacy controls published in NIST Special Publication 800-53, which primarily target federal government agencies. She says the NIST guidance won't necessarily help businesses to assure privacy in their systems.
Developing a Consensus
Pearson, a partner in the Washington office of the law firm Hogan Lovells, says the framework should reflect a consensus of what industry sees as an effective approach to protecting privacy - a consensus she contends is being formulated but has yet to be finalized.
She says various business sectors are working on developing a consensus for an outcome-oriented approach to privacy, which would ask if an enterprise has considered privacy in its approach to cybersecurity and if it has a process built around it. Also needed is a consensus on how businesses should incorporate privacy in their approach to information sharing and monitoring for cyberthreats, she says.
In the interview, Pearson explains:
- Why she sees the privacy methodology in the preliminary version of the cybersecurity framework as a burden to businesses;
- How a consensus is building among various business sectors on an approach to privacy protection; and
- Why NIST likely will accept businesses' recommendations on altering the framework's approach to privacy.
Before joining Hogan Lovells in 2012, Pearson worked at IBM for 19 years, most recently as vice president, security counsel and chief privacy officer, leading global initiatives in public policy, cybersecurity and data privacy. From 2007 to 2010, Pearson also taught a graduate seminar on security, privacy and trust at Georgetown University.