0:03 if you aren't paying for it you are the
0:05 product not the
0:08 customer that's true in almost
0:11 everything think about your social media
0:13 go ahead and try to call customer
0:15 support do you know the number I'll give
0:18 you a minute to look it up okay you
0:20 can't find it you know why you didn't
0:23 pay for it that means you are in fact
0:26 their product and products don't get to
0:29 call customer support so are you getting
0:32 a good deal as a product for this
0:34 free service that's what you have to
0:38 decide and that's a question of privacy
0:41 and is that organization giving you
0:43 enough value for the information you're
0:45 giving to them and how they're
0:47 monetizing that and in particular do
0:49 they have the security mechanisms in
0:52 place in order to ensure that privacy
0:54 security and privacy are really
0:56 important in all of this what's the
0:58 relationship between the two sometimes
1:00 people use the terms interchangeably are
1:03 they the same thing are they different
1:05 are they at opposite ends of the
1:07 spectrum let's take a look at that in
1:09 this video and understand the
1:12 relationship between security and
1:14 privacy okay let's take a look at this
1:16 relationship between security and
1:19 privacy and see what we can learn so
1:20 let's look at a number of different
1:22 factors here first of all the principles
1:24 that are involved in security versus
1:26 privacy well in security if
1:28 you've seen my videos before I do a lot
1:30 of talking about this thing called the
1:33 CIA Triad where it's
1:37 confidentiality it's integrity and it's
1:39 availability and these are the three
1:41 things that we're doing in security all
1:43 the time we're trying to make sure that
1:46 only authorized people can read
1:48 sensitive data we're trying to make sure
1:50 that the data has not been modified that
1:52 it has integrity and we're trying to
1:53 make sure that the system is up and
1:55 available to the people who are supposed
1:57 to have access to it so CIA
1:59 confidentiality integrity and availability
2:03 that's the concern of security privacy
2:06 also adds to that some other factors
2:09 things like notice in other words if I'm
2:11 going to be using your data I should let
2:13 you know about that and I should make
2:17 sure that you provide consent you agree
2:20 to my use of the data and that it's
2:22 informed consent not just one of those
2:24 things where we've got thousands and
2:25 thousands of words and you can't read
2:26 through it or understand on the
2:28 agreement you just say yes please take
2:30 me through but real informed consent
2:32 that's what would be involved in real
2:34 privacy told you what I'm going to use
2:37 your data for you've agreed to it and
2:40 then that there is
2:42 transparency in the system in other
2:45 words I want to make sure that the
2:48 way the data gets used is in fact
2:50 verifiable and these are the kinds of
2:52 things that add to your confidence and
2:55 add to your sense of privacy in a system
2:58 how about the target in other words
3:00 would an attacker be after
3:01 that we're trying to guard against from
3:03 a security standpoint well it would be
3:05 digital crown jewels it would be things
3:07 like intellectual property that the
3:09 organization has like patents or plans
3:11 or things like that business plans as
3:14 I just mentioned it could be pricing
3:17 could be customer databases this kind of
3:19 stuff that's what we're really focused
3:21 on from a security standpoint typically
3:24 with organizations now over here on this
3:26 side what are the things from a privacy
3:28 standpoint well we're going to be
3:30 looking at things like personal health
3:32 information or personally
3:35 identifiable information your name your
3:37 address your date of birth your
3:40 social security number national ID
3:42 number credit card numbers things
3:45 like that these could all be part of
3:47 what we're trying to guard against in
3:49 terms of privacy now let's take a look
3:51 at threat actors so who are the people
3:53 we're trying to guard against over here
3:55 well we've got these bad guys these
3:58 attackers and they want to try to get
4:00 into the system so it's basically
4:01 hackers that we're concerned with we
4:03 tend to think of them as outsiders they
4:06 could be inside attackers but in
4:08 other words these are the attackers that
4:11 we see over here on the privacy side not
4:14 only do we have the threat that of
4:16 hackers that I just mentioned from a
4:18 security standpoint but in fact we could
4:21 even experience an attack from within
4:24 the organization that is collecting all
4:26 of our information so that company
4:28 that's collecting all that information
4:30 how are they using your information
4:32 they could in fact be the bad actor if
4:35 we're not careful if these policies and
4:38 procedure are not really followed well
4:40 how about regulations well there are
4:42 industrywide regulations and it depends
4:45 on what Market what industry you're in
4:48 as to what regulations will apply to you
4:50 but in particular for instance the
4:53 credit card payment system PCI
4:57 the payment card industry data
5:01 security standard is a well-known global
5:03 standard that must be followed if
5:05 organizations are going to process
5:08 credit cards some other things a
5:11 US-specific example Sarbanes-Oxley is
5:13 something that involves companies that
5:15 are publicly traded and that their
5:17 information has to be secure and
5:19 verified there are a lot of other
5:21 examples now how about regulations on
5:24 this other side on privacy well in
5:26 Europe in particular there's the
5:28 General Data Protection Regulation
5:31 GDPR and I say in Europe but in fact it
5:34 affects companies all around the world
5:35 you should talk to your lawyers to
5:38 find out whether you are subject to this
5:40 but I'll just say just because your
5:42 organization doesn't operate in Europe
5:45 doesn't mean you're free from
5:47 the responsibilities of GDPR and they
5:49 are extensive and the penalties are
5:51 extensive for instance one of the things
5:54 GDPR introduces is the right to be
5:57 forgotten that is all of my information
5:59 that I've given this organization if I
6:01 later change my mind and say pretend I
6:03 never was here forget you ever knew me
6:05 they have to get rid of that and all the
6:07 people they've shared it with have to be
6:09 able to do the same thing that's not
6:11 necessarily an easy thing to do we've
6:16 also got things like in the US the
6:18 HIPAA the health information
6:20 portability act don't remember the
6:23 full acronym but that's what it's about
6:25 health information and trying to
6:27 preserve that there are other examples
6:30 but you see that there are regulations on
6:32 both sides of this
6:35 equation now what's the primary target
6:37 of the attacker over here on this side
6:39 when we're dealing with a security case well
6:43 it's basically the business trying to
6:45 look out for their own bottom line
6:46 they're trying to make sure that their
6:48 information is not stolen that puts them
6:51 out of business and that their
6:53 competitors don't have their information
6:55 and things like that so they're looking
6:58 to maintain operations however over here
7:01 on this side the privacy side of this
7:05 the real primary concern is in fact the
7:07 individual in other words I'm concerned
7:10 about my privacy the business may not be
7:11 as concerned about my privacy they're
7:14 concerned about security so it tends to
7:17 be that businesses need security and
7:20 individuals need privacy but hopefully
7:22 you have understood from looking at this
7:24 that there is a relationship between the
7:28 two of these and in fact security is the
7:30 baseline that we need and we build
7:33 privacy on top of that so it's not
7:36 security versus privacy it's security
7:39 plus privacy because I can't have these
7:41 things if I don't have these
7:44 things so let's take a look at a couple
7:46 of different business models when it
7:49 comes to security and privacy so one
7:52 model is basically this it's your data
7:55 equals our business what does that end
7:57 up looking like well you've got some
7:59 person here and they're going to send
8:03 their data into a service again this
8:05 could be social media this could be an
8:06 e-commerce site it could be a lot of
8:09 different things they send their data in
8:12 but then this organization also
8:14 interacts with other organizations and
8:16 they forward that data to a lot of these
8:19 other organizations why do they do that
8:21 well because they're getting money back
8:24 in each one of these cases so in that
8:26 case your data that you're putting in
8:28 you're paying nothing for this but
8:30 they're monetizing and being able to
8:33 pay for this on the back end by selling
8:35 your data to other organizations so
8:39 that's the "your data is our business" and
8:42 not so good for this guy unless he's
8:44 fully aware of everything that's
8:46 happening in that case now another
8:49 business model is basically this your
8:53 data equals your data in this case our
8:57 user sends their data into a service of
9:00 some sort that service uses the
9:02 information but doesn't send it on so
9:03 how are they able to support their
9:05 business well it's because you're also
9:07 having to probably pay for that so
9:09 you're putting something in but in
9:12 exchange your data remains your
9:15 data the bottom line is enlightened
9:17 businesses understand that protecting
9:20 customer privacy is in their best
9:22 interest even if they have this type of
9:25 model they still should follow
9:27 procedures and policies that protect the
9:29 user's information because as you see from
9:32 this security and privacy are very
9:35 important both to the business and to
9:38 users and enlightened businesses realize
9:39 they need
9:41 both if you like this video and want to
9:43 see more like it please like and
9:45 subscribe if you have any questions or
9:47 want to share your thoughts about this