Panel: Don't hide the privacy department away in IT
An effective privacy program is a critical element of a strong cybersecurity program, and where that privacy program sits within an organization often dictates its success, said Peter Sand, director of privacy technology at the Homeland Security Department's privacy office.
"Being part of the director level, being part of the leadership level in the organization forces the privacy discussion to happen in an effective and honest way," Sand said during a Feb. 22 panel discussion at the AFCEA Homeland Security Conference in Washington, D.C.
"Some organizations tuck privacy into an IT department or into another department. I can understand how that would be interesting because a lot of privacy issues are about technology, but I think to make it more effective, privacy needs to be a thing unto itself. It needs to have the stature of leadership in the organization."
Agencies are still trying to understand how privacy issues mesh with cybersecurity, said panelists, and that's why privacy programs are not given the prominence they need to be effective.
Twenty years ago, cybersecurity was a foreign concept with no budget line and no staff, said Jerry Hanley, chief privacy officer at the Energy Department. "In my view, privacy is where cybersecurity was 20 to 30 years ago, in terms of the importance of having an effective privacy program," he said.
Two areas of focus for cybersecurity departments are on Hanley's privacy radar: Supply chain management--especially with mobile technology--and social media use. "One privacy incident can bring an organization down to its knees, in terms of visibility, congressional hearings," warned Hanley.
As new technology emerges, the privacy department needs to be by its side through the entire process. Einstein, DHS's intrusion detection system that will later mature into an intrusion prevention system, has undergone privacy impact assessments regularly since 2004, said Sand.
As DHS develops ways to better detect and prevent cyber threats, it also has to consider its values and responsibilities, and privacy risks and mitigations, he said. "It's very tricky, it's very exciting and we're taking our best shot at it so far."
DHS is also publishing the results of those cybersecurity assessments to the public. At DHS.gov/privacy, the agency publishes the DHS programs currently running, the privacy impact assessment and the results of that assessment.