Cybersecurity becomes more and more important as data moves into the cloud and meetings move online or gain online elements, some of which are likely to remain in the future. A primary consideration of cybersecurity is privacy. Privacy issues affect consumer choices; a good reputation can draw customers, whilst a data breach is very likely to drive them away. This is a particular concern for industries, such as healthcare and financial institutions, that handle large amounts of personally identifiable information (PII). Customers are placed at real risk when that kind of information is released into the wild, and it is of considerable financial value to criminals.
As the cybersecurity industry matures, new disciplines come to the forefront in the quest to defeat the hackers and protect customers and employees. One of these newer disciplines is privacy engineering. Let’s take a look at how this is important for cybersecurity.
What is Privacy Engineering?
Privacy engineering is the technical side of privacy within cybersecurity. It is about integrating privacy considerations into product design. There is some argument about exactly what it entails, but essentially privacy engineers examine both the privacy concerns and the technology, bringing together business and legal considerations on one side and technical issues, including product design and software development, on the other.
Privacy engineers work to create products that protect privacy and reduce the opportunities for human error without making systems harder to use or complicating business concerns. They sit at the intersection of law and compliance on one side and new developments such as multi-cloud SaaS, remote workforces, and agile development on the other. Privacy engineering is primarily technical and touches relatively lightly on social aspects such as employee training, but it can inform how employee training should occur and what the human risks are (it’s worth remembering that the majority of data breaches involve social engineering or some form of human error).
Why does Privacy Engineering Matter for Cybersecurity?
As an approach to cybersecurity, privacy engineering brings significant advantages. By designing privacy at the base level, it reduces the number of expensive upgrades that need to be done whilst being much more effective at protecting your customers. This also protects your company’s reputation and improves your bottom line.
Privacy engineering is not required by name for compliance, but the GDPR’s Article 25 uses the phraseology “privacy by design and by default,” which is essentially the same philosophy. Privacy engineers can help ensure that problems do not arise because lawyers don’t understand the technology and engineers don’t understand the law. A privacy engineer can also work with and audit third-party vendors to make sure companies only buy software that has privacy protections built in. The National Institute of Standards and Technology has released a paper on privacy engineering that provides a framework to help companies develop best practices and integrate across disciplines.
New technologies and the growth of software-as-a-service also bring privacy engineering to the forefront. It is no longer possible for larger companies to ignore the cybersecurity field, and smaller ones must often resort to purchasing outside expertise.
Privacy engineering does not provide one-size-fits-all solutions, but rather an approach that allows a company to design and adjust technology to suit their specific privacy needs. Compliance and customer expectations both figure highly into the level and type of protection needed.
How Should Privacy Engineering Affect Investment Choices?
With privacy engineering vital to cybersecurity and compliance, investors should be sure that companies they invest in have good privacy engineering practices. In 2014, Marriott’s Starwood database was hacked, affecting 500 million records. The hack was not discovered until 2018. The breach caused negative publicity and, unsurprisingly, a decline in share prices. Investors know to ask basic cybersecurity questions, such as whether a company has ever experienced a breach.
However, they seldom go beyond that. Investors should consider a full privacy audit of any company in which they plan on making a significant investment. This should include security monitoring, what applications and third-party vendors are being used, and, of course, business context. When investors do due diligence, they often don’t involve cybersecurity professionals, and instead look at things entirely from the business and financial perspective. This means cyber risk is not properly evaluated.
Not only do investors need to know what privacy engineering practices a target company engages in, but they might want to consider engaging a privacy engineer during the due diligence stage. A privacy engineer can cross-reference cybersecurity practices with business needs and help investors establish a reasonable risk level. All investments are risky, but due diligence can reduce that risk. Past data breaches are often not a good gauge of risk going forward, especially if the company appears to have learned from them. Rather, you should look at what a company is doing to prevent future breaches. This includes privacy engineering and employee training, and whether employees can demonstrate an understanding of the privacy engineering steps that have been taken.
You should also think about your own privacy engineering, and ensure that any software you use is properly designed to protect your data and that of anyone you work with.
Should You Invest in Privacy Engineering Companies?
Another option for investors is to put their money into privacy engineering itself. As smaller companies often cannot afford to hire the kind of expertise needed, many must resort to hiring consultants. This is a key growth area; as companies realize that privacy engineering is vital to their business, the demand for the expertise will grow. It may grow even further with more people working from home and teleconferencing; although these changes are in part temporary, it is definitely possible some workers will never return to the office.
Twitter has already said they will be keeping a policy that allows employees to work from home if they choose. Remote work has its own privacy concerns and remote work applications such as Zoom have been scrambling to deal with privacy issues that stem from not having done their own privacy engineering homework.
As always, do your homework. Many privacy engineering firms are small companies and sole proprietors, and few have, as yet, reached the stage of offering an IPO. A consultant may, however, be looking for an angel investor to help them get their company off the ground. Seed investment in this area is likely to be key for the next few years, and right now may well be an excellent time to look into investing in privacy engineering companies, as the field is only going to grow.
What About Software-as-a-Service?
There will also be an increased demand for software that has been properly engineered with privacy as the default moving forward. Trends in working from home and cloud storage are accelerating. Subscriptions have become the default, although there is now a certain amount of pushback against them. This pushback is primarily in the home use sector and often relates to forced upgrade practices.
Because software-as-a-service is relied upon by even the smallest businesses to address privacy concerns, it too needs to be designed with privacy engineering at its heart. Investors should consider this both for the software they choose to use themselves and when targeting investments. A phrase to look for is “privacy by design.” This is a concept that should lie at the heart of any software that might carry personally identifiable information, whether it is a database for customers or a teleconferencing app.
Also, look for companies that offer high levels of customization and/or bespoke options for cybersecurity. As privacy engineering requires the ability to be agile and develop software for a business’ specific needs, it is likely that this will become more important for many applications. Some applications can be standardized (teleconferencing comes to mind), but databases and cloud storage need to be designed to ensure compliance and suit the financial and privacy needs of the business.
You should also apply these standards to any software you subscribe to yourself.
As with privacy consulting, new companies may arise to fill gaps where software is not readily available for specific use cases. However, you should be careful to ensure that any seed company you invest in has a viable product and the expertise to make it happen.
Are There any Things You Should Not Invest In?
For the most part, the privacy engineering field is a definite yes for further investment. As mentioned, though, you should make sure that any company you invest in has a solid business plan and a product that is likely to face demand.
The key is, as with every investment, risk management. Another issue is that many companies cannot afford to fix privacy problems that may be embedded in legacy software. The truth is, though, that you should avoid investing in any company that is not engaged in privacy engineering or at the very least aware of the issues and moving towards solutions.
Privacy engineering is not a buzzword, but rather a concept that all companies, especially those that handle large amounts of confidential information, need to work towards understanding.
Cybersecurity is going to change over the next few years, and privacy engineering is a key part of that. As investors, you should keep a finger on this pulse and look for opportunities to get involved in this growing field. It’s worth talking to a specialist in cybersecurity investing, who can help you choose which privacy engineering and software companies deserve your interest.