Just how an organisation uses data has become a pivotal strategic issue in the 21st century. The importance of data has also shone a light on the pivotal role of privacy and security, which are now subject to ever more onerous regulation.
Just how important data management has become is apparent from the sheer volume of data out there. Consumers are expected to generate around 180 zettabytes by 2025 according to IDC, and harnessing the power of that data can mean the difference between organisational success and failure.
Companies that deal in large amounts of data are today under enormous pressure to ensure privacy of the data that they manage, as well as securing that data from unauthorised access. Both of these issues have become core organisational challenges.
These twin challenges mean that data privacy and security are increasingly closely related, so the question begs to be asked: why are these two functions separate pillars and areas of responsibility in most organisations?
Information Security Officer vs. Privacy Officer?
Information security policies and processes cover confidentiality, integrity and availability, as well as serving to protect data, systems and networks. Privacy is different. Privacy concerns revolve around a collection of principles and rules that govern how information on individuals, as well as on legal entities and groups, is protected. It follows that good security and privacy practices depend on each other; privacy is simply not possible without technology safeguards. So why are the two functions so often divorced from each other in day-to-day operational activity and strategic planning?
Although the gatekeepers of the two functions interact on a regular basis because of compliance and good-governance requirements, the intersection is very rarely optimised. In the face of the increasing risk associated with data breaches, and the ever-widening influence of the 'Internet of Things' with its associated privacy concerns, is it not time for companies to explore a unified function? Merging the two functions would go a long way toward a new paradigm in data security and privacy.
Merging two previously separate domains may enable organisations to create a culture of trust and assurance around data. The result could be fewer privacy-related incidents, as well as products and services engineered from the ground up to be both security- and privacy-centric.
So is the way forward a new function, that of a Chief Security Privacy Officer (CSPO): an executive who would be open to learning and driving a convergence of privacy and security roles and responsibilities from the very top of the organisation, and who reports directly to the CEO?
Data Privacy Asia spoke to a Fortune 500 CSPO to get his thoughts on the issue.
[Data Privacy Asia]: There seems to be an increasing crossover between the duties of a corporate privacy professional and the traditional Information Security Manager. How do you see these roles evolving, or is a combined function the wave of the future?
[CSPO]: Yes, I very much believe, and witness across industries, organisations combining the Cybersecurity and Privacy roles together. My company is a vivid example of this trend.
[Data Privacy Asia]: While some believe that information security and information privacy belong to different domains, there is also an argument for combining these two different functions, as they are in a sense complementary. Is there a clear benefit (or competitive advantage) for the organisation in combining the two functions?
[CSPO]: I would strongly disagree that information security and information privacy belong to different domains. Actually, I would start by vehemently disagreeing that information security should sit within Information Technology, for the simple reason that information security (or cybersecurity, as it is being called these days) spans all the verticals of an organisation, very much like privacy protection does. Both cybersecurity and privacy have to deal with the risks induced by the digital revolution most organisations have undergone. These changes have introduced new classes of risks. Cybersecurity and information privacy responsibilities fit very well together.