Just how an organisation uses data has become a pivotal strategic issue in the 21st century. The importance of data has also shone a light on the pivotal role of privacy and security, which are now subject to ever more onerous regulation.
Just how important data management has become is apparent when one considers just how much of it is out there. Consumers are expected to generate around 180 zettabytes by 2025 according to IDC1 and harnessing the power of that data can mean the difference between organisational success and failure.
Companies that deal in large amounts of data are today under enormous pressure to ensure privacy of the data that they manage, as well as securing that data from unauthorised access. Both of these issues have become core organisational challenges.
These twin challenges mean that data privacy and security are increasingly closely related, so the question begs to be asked – why are these two functions different pillars and areas of responsibility in most organisations?
Information Security Officer vs. Privacy Officer?
Information security policies and processes cover confidentiality, integrity and availability as well as serving to protect data, systems and networks. Privacy is different. Privacy concerns revolve around a collection of principles and rules that govern how individual information, as well as the information on legal entities and groups is protected. It follows that good security and privacy practices depend on each other. Privacy is simply not possible without technology safeguards. So why are the two functions often divorced from each other in day to day operational activity and strategic planning?
Although the gatekeepers of the two functions interact on a regular basis due to compliance and good governance requirements the intersection is very rarely optimised. In the face of increasing risk associated with data breach and the ever widening influence of the ‘Internet of Things’ and associated privacy concerns is it not time for companies to explore a unified function? In fact merging the two functions would go a long way toward a new paradigm in data security and privacy.
The merging of two previously separate domains may enable organisations to create a culture of trust and assurance around data. The result could be fewer privacy related incidents as well as products and services which are engineered from the ground up to be both security and privacy-centric2.
So is the way forward a new function – that of the abovementioned Chief Security Privacy Officer (CSPO), an executive who would be open to learning and driving a convergence of privacy and security roles and responsibilities from the very top of the organisation – and reporting directly to the CEO.
Data Privacy Asia spoke to a Fortune 500 CSPO to get his thoughts on the issue.
[Data Privacy Asia]: There seems to be an increasing crossover between the duties of a corporate privacy professional and the traditional Information Security Manager. How do you see these roles evolving, or is a combined function the wave of the future?
[CSPO]: Yes, I very much believe, and witness across industries, organisations combining the Cybersecurity and Privacy roles together. My company is a vivid example of this trend.
[Data Privacy Asia]: While some believe that information security and information privacy belong to different domains, there is also an argument for combining these two different functions as they are in a sense complimentary. Is there a clear benefit (or competitive advantage) for the organisation by combining the two functions?
[CSPO]: I would strongly disagree that information security and information privacy belong to different domains. Actually, I would start by vehemently disagreeing that information security should sit within Information Technology. For the simple reason that information security (or cybersecurity as it is being called these days) spans across all the verticals of an organisation, very much like privacy protection does. Both cybersecurity and privacy have to deal with the risks induced by the digital revolution most organisations have undergone. These changes have provided new classes of risks. Cybersecurity and information privacy responsibilities fit very well together.
[Data Privacy Asia]: What would the particular challenges be for a professional handling the portfolio of both Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO)? For example the mind-set of these professionals (and their skillsets) can differ remarkably. Information-security practitioners often don’t understand the human side of privacy as they have been geared to think of their universe in a very measured way – while privacy has a very human face.
[CSPO]: Once again, I would strongly object to this characterisation. Information security is first and foremost a human problem – not a technological one. It is by understanding the culture of the organisation and finding ways to get everyone focused and motivated to keep information assets safe that we build an effective cybersecurity program. Technology and, bits and bytes are secondary to this goal. A good CISO is a CISO who forgets about technology and focus more on human and business aspects.
[Data Privacy Asia]: Does this mean that business requires a new breed of professional?
[CSPO]: Yes. Or more precisely, we need an evolution. Typical cybersecurity professionals come from a strong technical background, typical data privacy officers come from a legal background – nothing wrong with this, except that by retaining their expertise, they tend to have difficulties in communicating effectively with the senior leadership, or the board. What is needed are cybersecurity and privacy experts who can elevate the discussion to a business context, and be clearly understood, and supported, by non-experts.
I have, over the past few years, seen too many CISO’s and CPO’s confining their operational contributions to a narrow band of performance within their technical areas of expertise, and I’ve often wondered why nobody is paying attention…
[Data Privacy Asia]: What is your advice for information security professionals attempting to expand their role as privacy officers?
[CSPO]: A new function would be two sides of a same coin. This requires that professionals open up, look at the risks, look at what could go wrong and the impacts on the organisation, prioritise and elevate the communication outside of your sphere of expertise – and make sure you are understood by non-practitioners. Focus and think your way through the issues in order to be understood.
There can be no argument against the fact that the privacy and security landscape is becoming ever more challenging. The real question is whether or not an organisation can afford to keep the functions of CISO and CPO separate in the face of the rapid convergence of the two roles. Increasingly industry opinion seems to indicate that a change in approach and perhaps mind-set is required.