Over the past few years, as the position of privacy officer has emerged and evolved, I have discussed the responsibilities and activities of privacy officers and information security officers with many of these professionals at various meetings, conferences and seminars. Something that has concerned, and continues to concern, me is how these two positions often seem to be at odds with each other.
Some of the things I have actually heard privacy officers say include the following:
- "Information security is a necessary evil…you have to include them even if they make things harder than they need to be."
- "All I need to be concerned with are the privacy laws; I couldn’t give a s**t about firewalls or viruses."
- "Our CISO seems to speak a different language! It’s easier to just avoid him than to try and figure out what he’s talking about."
Some of the things I have actually heard information security officers say include the following:
- "It’s not my job to know the laws. If I need to know something, Legal will tell me. Otherwise, I don’t worry about it."
- "We’ve had a privacy officer for a couple of years, but I’ve never met her."
- "I don’t worry about the Privacy Rule…I only need to know about the Security Rule."
Yes…I carry an old-fashioned little note pad with me to capture these nuggets…don’t worry, I never write down names…and my handwriting is like a form of cryptography… 🙂
Do these comments sound familiar? It’s very likely there are some major compliance gaps, information security risks and vulnerabilities, and privacy infractions in organizations where CPOs and CISOs do not work together. They have far too many overlapping issues to address to not work together.
Of course, the fact that most CPOs are at much higher levels within the organization than CISOs creates an environment that does not support collaboration. However, in the best interests of the company, and of customer and employee privacy, these areas MUST work as a team for their shared goals. And there are many.
- CPOs and CISOs BOTH must address how to safeguard personal information in all forms
- CPOs and CISOs BOTH must ensure that privacy and information security protections are built into all the organization’s applications, systems, and processes
- CPOs and CISOs BOTH must ensure all personnel and business partners with access to the organization’s information receive appropriate training and awareness
- CPOs and CISOs BOTH must ensure all privacy and information security activities support the business, and must make a business case for their requirements
- CPOs and CISOs BOTH must comply with applicable laws, regulations and contractual requirements
- CPOs and CISOs BOTH are managing risks related to information
- CPOs and CISOs BOTH must establish a program that is effective, justifiable, and fits in with the rest of the business frameworks being used
- CPOs rely upon CISOs to implement the security protections to meet privacy law requirements
- CISOs rely upon CPOs to help justify the safeguards put in place
- And many others…
And, in some organizations, the same person, sometimes coming from an IT background and sometimes coming from a legal background, is given responsibilities for both CPO and CISO duties. Such a role must know the issues involved with both types of practitioners, not just one.
After much discussion and thought with several practitioners about these overlapping responsibilities, and about the need to harmonize activities throughout the organization to be most successful and provide the business with true process improvement, I had the good fortune to create a 2-day workshop with Christopher Grillo, Director of Information Security at Medica, who has also put much thought into these issues. We will next be giving this workshop June 10 – 11 in Scottsdale, AZ. We have put literally hundreds of hours into the tools, frameworks, content and methodologies we will be providing within this workshop. I’m really excited for this workshop to be offered; so many of the issues are critical, such as making sure the frameworks used within the business address privacy and security and are understood, and addressing the typical hierarchy of privacy and information security responsibilities within organizations. I am confident the concepts, tools, reference materials, and case studies we provide truly will help privacy and information security practitioners more successfully meet their program goals.
Can you tell I am passionate about this topic? 🙂
Well, I truly am. If these are issues you are dealing with, struggling with, or coping with, I would look forward to seeing you in AZ.