In Depth
Five Things Every CSO Needs to Know About the Chief Privacy Officer
CPOs and CSOs need to cultivate common ground between security and privacy
By Sarah D. Scalet
The CSO and CPO are necessary, if sometimes uncomfortable, bedfellows. Although they may be at odds when it comes to issues such as surveillance and background investigations, they rely upon one another in a fundamental way: the CPO for help protecting information that the company has promised is private, and the CSO for help articulating the need for information assurance. Looking at one another is a little like looking in a funhouse mirror. The image, though familiar, is distorted. Understanding the nature of these distortions is a key to both groups' success.
Here, then, are five things about the role of chief privacy officer that every CSO should understand.

1. The CPO's history parallels the CSO's own emergence.

Flash back to the mid to late 1990s, when businesses first started hiring CPOs. The new position was hailed as a sign that corporate America was going to start paying attention to the privacy of both employee and customer information. Somebody finally gave a damn.
Sound familiar? That's because the emergence of the CPO has much in common with that of the CSO.
Back then, the privacy provisions of the Gramm-Leach-Bliley Act for the financial services industry were just taking effect. In health care, the privacy rule of the Health Insurance Portability and Accountability Act even stipulated that organizations had to name a privacy officer. Hiring a CPO became either a regulatory necessity or a way of sticking a flag in the ground that said, "Customer data protected here."
Then, however, the role seemed to falter. Starting with a souring economy and culminating with the aftermath of the 9/11 attacks, companies began diverting money away from privacy and toward security and risk management.
"The abundance of resources simply dried up," recalls Alan Westin, the well-known cofounder of the think tank Privacy & American Business, which founded a trade group, the Association of Corporate Privacy Officers (ACPO). "When we would talk to many of the privacy officers that had been active, they would come in and say their budget had been cut; their staff had been cut."
Now, however, observers such as Westin are optimistic about a second coming for CPOs. Growing concern about identity theft is bringing privacy to the forefront, and lawmakers are responding. Meanwhile, the International Association of Privacy Professionals (IAPP), created when Westin's group merged with another privacy association, has issued the profession's first certification. The test covers everything from legal compliance to workplace screening to website disclosure. It's not a technical certification, but it does require a basic understanding of how data is handled by IT systems.



