Five Things Every CSO Needs to Know About the Chief Privacy Officer

CPOs and CSOs need to cultivate common ground between security and privacy

"This field is coming to a certain maturity," says Harriet Pearson, the CPO of IBM, who became a certified information privacy professional in the first-ever IAPP test. Now, she says, "You can add CIPP after my name."

Of course, not all the people earning this certification or serving as privacy officers are true strategic privacy executivesjust as not all those with CISSPs, CPPs or the "security officer" moniker are true strategic security executives. But for Pearson, that's beside the point. She points to IAPP's membershipalmost 1,500as a positive sign.

"To me, that's a heck of a lot of people who've declared that they want to join us," Pearson says. She, for one, thinks privacy professionals are here to stay.2. The CPO role is as much about business as privacy.So who exactly are these chief privacy officers, the CSO's brethren in information protection? Even as the CPO role takes root, it is not evolving as many privacy activists hoped it might. Rather than acting as staunch protectors of privacy at any cost, CPOs are finding that in order to be successful, they must instead be savvy negotiators, navigating the conflicting interests of business needs, customer expectations and legal requirements.

Whereas security officers are positioning themselves as experts on risk rather than security, CPOs are positioning themselves as mediators, not protectors, in regard to privacy.

This means that in the CPO, security executives will find an ally who has similar concerns about gaining a reputation as someone who always puts the brakes on business.

Consider for a moment Sandy Hughes, the global privacy executive for the consumer goods giant Procter & Gamble. Hughes is spending a lot of her time these days talking about radio frequency ID tags, or RFIDs. That's no surprise, since there's no more contentious topic in privacy circles right now than the uses and possible misuses of these inventory tracking devices. Hughes's goal, however, isn't to determine whether Procter & Gamble should use RFIDs. It's to find the right way for P&G to use RFIDs.

Part of that involves reassuring the public. "Nobody yet that I'm aware of is planning any widespread use of these tags on any consumer products, but still you see the concern about [companies doing things like] tracking consumers by satellite," says Hughes, who's involved with EPCglobal, a nonprofit industry association developing standards for the use of RFIDs for electronic product codes. "That's not even in the plan, but [customers are] concerned about it. And because they're concerned about it, we have to address it."