In Depth

Five Things Every CSO Needs to Know About the Chief Privacy Officer

CPOs and CSOs need to cultivate common ground between security and privacy

By Sarah D. Scalet

"Procter & Gamble has to move forward for competitive reasons and implement RFIDs," explains Stephanie Perrin, a senior fellow for the Electronic Privacy Information Center (EPIC), a watchdog group. "If Sandy Hughes says, 'We're not ready for this RFID thing,' that's going to get nowhere with the board."

Hughes's mission, then? To help her company formulate a business strategy that takes those concerns into account.

CSOs have heard that sentiment somewhere before.

Here's another snapshot. At E-Loan, an Internet startup that sold $153 million in loans in 2003, CPO Tess Koleczek says she is focused on solutions, not problems. She can't just say no.

"If something comes up that might compromise our policy, I can't go in and say, 'You can't do that,'" Koleczek says. "I can't be a cop. I have to come up with a couple different solutions."

For instance, if a business partner is asking for information about customers, Koleczek says it's her job to try to find another solution. "I say, 'Why do you want all that information on a specific customer?'" she explains. "They say, 'Oh, we don't. We want the information on what [customers in general are] doing.' Then I might say, 'Why don't we give you that aggregate information?' You just have to get to the core of what they're asking for. Why do they want the information and how can we help them get what they need out of it?"

As with the CSO, the success of the CPO depends on his or her ability to make a business case for the protection of information. "There have been some CPOs who have really done a very good job in showing how privacy affects the bottom line," says Ari Schwartz, associate director of the Center for Democracy & Technology, a consumer advocacy group. "Those have been the ones that have been most successful."

But this business focus has made some in the CPO community wary even of calling themselves "privacy advocates."

"'Advocacy' seems to be sometimes like protesters or flag-burners," P&G's Hughes says carefully when asked how she views her mission. "But [I'm an] advocate for doing the right thing, absolutely."

Perhaps for the survival of the role, that's a necessary caveat. "Privacy officers aren't necessarily civil rights activists," points out Brian Tretick, who leads privacy services for the Americas at Ernst & Young. "These are businesspeople, business executives, who are looking out for the success of the company. And if that success requires the use of information, they want to make sure it's done according to policy and the rights and obligations of its subjects."
