Five Things Every CSO Needs to Know About the Chief Privacy Officer

CPOs and CSOs need to cultivate common ground between security and privacy

CPOs are working within the system.3. In the data world, security and privacy go hand in hand.Not only have the roles of cpo and CSO grown up in similar ways, within the narrow confines of the information technology world, the two disciplines are tightly intertwined. As they say, you can't have privacy without security. It doesn't do much good for a company to promise, for instance, that it won't sell customer information to a marketing company if hackers can access all the files anyway.

But this close association leads to confusion. "It's a bit deceptive because sometimes privacy will surface as a security error," EPIC's Perrin says. What's more, the privacy officer's job often begins with a focus on IT, and morphs from there. That's what happened to Jay Cline, anyway, when he first took over as data privacy officer at the Carlson Cos. The Minneapolis-based company, which operates Radisson Hotels, had Cline's job located within the CIO's office, and his focus was on information technologies. The company had determined that strong information security was a core foundation of privacy.

"Data privacy and data security have one thing in common: data," Cline says. "For us, what that meant was, we needed to find out where the data was and who was responsible for it."

Now that the company's information security program has matured and Cline knows the answers to those questions, he is part of the audit function rather than the IT department. But Cline's manager, Director of IT Audit Blake Pool, is responsible for auditing information security as well as data privacy, and both men still see the disciplines as closely aligned.

"Ultimately you're striving for the same thing: to find the right way to optimize the use of information for the betterment of the business," Pool says. "[Security and privacy] may have different angles, but they're really trying to arrive at the same answers. If there is a tension, I think it's a healthy one."

"We [security and privacy] work closely together still," Cline says. This is especially the case on issues such as creating the company's security and privacy policies and vetting vendors to ensure that they will adequately protect information.

But Cline's prediction, at least, is that the more mature both security and privacy get, the more separate they are bound to become. "Once the company knows where the data is and who's responsible for it, the overlap between the roles will start to diminish," he says.