In Depth
Five Things Every CSO Needs to Know About the Chief Privacy Officer
CPOs and CSOs need to cultivate common ground between security and privacy
By Sarah D. Scalet
Maybe the easiest way to think of all this is that security is just step one to privacy.
Or a component of it, anyway. For instance, when E-Loan decided to send some of its loan processing to offshore outsourcers, CPO Koleczek worked on developing a policy that would give consumers the option of keeping their data in the United States. Meanwhile, Steve Abatangle, director of information security, worked on tying down the information that did go overseas as much as possible so that workers in other countries could only view, not copy, customer data.
"A good chunk of privacy is about securing the information, even a little more broadly than we allow our CISOs to secure information," Ernst & Young's Tretick says. "We want the CISOs typically to protect access to information, and to allow access only to people who are authorized. But [with the CISO], we never get to the granularity of: What is appropriate use?"
The more the CPO gets into issues of fair use, the more his job veers away from security. And the more the CSO focuses on security, broadly writ, the more vivid the differences between security and privacy become.
4. Outside of the data world, security and privacy are tough to reconcile.
Let's riff on this point for a minute. Suppose that an employee is about to be fired. And suppose that employee may have spent the better part of the past week copying files off the server and onto diskettes. Is it a violation of the employee's right to privacy to monitor how he's spending his megahertz? Or is it a risk to the company's security stance not to know that the employee has been stealing corporate secrets?
Oh, and what if the employee isn't in the United States, but in a country with stronger employee protection laws?
In scenarios such as this, the philosophical divide between CPOs and CSOs really begins to manifest itself.
"You get into a lot of discussions," acknowledges Boston Scientific's Mattice, after posing the preceding scenario as an example of the kind of conversation he might have with his legal department over privacy issues. (His inclination, by the way, is that if employees are using company resources, why shouldn't the company be able to monitor what they're doing?)
Mattice, and others, insist that in their own particular case, the relationship between security and privacy is amiable. "These are business issues, and there's certainly nothing personal," he says. "I hope they're not contentious discussions