Five Things Every CSO Needs to Know About the Chief Privacy Officer

CPOs and CSOs need to cultivate common ground between security and privacy

But it would be naive to think that such relationships are always harmonious. The fact is: CSOs and CPOs come from very different cultures. While many CSOs have a background in law enforcement, CPOs tend to come up through marketing. The two don't always see eye to eye.

"Security officers are a bit like lawyers in that there's no piece of information they don't think they should have," EPIC's Perrin says. "They want to know what's going on. If they have video surveillance tapes, they just want to keep them in case they need to know what's going on. A privacy person will look at those videotapes more from the individual's point of view. Security goes in the opposite direction of privacy in many respects."

Yet many in the privacy community are trying to find common ground between security and privacy, even in these murky spaces. This is especially true in the government, where CPOs find themselves under a steady barrage of attacks from observers who believe that the government is trampling on citizens' privacy in the name of national security. Indeed, the topic is one of O'Connor Kelly's favorite talking points.

"I'd like to strike the word balance from everyone's vocabulary," O'Connor Kelly says passionately, when asked about the inherent conflicts between security and privacy. "I don't think privacy and security are an either/or position. People always view the dichotomyis it privacy or security?and I say it's not about one or the other."

For instance, much of O'Connor Kelly's attention in the past year has been on DHS's controversial US-Visit program, which uses biometric identifiers to screen foreign visitors to the United States. The program has been lambasted by civil rights activists as an invasion of privacy. But O'Connor Kelly thinks that the privacy department, by being involved with the program, can actually help improve the effectiveness of the system from a security perspective.

"I'm not positioning the privacy officer as against any collection of information, but I think the collection of information has to be well-thought-out, limited and relevant to the information at hand," O'Connor Kelly says. "We're actually helping fine-tune programs to make better decisions for privacy, and to make better programs themselves. We can be enhancers of the business."5. Security and privacy executives will depend upon each other for success.One thing is certain: going forward, the two executives will continue to be dependent upon each otherhowever that future may look.

"It's my contention, frankly, that the role of the CPO will transition, and we won't recognize the CPO of the future in the way we will today," says Richard Purcell, a former CPO of Microsoft who went on to found a consultancy, the Corporate Privacy Group. "Security and information management and legal compliance will combine into a differently structured role than we see today. I think that the two groups not only have to work together but that they will become a single group." This may happen under the umbrella of emerging risk management departments.