Five Things Every CSO Needs to Know About the Chief Privacy Officer

CPOs and CSOs need to cultivate common ground between security and privacy

Page 2 of 2

Or a component of it, anyway. For instance, when E-Loan decided to send some of its loan processing to offshore outsourcers, CPO Koleczek worked on developing a policy that would give consumers the option of keeping their data in the United States. Meanwhile, Steve Abatangle, director of information security, worked on tying down the information that did go overseas as much as possible so that workers in other countries could only view, not copy, customer data.

"A good chunk of privacy is about securing the information, even a little more broadly than we allow our CISOs to secure information," Ernst & Young's Tretick says. "We want the CISOs typically to protect access to information, and to allow access only to people who are authorized. But [with the CISO], we never get to the granularity of: What is appropriate use?"

The more the CPO gets into issues of fair use, the more his job veers away from security. And the more the CSO focuses on security, broadly writ, the more vivid the differences between security and privacy become.

4. Outside of the data world, security and privacy are tough to reconcile.

Let's riff on this point for a minute. Suppose that an employee is about to be fired. And suppose that employee may have spent the better part of the past week copying files off the server and onto diskettes. Is it a violation of the employee's right to privacy to monitor how he's spending his megahertz? Or is it a risk to the company's security stance not to know that the employee has been stealing corporate secrets?

Oh, and what if the employee isn't in the United States, but in a country with stronger employee protection laws?

In scenarios such as this, the philosophical divide between CPOs and CSOs really begins to manifest itself.

"You get into a lot of discussions," acknowledges Boston Scientific's Mattice, after posing the preceding scenario as an example of the kind of conversation he might have with his legal department over privacy issues. (His inclination, by the way, is that if employees are using company resources, why shouldn't the company be able to monitor what they're doing?)

Mattice, and others, insist that in their own particular case, the relationship between security and privacy is amiable. "These are business issues, and there's certainly nothing personal," he says. "I hope they're not contentious discussions, although I'm very passionate about what I do, and I love to debate."

But it would be naive to think that such relationships are always harmonious. The fact is: CSOs and CPOs come from very different cultures. While many CSOs have a background in law enforcement, CPOs tend to come up through marketing. The two don't always see eye to eye.

"Security officers are a bit like lawyers in that there's no piece of information they don't think they should have," EPIC's Perrin says. "They want to know what's going on. If they have video surveillance tapes, they just want to keep them in case they need to know what's going on. A privacy person will look at those videotapes more from the individual's point of view. Security goes in the opposite direction of privacy in many respects."

Yet many in the privacy community are trying to find common ground between security and privacy, even in these murky spaces. This is especially true in the government, where CPOs find themselves under a steady barrage of attacks from observers who believe that the government is trampling on citizens' privacy in the name of national security. Indeed, the topic is one of O'Connor Kelly's favorite talking points.

"I'd like to strike the word balance from everyone's vocabulary," O'Connor Kelly says passionately, when asked about the inherent conflicts between security and privacy. "I don't think privacy and security are an either/or position. People always view the dichotomy: is it privacy or security? And I say it's not about one or the other."

For instance, much of O'Connor Kelly's attention in the past year has been on DHS's controversial US-Visit program, which uses biometric identifiers to screen foreign visitors to the United States. The program has been lambasted by civil rights activists as an invasion of privacy. But O'Connor Kelly thinks that the privacy department, by being involved with the program, can actually help improve the effectiveness of the system from a security perspective.

"I'm not positioning the privacy officer as against any collection of information, but I think the collection of information has to be well-thought-out, limited and relevant to the information at hand," O'Connor Kelly says. "We're actually helping fine-tune programs to make better decisions for privacy, and to make better programs themselves. We can be enhancers of the business."

5. Security and privacy executives will depend upon each other for success.

One thing is certain: going forward, the two executives will continue to be dependent upon each other, however that future may look.

"It's my contention, frankly, that the role of the CPO will transition, and we won't recognize the CPO of the future in the way we will today," says Richard Purcell, a former CPO of Microsoft who went on to found a consultancy, the Corporate Privacy Group. "Security and information management and legal compliance will combine into a differently structured role than we see today. I think that the two groups not only have to work together but that they will become a single group." This may happen under the umbrella of emerging risk management departments.

Or it may be that the CPOs themselves morph. O'Connor Kelly, for one, already wonders if "privacy" might be too confining a concept for what she does.

"Years ago, people said privacy might be the wrong word, [that] it's really about information management," she says. "I think more and more that may be the right way to look at it. I wouldn't say that privacy is the wrong word, but I think that privacy may be limited. We're looking at bigger issues of the responsible use of information."

That's a conversation that the CSO certainly doesn't want to miss.


Copyright © 2005 IDG Communications, Inc.
