CPO and CISO: A Comprehensive Approach to Information

Nuala O’Connor Kelly, the former chief privacy officer for the U.S. Department of Homeland Security, now serves as chief privacy leader with General Electric. O’Connor Kelly, along with GE’s Chief Information Security Officer, Grady Summers, recently partnered to launch a GE Information Governance Council. The council, according to O’Connor Kelly, combines the strengths of IT and legal, and looks at information management and policy issues holistically across the data life cycle. The effort also marks what O’Connor Kelly says is a distinct change in the role of a CPO—one she predicts many companies will eventually adopt. She spoke with CSO about the future of the CPO. (Also see Richard Power’s article To Govern or Not to Govern on new Cylab research highlighting gaps in privacy and security governance.CSO: Give me little background on your role with GE and how this convergence between privacy and information security began.

O’Connor Kelly: I started in the company three years ago as chief privacy leader and senior counsel for privacy and data. Over the course of the last year, we have congealed a vision around information governance; issues such as information management and data strategy. The new vision very much reflects a change in the CPO role to a more holistic approach to data.

With the CPO role, there has been a long-running debate about whether it belongs in legal, or in IT, or in risk or compliance. I wouldn’t say we’ve settled all of the structural issues, but in terms of what information governance is, it’s really about how we create information, how we keep it safe and secure and accessible during its lifecycle, and how we thoughtfully dispose of it. So we’ve brought in document management and data lifecycle, data retention, e-discovery and a whole bunch of other disciplines, under the information governance umbrella.

Now I lead information governance in legal and the information governance council, which is half legal and half IT. I’ve partnered with a team from the CISO’s office as well as with the CTO. The idea is to create a multidisciplinary approach to data and both operationalize it and create a sustainable policy on the IT side.

What were some of the driving factors that lead to this change?

It really was driven by data breach security laws. We had to respond quickly to data security issues and the increasing amount of regulation in that area.

The other real driver is the changing workforce, and the changing expectations of today’s workforce. We have 13,000 GE employees who are self-identified on Facebook as GE employees, sometimes using their GE e-mail address and putting up GE monograms to create discussion groups and so forth. This is happening whether we like it or not. Our employees are voting with their feet about what kind of collaborative networking tools they will use and this presents some real legal and organizational challenges.

Based on your success with this model at GE, how influential do you think this convergence will be for other companies?

This is very much where I see this going for other companies as well. As the economy gets tighter and jobs get tightened, things are going to converge, teams are going to have to work together. More of us are going to have more roles and multiple duties.

Second, privacy has always been to me a very reactive and negative term in corporate America. People think ‘Oh it’s a privacy officer. He or she is going to tell me what I can’t do.’ I like information governance because it’s creating good rules and policies and structures that allow us to get our jobs done. It creates both the internal information sharing environment so that our employees can find data and information resources and also creates the good lens though which we judge how our information is touching sales products as well. We have a huge healthcare IT division, a huge security IT division and a whole bunch of folks doing products offerings in this area.

If more companies were to adopt this kind of model, what might a future CPO look like?

An understanding of technical systems and technical assets is going to be crucial. As we see our data and information holdings transform from a paper base, more and more of our assets are held electronically. Will that person need an understanding of the regulatory environment? Sure. But I’ve always felt strongly that a privacy officer doesn’t have to be a lawyer. Understanding process, risk management and quality systems in some ways might be more important because I’ve always felt we need to operationalize the values around data privacy and data security.

A good reading of the law is essential, but a more sustaining model is somebody who understands how to inculcate those values in both technical assets and also in the education of our employees. So human behavior, as well as systems behavior, are going to be more important than being a lawyer and having to write memos.

If more CPOs are asked to take on this holistic approach, might some view these additional duties as just another thing they have to worry about?

That is certainly something we hear from legal and compliance folks. ‘Oh, yet another thing we need to worry about.’ But that’s probably what people said about privacy ten or 12 years ago.I don’t see it that way. I see it as congealing of a vision of information as a legitimate asset of companies. Instead of being reactive, and to a certain extent being embarrassed about data holdings or uncertain about how to create a regime around information and vital assets, I think it’s a recognition that in the information age, information is one of biggest assets of any institution. And it needs to be dealt with in a very holistic approach. It needs to have a soup to nuts approach about both physical and technological protection around it: Education of our employees, all of those are assets of good data management in a security program, including how long this stuff is kept.

How long stuff is kept is typically a back-room function of document managers. But it is actually incredibly important when you look at the cost of keeping things, both electronically and on paper. So if it hasn’t been a lens through which an organization has been looking at things, I think it’s actually a great growth opportunity for folks who have been toiling away in the shadows and doing work but not getting credit to elevate their role and also find some synergies in folks across the room, both in IT and legal.

Here, I think we’ve found great strength in numbers. Folks are flocking to our vision of a comprehensive approach to information. Right now we’re doing a lot of projects around federated search, data cleanup, some real basic human factors. Our end-state vision is a collaborative work space; a collaborative, online, real-time, global environment where GE employees, wherever they are, can get to the right information at the right time. Obviously access control and data control around who gets to what container is important, but also important is the reduction of time to get to the right data point, as well as expulsion of useless information that is weighing us down and muddying the waters of clarity.