Merging Privacy and Security RolesIntel's CISO on Interdependence Between Two Disciplines
Intel Chief Information Security Officer Malcolm Harkins, who now doubles as the chipmaker's chief privacy officer, sees having one leader handling IT security and privacy responsibilities as essential. "At the end of the day, there's a level of common objectives," says Harkins in an interview with Information Security Media Group [transcript below].
Unfortunately, he says, IT security professionals typically approach privacy incorrectly. "A lot of security folks are, what I would say, color blind or tone deaf to privacy," Harkins says. "They think that if you have security or you just do good data protection, you therefore have privacy."
But that's not always the case. "The security organizations need to recognize that potential blind spot in their acumen, and they need to partner with and work very heavily with their privacy organization," he says.
Not joining the two areas together within an organization in the long term is a disservice. "It's a disservice to both the privacy and the security teams," he says, "as well as a disservice to the organizations that they work for."
In the interview, Harkins:
- Explains why the chip and IT wares maker combined the roles of chief information security and chief privacy officers into a single position, which helps manage risk;
- Furnishes an example of how security and privacy needs could clash and how having a single organization address both helps resolve the conflict;
- Offers advice to other organizations on coupling information security and privacy into a single executive position.
Harkins is vice president of Intel's Information Technology Group. Before becoming Intel's first chief information security officer, and now first chief information security and privacy officer, he held positions as the profit and loss manager for the flash products group; general manager of enterprise capabilities, responsible for the delivery and support of Intel's finance and human-resources systems; and in an Intel business venture focusing on e-commerce hosting.
Combining CISO, CPO Positions
ERIC CHABROW: Why did Intel decide to make you its CISO and chief privacy officer?
MALCOLM HARKINS: I've had the CISO role, as you know, for a number of years, and recently in the past couple months the company asked me to take an expanded set of responsibilities, to become Intel's chief privacy officer, inclusive of my CISO responsibilities as well. We did that because we recognize there are risk issues that the company faces and they need to be worked out together. There's a level of inherent interdependency between different aspects of security in terms of our IT security in the traditional info-security role, the physical security element, and some of our security on the lifecycle efforts that cut across the company for things that we do.
Independent of that, but also very intertwined with it, is privacy aspects in terms of where the company's going with products and services in our business. It's a large aspect of a large multinational enterprise, and the growing legal and regulatory compliance items, as well as growing potential risk issues from a privacy space, that as a large multinational organization you have to handle appropriately. They're all a level of risk issues, and they need to be worked together and understand where there should be separation between them, but also where you can bring them together for maximum effect to do the right security while also driving a preservation of privacy in the activities we're doing.
Approaching Security and Privacy
CHABROW: Can you give an example of this common approach with information security and privacy and how that all blends into risk management?
HARKINS: It's a good question and it's interesting. I had this dialogue with some peers back in December who were looking at doing a level of monitoring for trucks. It was a large organization that has trucks that drive around and drop off and deliver things as a part of their service organization. They inherently were having struggles between the security desires, or the logging and monitoring of the driving activities and the delivery activities. At the same time, they need to do that for security reasons and efficiency reasons. They were running into challenges from a privacy perspective. To me, that was a great example of where there's potential conflict between the two goals, but I think in that conflict there's a resolution around it. The discussion I had with that peer was, "How do you approach the collection of that information, the use of that information, in a way that would still preserve the privacy and respect of the individual, the employee, but give you the insight that you need to protect the security of them, the trucks and the goods that are in it?
In the dialogue, I suggested an approach to them around potentially giving that monitoring information to the driver in the truck so that they actually are the ones in charge of that information to help be more efficient in their route and to help protect the trucks and the deliveries so that if they walk in, as they back in or something, and they leave the truck for a while, they maybe get alerts that something's going on with the truck. Potentially you might have some monitoring capability that you have triggers where the central security team might get alerted if you go outside certain parameters, that way there's not almost a Big Brother watching all the time, but you set a category, a threshold, that has met a certain criteria that you can have that dialogue with people. You're trying to protect the driver. You're trying to protect the truck and the contents of it.
But I suggested a dialogue that's not an all-or-nothing. It's how do you actually do that level of monitoring that in many ways you could argue makes sense, but in many ways could be intrusive, and get it into a dialogue where it can be productive, and figure out what the thresholds are and what are the data you really need to monitor, how long do you need to keep it, and then who decides when you take additional potential risk issues what additional controls you're going to put around it. You're still preserving the privacy of the employee and the individual in that case. To me, that was a great example of where you can have things that are at odds with each other or you can figure out how to reconcile those differences in a productive fashion, where it's appropriate and not appropriate to collect and monitor certain things.
Evolution of Security Roles
CHABROW: Do you see this as additional responsibilities or do you see this as more of an evolution of how this job is changing in adding the chief privacy officer responsibilities?
HARKINS: I think it's a combination of both. For me personally, I think it's an evolution because I've always had a wide-angle role around information risk within the company, spanning traditional info-sec stuff to business continuity and disaster recovery to some of these items that you work in conjunction with legal to make sure that we're doing the right compliance activities and pulling together a broader view of this across Intel fitting together aspects in our system, our products and services in terms of how they're developed, as well as some of our supply chain and the physical-related items. There's an interdependency of certain key controls in each of those layers within the company that need to be thought through so that you can manage appropriately the risk, as well as make sure that you're not over-controlling in a way that encumbers the business.
CHABROW: Does Intel have a chief risk officer or a chief information risk officer, or is the chief information risk officer part of your job?
HARKINS: It's part of my role. You could argue when I was chief information security officer that a more appropriate title may have been chief information risk officer. We certainly have a general manager infosec director in the IT organization focused on those primary roles, and they're part of the broader scope cutting across the company. I'm pulling different aspects of people who have done security and privacy-related items together so that we can have that larger, overarching view and collectively manage those risks that need to be managed in order to steer the ship, so to speak.
CHABROW: That director level position you just referred to, is that someone you report to or does that person report to you, or are they parallel?
HARKINS: Parallel reporting into our IT organization, as well as myself.
CHABROW: So that person reports at least dotted line to you?
CHABROW: With this additional responsibility for privacy, are you reporting to someone new or does that structure remain the same?
HARKINS: The reporting relationships have evolved as I've taken on the broader set of responsibilities and scope, and I'm now reporting in to one of our executive vice presidents and no longer reporting in to our CIO, because I have that wider vantage point across the company.
The CIO, CISO Relationship
CHABROW: Let me ask you then about the responsibilities of the CIO and the CISO. If you're not technically in the same organization anymore, is that showing a certain kind of evolution of information security and privacy going into its own domain?
HARKINS: It's a good question. I think the information risk elements, the information security items and a lot of privacy items at most organizations are inextricably linked to the IT organization because the systems are essentially the central nervous system of the company. I don't think you can fully separate that type of stuff. I do see that IT has a very prominent role in that. My interdependence with IT is very strong and will remain very strong, both with the folks that it sends to me as well as in some partnership with the CIO. It's organization-dependent. I know many peers - whether they're called chief security officer, chief information security officer or chief information risk officer - the vast majority of them report through the CIOs, but some of them report into other operating units. In one case, one individual actually reports up through the human resources organization, but that's also where they have their collection of other security items. Some of them report into the general counsel. It's company-dependent based upon the sector they're in and how security, risk and privacy grew up within that organization. I think that's really how it's evolved.
CHABROW: As you assume these new responsibilities, did you have to learn new things or was this something you already knew about? Are there new skills that you need to have?
HARKINS: To be honest, I'd say I've never stopped learning since I've been in the security/risk/controls/privacy space for the past 11 and some years. For me, much like the threats, vulnerabilities, legal, regulatory and things that affect this stuff continue to evolve, I need to continue to learn and evolve along with it. There are a large number of things that I need to dig into that I've dabbled [with] in the past and increase my acumen in order to fully do those in the appropriate fashion.
CHABROW: Are your days longer?
HARKINS: Not necessarily longer; certainly different. Some of the day-to-day items that I would have been more involved in on the IT side [I'm] letting go of but still [I'm] keeping awareness so that I can put my focus in other parts of the company to grow my acumen, grow the influence and then figure out how to align all of the security and privacy activities across the company with a common purpose and overarching set of objectives and deliverables, even though each part of it will have their unique vantage point and the unique things they need to work on. There's a commonality and a linkage across that from some decision-making to some process structures we'll need to figure out over time.
Advice to Organizations
CHABROW: What advice would you give other organizations that may contemplate combining the CISO role with the chief privacy officer?
HARKINS: The one thing that I would advise most security folks - and some security folks don't like to hear this from me when I say it - [is] a lot of security professionals are what I would say color blind or tone deaf to privacy. They think that if you have security or you just do good data protection, you therefore have privacy. That's not necessarily the case, and it's much more nuanced than that. The security organizations need to recognize that potential blind spot in their acumen, and they need to partner with and work very heavily with their privacy organization, because at the end of the day there's a level of common objectives that I see too frequently when I talk to both privacy professionals in many companies as well as security professionals in many companies. [There's] that coordination and that common ground. They're not working together on those items, and I think that in the long term is a disservice to both the privacy and the security teams, as well as a disservice to the organizations that they work for.