Privacy Leadership: What it Takes

Today's Threats Require a New Breed of Privacy Officer
Privacy Leadership: What it Takes
When Kirk Herath, chief privacy officer of Nationwide Insurance Companies, heard about the recent Sony and Epsilon data breaches, he felt an immediate, gut response. "I'm glad it wasn't me."

Yet, he also recognizes that incidents such as these are now shaping the privacy profession, evolving the role from data protection into data governance. This new role also requires a new focus on integrating privacy with information security and legal requirements in how an organization uses data. When he started in the profession 10 years ago, Herath focused on developing high-level policies based on the Gramm-Leach-Bliley Act. Today, he needs to understand his organization's use of personal information by increasingly participating with individual business units in the implementation of a data governance process including data access, storage and use. And he needs to accept that no amount of preparation or policy makes an organization breach-proof.

"A breach can befall you regardless of how good your privacy policies and data governance are," Herath says. "So, I focus on playing an instrumental role in handling and preparing for such incidents effectively."

'When Things Go Wrong'

"Just securing the data is no longer enough," says Trevor Hughes, head of the International Association of Privacy Professionals. "Privacy professionals, in addition, need to prepare for what happens when things go wrong."

In his role, Hughes increasingly sees organizations using privacy professionals to interact with consumers, regulators, congressmen and attorneys to ensure that their post-breach response plans are effective.

Additionally, he finds that emerging technologies such as mobile devices and social media are clearly exceeding the current system of laws, regulations and systems, thereby creating instability in how privacy is addressed within organizations.

"Extreme deployment of technology has made privacy controls no longer particular to either the location of information or group of individuals," says Frank Smith, chief information officer and senior VP at Booz Allen Hamilton. "It comes down to making the concept of privacy clearly understood and adopted by a population for whom privacy is not necessarily a primary function, but they need to think about it."

Today's Challenges

Managing privacy has clearly transitioned from information held within the organization to information held by individuals.

"Privacy's focus is increasingly on transparency now," Herath says. "This is fundamentally creating new challenges for professionals in their approach toward privacy and data protection."

For instance, the new generation of workers blurs the lines of personal and professional communication in their use of social media, and the type of information that is collected by these sites is often not in the control of an organization. Moreover, it can be used to cause reputational or fraudulent damages.

"We are dealing with a generation of people that value information sharing much higher than having relationships with their own families," Smith says. The chief privacy officer therefore struggles with "the ability to get the concept of privacy in a culture that holds different views on what information can and cannot be shared about self and others."

Historically, enforcement of privacy legislation was inconsistent or nonexistent, officers say. Today, governments worldwide are getting on board with breach notification requirements and additional privacy regulations that directly address protecting personal information and enforcement of tougher penalties against organizations for failing to secure this information.

Recently, Mexico - a significant outsourcing destination - joined 50 other countries in adopting a broad privacy regulation: The new Federal Law on the Protection of Personal Data Held by Private Parties focuses on the private sector and will likely impact many large U.S.-based companies operating in Mexico, as the law impacts collecting, processing, using and disclosing personally identifiable information both within and outside Mexico.

"It is incredibly difficult to navigate a safe path through all this," Hughes says. "This is really a job for someone who can assess hundreds of different variables and distill them into the best and safest possible way for an organization to move forward."

The turbulent and complex global regulatory environment is further pushing privacy professionals to specialize in law in order to cope with all these changes more effectively.

The Value of Law

As legal issues drive privacy and data security, an increasing number of privacy officers are embracing legal degrees and becoming attorneys.

"A decade ago, there were a handful of privacy officers who were lawyers - the majority were policy makers," says Lisa Sotto, a privacy attorney and managing partner of Hunton & Williams New York office. "Today I see a reversal in their roles."

Sotto points out that in the past privacy officers were hired to meet ethical obligations of an organization, as legal requirements were not stringent. Today, however, privacy officers need to understand legal considerations and operate within a complex global regime.

For Paulo Zeni, senior corporate privacy counsel and an attorney at Symantec Corporation, having a law degree gives her an edge in this profession by helping her understand the compliance requirements - especially those that apply to different jurisdictions globally. For instance, there are different policies globally for encrypting data and systems, and in such cases it's the lawyer's background that helps frame more effective strategies around privacy.

"A legal degree for privacy officers is key in creation of trust with vendors, customers and senior management," Zeni says. "It provides them comfort in dealing with contractual and legal elements and is immensely useful in partnering with legal advisers that address the jurisdiction around the world."

Herath, also an attorney, finds that a privacy officer's response in the event of a breach or incident is far better handled when the leader has legal expertise.

"What is or isn't a breach is very technical under law, "Herath says. "A lawyer's background is helpful for handling both the public relations and the political side in the event of such incidents."

New Skills

Beyond a legal background, aspiring privacy officers must develop new skills to effectively hold growing career opportunities in privacy related functions, including legal, audit, compliance, information security, fraud prevention and disaster recovery. Among the new skills:
  • Interpersonal - The concept of privacy by design is being implemented by certain government and private organizations, where privacy professionals are called upon by different business units to embed privacy into new technologies and business practices from the beginning as part of the system or product development life cycle. Privacy officers here need to be more conversant in translating their privacy requirements into business terms, Zeni says. "Ability to support the product development teams across different business units is an added layer of responsibility to the CPO role requiring strong communication skills."
  • Contractual - Privacy professionals need to increasingly focus on contractual elements and negotiation skills with third-party engagements, especially as organizations decide to move data to cloud services. "We ensure we sign vendors who have an understanding of the security and privacy implications of the exchange of information they are participating in," Smith says. Privacy officers need to develop policies and contractual terms that address the risks associated with sensitive data and regulatory requirements, including where the data can or cannot be transferred, what data retention policy is followed and where the data will be stored.
  • Analytical - One needs analytical skills to monitor individuals who are authorized to access and use sensitive information, as they are increasingly found at the center of high-profile incidents. Besides, investing in data loss prevention tools, professionals need to learn the effective monitoring and analysis of personal information residing in databases, repositories and an organization's network to prevent effective losses.

"Our challenges change about 360 days a year," Smith says. "So privacy management is essentially demonstrating due diligence to ensure you can create that trust to protect the data."

About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.