How CPOs and CSOs Coexist

Posted by Jeff Pelliccio on Aug 3, 2018 9:00:00 AM

In ICS insights, Job Trends, Candidate

A strong company needs both a Chief Security Officer (CSO) and a Chief Privacy Officer (CPO), although they sometimes have opposing tasks. These leaders may disagree on how to handle surveillance and background checks, but they depend on one another in other areas. The CPO needs help safeguarding people's private information, and the CSO needs help communicating the importance of data assurance. Understanding the different roles is the first step to preventing obstacles and misunderstandings.

Here are five concepts related to the CPO role that every CSO needs to know.

Rise of the CPO and CSO Positions

The rise of the CPO position parallels that of the CSO. In the mid to late 1990s, businesses hired the first CPOs. The new position represented a trend in corporate America to safeguard the privacy of clients and employees. The CSO position follows a similar timeline. 

At the time, the Gramm-Leach-Bliley Act began to impact privacy requirements in the financial services industry. Meanwhile, similar requirements hit health care, where the privacy movement was fueled by the Health Insurance Portability and Accountability Act (HIPAA), which requires organizations to name a privacy officer. Firms began hiring CPOs due to new regulations or as a signpost that they took data privacy seriously.

Somewhere along the way, the role went out of fashion. The economy took off, and the nation was reeling from the 9/11 attacks. Companies diverted attention to security and risk management and away from privacy.

Observers have predicted a rise in the number of CPOs thanks to identity theft. Lawmakers are answering calls for help in this area, and the International Association of Privacy Professionals (IAPP) has developed a professional certification for privacy officers and employees. The test verifies knowledge of legal compliance, screening and website disclosure. This nontechnical certification does require an understanding of IT and data processes. The certification doesn't signify that these individuals have experience as strategic privacy officers. However, it does indicate a fundamental understanding of the laws and rules regarding corporate policy requirements.

Who Becomes a Chief Privacy Officer?

The CPO role combines business acumen with a firm's privacy policies. So, who becomes chief privacy officers? The CPO role hasn't developed the way privacy advocates originally hoped. Instead, CPOs have to find a middle ground between protecting privacy and negotiating with conflicting interests as well as customer expectations.

Security experts position themselves on their knowledge of risks. However, CPOs acts as mediators to resolve disputes over privacy. Within the CPO's department, security executives have an ally with similar concerns. No one wants to be known as the person who stalls business procedures. The ability to succeed in this role depends on an individuals' ability to convince others that protecting information is of paramount importance. Many CPOs are superb negotiators who do very well when it comes to showing how privacy impacts a business's bottom line. These are the ones that will be most successful in the long run.

Privacy officers do not lobby for civil rights. They are businesspeople looking out for the corporation's bottom line. If privacy is compromised, it's their job to bring that to the attention of stakeholders, but the ultimate decision lies in other hands. In this way, we can see that CPOs work within the system, which is far different from advocating for change.

Security and Privacy are Intertwined

In the world of data, privacy and security are intricately connected, so it's no wonder that the CPO and CSO roles have evolved together. When you speak to executives in these disciplines, you find that, within the tight corridors of information technology, they interweave. A company can't promise not to sell customer information to marketers if hackers are able to get to all the files anyway, for example. If either position drops the ball, security and privacy will both suffer.

Unfortunately, this close association isn't easily understood by outside forces and decision makers who want or need to place security and privacy in separate buckets. Sometimes, error messages display a security error when the issue really has to do with privacy.

It can get confusing. Data security and privacy overlap because they operate on the same data and, often, the same parameters. It can be difficult to isolate properties for privacy without affecting security, and vice versa.

Once a company's data set has matured, it's easier to segregate data so that security isn't compromised by privacy considerations. Sometimes, the CPO role starts out as a core IT function, due to the need to get the data loaded, validated and productionalized. Later, it might be possible to move the CPO role to an audit capacity.

If you are angling for a way to preserve data integrity, security and privacy, chances are you'll strike the middle ground that gets you to all three goals. Security and privacy go hand-in-hand. Once policies mature and a clear line of responsibility is available for all departments, the roles have less overlap. In the meantime, communication is the key to avoid misunderstandings that can lead to data leaks, hacker attacks, and other risks. In a sense, security is another step on the path of securing privacy for clients and employees.

The more the CPO gets into issues of fair use, the more his job veers away from security. Furthermore, the more the CSO focuses on security, broadly writ, the more vivid the differences between security and privacy become. Rarely can security professionals articulate the differences between security and privacy. Privacy involves the ability to safeguard sensitive data that can be used to identify individuals. Protection is a security component, but the two cannot be separated for long since they operate on the same data.

Understanding How the CPO and CSO Role Differ

When you step outside the world of data, it's still hard to delineate a line between security and privacy. Let's take a look at this with a real-world scenario. Imagine that you have an employee who's going to be let go, but is still working at the company. The employee copies data off of servers onto private drives and into the cloud. This employee is putting the company at risk and may be committing a crime. However, you can't figure any of this out unless you monitor his activity. So, is it a violation of his rights to monitor what he does in his last week with the firm? These are the types of ethical and operational dilemmas faced by Chief Security Officers that can put them at odds with the purview of the Chief Privacy Officer, whose goal is to defend privacy in all its forms.

Here are some questions that can help clarify the conundrum:

  • Does the activity pose a risk to the enterprise's security?
  • What will happen if the security department foregoes monitoring the employee who's likely stealing corporate secrets?

In scenarios like the one above, the difference between the CPO and CSO starts to become clearer. Hopefully, the relationship can be amicable, but there are business issues that can cause a divide between privacy and security associates, especially if they're passionate about what they do.

So, the question is, what do you do when this relationship sours? Well, it doesn't hurt to have a regular forum where differences can be aired, such as a meeting with a senior executive responsible for both departments. CPOs tend to be promoted through marketing, while the CSO probably has a history in law enforcement. However, although the CSO and CPO offices are coming from different and potentially conflicting areas of responsibility, there's always some common ground.

For example, the privacy community reaches out to build common ground for security and privacy professionals. This is particularly true for areas of the government; CPOs in these organizations may find themselves undergoing a barrage of attacks due to a common belief that the government stamps on the right to privacy for individual citizens' privacy. It's true enough to assume that this is at least true in issues of national security, where individual rights take a back seat when it comes to securing government offices.

Security and Privacy Execs Rely on One Another

Security and privacy (CPO and CSO) execs are co-dependent when it comes to the success of both departments. You can count on at least one thing for certain. In the future, these two officers will have to rely on one another to keep company data secure while looking out for the privacy of clients, employees, and other individuals.

The role of the CPO, in particular, will most likely undergo a change. There will be a transition that may make the office unrecognizable with the way it's handled today. This is due to the relationship between security and information management and how this impacts the legal compliance of a corporation. It's likely that the role will not be the same one you see in today's organizations. The roles of the privacy and security teams are likely to merge and become one group. One department that it would make sense to see either or both groups is a risk management department.

CPOs already have some strong opinions about how the good of the business should have priority, even if some tenants of the privacy policy suffer. However, that's a discussion for another article. The truth is that these roles have been around long enough that tech-savvy leaders have a lot of insight into how they think the two roles should interact.

Learn to Coexist

If you are thinking about going into security or privacy, these are some of the questions you can expect to come up at some point in your career. Understanding this can help you reach the right conclusions when you are in similar situations.

Looking for new opportunities as a CSO or CPO? Contact ICS. We have plenty of roles open for top talent. Click below to see our open jobs and start applying. 

Search Jobs