As reported in our last issue, a recent survey by the International Association of Privacy Professionals and the Ponemon Institute stated that privacy is still "maturing" as an industry. And while companies are beginning to hire chief privacy officers, many spend less than half their time working on privacy issues. Similarly, few firms have yet modified their corporate structures to allow their CPOs to cooperate or exchange feedback with their chief security officers.
Such firms may want to take a page from the playbook of software giant Oracle. The Redwood Shores, Calif.-based company established full-time CPO and CSO positions several years ago. While their offices operate independently, both senior-level executives occupying these posts assert that they closely coordinate their efforts and that the work of each office aids the other in tackling privacy and security issues.
Oracle's CPO Joseph Alhadeff and CSO Mary Ann Davidson affirm that privacy and security will always be closely related. "Security is not privacy, but it's necessary for privacy," they say. "The lack of adequate technical security measures -- or a fault in a product -- may result in a privacy issue, as personally identifiable information is breached."
Alhadeff and Davidson collaborate most frequently when they are able to address privacy requirements through solutions deployed to tackle security concerns, such as access controls, audits and definitions of roles and privileges. The two issues are also increasingly linked in legislation and regulations at both the federal and state level, with laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act laying out both privacy and security requirements.
It was necessary to establish the two positions separately, they say, because of Oracle's size, its need for individual specialization and expertise, and the nature of its business. "The CPO is more grounded in the policy and legal requirements of privacy, while the CSO is more grounded in the potential and deployment of technology," they explain. Davidson's position required even more specialization because it focuses largely on the creation and delivery of software, Oracle's core business.
"We complement each other's skills, serve as warning systems for each others' issues and have a joint point-of-view on the objectives," says Alhadeff, adding that Davidson's role in product development and technology expertise ensures that "privacy functionality is a development as well as a compliance issue." In return, the CSO appreciates Alhadeff's insights into the "security implications of privacy legislation," and how he makes product development teams aware of such market requirements.
Alhadeff's responsibilities revolve around the protection of personally identifiable information, and include addressing compliance issues, conducting appropriate policy advocacy, and consulting on emerging business models and technologies. Alhadeff also serves as Oracle's VP for Global Public Policy.
Davidson drives Oracle's security-related product direction, improving the security of company products through upgraded development processes and independent validation, addressing Oracle's own IT department's security needs, and using its IT expertise to build better products.
In the future, Alhadeff sees the CPO's role becoming increasingly significant as regulatory frameworks and customer preferences offer more guidance on privacy, making it a more important driver of emerging business models. Moreover, he predicts that privacy-security solutions will become more collaborative as the issues evolve from specialized areas of concern to company-wide issues cutting across many products, business units and industry sectors.
Davidson believes CSOs will face many of the "same old security problems" in the future, despite the evolution of technology. For example, the latest "cool technology" may be rushed to market without thinking about security basics, such as the user's identity and how to protect data transmission from interception.
To read more articles like this one, visit Peppers and Rogers Group's Web site at www.1to1.com.
All materials copyright 2003 Peppers and Rogers Group - 1:1 Marketing.