Is It Time to Merge Privacy and Security Roles?

Nine years ago, SC Magazine posed an interesting question: How do you combine the traditional responsibilities of chief information security officers (CISOs) with additional data privacy responsibilities? In the years since the answer has been simple: You don’t.

Most organizations today keep privacy and security functions separate. CISOs typically have a computer science or other technical background, and they focus on identifying and assessing risks and protecting the organization against digital security threats. They often report to the chief information officer (CIO), or increasingly they report to the board directly. Companies such as Booz Allen Hamilton have even flipped the traditional structure and have their CIO report to the CISO.

The Internet of Things: An Emerging Torrent of Business Threats

Chief privacy officers (CPOs) are typically lawyers or other legal professionals whose role is to understand various government and regulatory laws around how personal information can be collected, disclosed, retained, and destroyed. Their jobs often relate to data security issues, but privacy concerns such as notice and consent also extend outside the boundaries of traditional data security. While some are calling for CPOs to be elevated to C-level status, they most often report to the compliance or legal department of the organization.

Although traditional business structures keep them separate, it is plain to see that there is overlap and interdependence in privacy and security functions. After all, information security policies are designed to defend data and networks, but they also need to protect employee and customer privacy. And defending individuals’ privacy is not possible without IT safeguards.

In 2013, Intel experimented with combining the two responsibilities by naming Malcolm Harkins as chief security and privacy officer. Instead of reporting to the CIO as a CISO likely would, he reported to an executive vice president. His responsibilities also expanded to including privacy responsibilities such as legal and regulatory compliance.

Harkins said, “a lot of security professionals are … colorblind or tone-deaf to privacy. They think that if you have security or you just do good data protection, you, therefore, have privacy. That’s not necessarily the case, and it’s much more nuanced than that.”

He added that he sees privacy and security professionals at many companies “not working together,” and “I think that in the long term is a disservice to both the privacy and the security teams, as well as a disservice to the organizations that they work for.”

It is worth noting that Harkins was Intel’s chief security and privacy officer for only two years and five months—before moving to Cylance, where he was first hired as a CISO before being promoted to chief security and trust officer, where once again he is in charge of security as well as privacy policies.

Could Unifying Privacy and Security Benefit Organizations?

There are many reasons to believe that unifying privacy and security domains could benefit organizations. For one, efficiencies that could lower overall privacy- and security-related costs would be likely. Merging the two fields could raise the profile of both, leading to full C-level status where it does not already exist. In addition, combining the functions could give professionals on each side greater visibility and enable them to do their jobs more effectively.

As Steve Pomroy, chief technology officer of Camouflage Software, wrote recently, “It’s been my experience that many organizations simply don’t know where their sensitive data is insufficient enough detail to know how to begin protecting it. That presents a big problem when it comes to prioritizing security spending. How can you protect something if you don’t know where it is? Or what it is?”

Harkins—who combined privacy and security functions at Intel and now Cylance—was quoted recently as saying that merging the two domains “enables enterprises to create a culture of trust and assurance around data, with fewer privacy-related incidents as well as products and services which are engineered from the ground up to be both security- and privacy-centric.”

For now, most organizations continue to keep privacy and security separate, despite the fact that data protection depends, first and foremost, on a thorough understanding of what sensitive data exists and where it is located. As pressure keeps rising to protect data while also defending consumer and employee privacy, it’s hard to imagine the two functions will remain siloed for much longer.

The Internet of Things: An Emerging Torrent of Business Threats