Well, if that set of responsibilities was not broad enough, now many CSOs, particularly in the mid-market space, are being tasked with building and maintaining a data privacy program.
Since confidentiality has always been part of the security arena, I view the merger of the information security and data privacy responsibility as a positive evolution. Why? Because there are many aspects to both the information security and data privacy processes that can be leveraged to create a program that is stronger than the indivual pieces.
But, how do you combine the traditional responsibilities of today's CSO with the addition of the data privacy responsibilities?
First, the CSO should rely on the advice and counsel of the firm's legal team, as their assistance in the interpretation of the various state privacy laws will be vital to success. This is because each country, state and region has unique and complex requirements for transmitting and protecting personal data, and the various state laws have different breach notification requirements.
After you determine what privacy regulations apply, you must gain an understanding of where sensitive data is located. In addition to understanding where the sensitive data is located, you have to determine what elements create sensitive combinations and how the data is moving in your organization. Without this knowledge you will be hard-pressed to create a program that will both protect the data and ensure that privacy is maintained.
And, how do you find the data? This is where the convergence of the security and privacy role is really leveraged since the privacy program will rely heavily on the security work that has been done around data classification and information management.
As well, the combined role of security and privacy is beneficial to the organization because the security controls will be properly aligned to the data and potential exit points.
Remember that the goal of the CSO is to manage information risk by utilizing a combination of people, process and technology. By embracing the data privacy responsibilities, you will have another set of tools to use in the protection of your information assets.
30 seconds on...
Sorting through data is the first step in aligning operations, says Earl Porter of Transamerica Reinsurance. The data classification process, will identify the public, proprietary and company confidential data elements.
In addition to identifying the data elements, the convergence of security and privacy roles requires that the information flows be identified by both the media type and the direction of the information flow, says Porter.
The information gathered will allow you to adapt your security program to include the necessary choke points to ensure that your firm's sensitive information is not leaving the organization via a mobile device or other method.
Theft protection biz
With new breaches being announced every week, ID theft protection is a burgeoning business. Public disclosure is the result of state laws that requires companies to alert victims of data theft if their info is leaked.