Written on January 11, 2007
The CPO – Chief Privacy Officer
Privacy has become a principal concern for organizations given the problems of regulatory compliance, the potential for negative press, and the looming corporate liability associated with identity theft. Accordingly, the CPO – Chief Privacy Officer – is rapidly becoming a familiar IT specialty role on the corporate executive team.
The CPO joins a litany of other IT executive specialties – the CIO, CTO, CSO, CKO, and CCO. Already, the CPO has had welcome corporate acceptance through corresponding trade associations like the International Association of Privacy Professionals (IAPP), the privacy mandates in the US derived from HIPAA and GLB, and the EU regulatory mandate passed in the late 1990s requiring corporations to have a designated privacy compliance role. Perhaps it is the sheer presence of a CPO which provides the most benefit: installing a strategic role concentrated on privacy sounds good in a positive-PR kind of way, doesn’t it? It says, “We care so much about the consumer that we’ve installed this high-ranking corporate ombudsman to fix privacy problems.” Hmmm, tastes great, less filling. Indeed, some of the material I’ve read actually labels the CPO as serving the consumer interest in strategic decision-making.
So the CPO must understand a breadth of disciplines ranging from regulatory law and technology to marketing and public relations. But ultimately one must question the benefit of segregating strategic privacy decisions to a specific executive rather than making privacy a concern for the whole executive team. Whether or not the presence of a CPO diminishes the ability of a CIO, CTO, CCO, or CSO to execute a privacy policy on their own is probably open to debate; I picture a bunch of executives around a table trying to craft a policy by consensus. I can see a lot of contention between IT executives over authority: what changes could be exercised by the Chief Compliance Officer; does the CPO have authority to bypass the CIO; is the CPO a routine consult on executive decisions concerning HR or Operations?
I found an article on the CPO on the web concerning this very problem of power sharing among the CPO and other executives. Sandy Hughes, the CPO for Procter & Gamble, interjected as a consumer advocate in the decision to deploy RFID tags. The article suggests that Ms. Hughes’ role was to “determine the right way” for P&G to use RFID tags. Truly, the CPO’s involvement must frustrate those accountable for RFID execution who have a technical and operational picture of that “right way” without Hughes’ involvement. Can IT really be executed if the consumer privacy interest is constantly peering over your shoulder? Does it limit P&G’s use of RFID or strain its competitive advantage?
The CPO looks good on paper, and we must admit that it’s probably a proactive, visible gesture useful for a positive spin, especially when the chips are down and there’s a real problem to contend with. However, I find it difficult to imagine the CPO being useful to IT execution – yet another party that must be negotiated with if you’re trying to improve business processes or release a new product to market on time. An interesting analysis would be to determine which company is more nimble: one where a privacy policy guides the activities of its executive team, or one where a CPO is interjected into the decision-making process, seemingly diminishing the authority of the other IT executives, who are supposedly versed in the nature of privacy and security anyway.
R
Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, and a Master’s Degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.