Wanted: A chief security privacy officer

by Lim Wei Chieh of Data Privacy Asia

23 October 2016

The growing amount of data and the complexities of protecting it are forcing organisations in Singapore and the region to re-evaluate how they approach privacy, the skillsets they need, and the organisational frameworks necessary to cope with these developments.

Old school management processes and the way professional skills have been deployed may no longer suffice for many organisations today. Gone are the days when legal counsels and data protection officers stood apart as the sole gatekeepers of information. Today, there is a new breed of information security professionals who also have to be intimately familiar with the privacy and data landscape and the ramifications of new legislation and regulation on this space.

A question frequently being asked now is whether traditional information security and data privacy functions should continue to remain as separate silos – or whether a new approach is required.

Compliance with new and constantly evolving legislation and regulation will be problematic for organisations which do not have a forward-thinking attitude towards data protection and privacy.

Just how important data management has become is apparent when one considers how much of it is out there. Companies and consumers are expected to generate around 180 zettabytes (ZB) by 2025, according to IDC, and harnessing the power of that data can mean the difference between an organisation’s success and failure. At the same time, organisations are under enormous pressure to ensure the privacy of individuals and protect the data that they manage.

Both of these issues have become core organisational challenges. They also mean that data privacy and information security are increasingly intertwined. This begs the question – Why are these two functions different pillars and areas of responsibility in most organisations?

The shifting landscape requires a new type of information security and data protection professional – one that can take a more holistic view of the issues that surround security, operational imperatives and data privacy. It makes sense to have a new role that combines both the functions of the chief security and privacy officer, or for these functions to be amalgamated.

Information security policies and processes cover confidentiality, integrity and availability, and serve to protect data, systems and networks.

Privacy, however, is different. Privacy concerns revolve around a collection of principles and rules that govern how information on individuals, as well as on legal entities and groups, is protected. It follows that good security and privacy practices depend on each other.

Privacy is simply not possible without technology safeguards. So why are the two functions so often divorced from each other in day-to-day operational activities and strategic planning?

Merging the two previously separate domains will help organisations to create a culture of trust and assurance around data. The result could be fewer privacy-related incidents, as well as products and services which are engineered from the ground up to be both security- and privacy-centric.

The way forward requires a new function – that of the chief security privacy officer (CSPO) who will report directly to the chief executive officer and drive the convergence of privacy and security roles and responsibilities from the very top of the organisation.

Typical cybersecurity professionals come from a strong technical background, and typical data privacy officers come from a legal background. Keeping these sets of expertise separate makes it difficult for the two groups to communicate with each other and with senior leadership or the board.

What is needed are people who can frame cybersecurity and privacy discussions within the business context. This requires a professional who is open, able to look at the risks, understand what could go wrong and realise the impact of these risks on the organisation. He can prioritise them, elevate the communication outside of his sphere of expertise, and make sure he is understood by non-practitioners.

There can be little argument against the fact that the privacy and security landscape is becoming ever more challenging. The real question is whether or not an organisation can afford to keep the functions of chief information security officer and chief privacy officer separate in the face of the rapid convergence of the two roles. Increasingly, industry opinion seems to indicate that a change in approach and mindset is required.