
Information Security and Privacy Convergence Is Nothing New...Both Areas MUST Collaborate

Awareness of the need for information security and privacy convergence and collaboration is comparatively new, but the need itself has existed for many years. I first experienced this firsthand in the first half of the 1990's when I was responsible for information security in a multinational financial and insurance company. The company launched one of the very first online banks, and I was establishing the security requirements when I saw the need to address the privacy aspects. This was before the passage of GLBA or HIPAA, but I knew that a few bills addressing privacy were being considered, not only in the U.S. but also worldwide, and that the OECD privacy principles were the basis for many of the privacy requirements.

I also saw and knew that obtaining customer trust was necessary for successful online business, and that you could not keep that trust if you could not safeguard your customers' personally identifiable information (PII) to effectively protect their privacy. I convinced executive management that we needed to address privacy and post a privacy policy on the site, even though at the time the law did not require it, along with ensuring that safeguards were implemented that supported privacy. They were happy with that decision following the launch of the bank site; it was a marketing differentiator for which customers expressed their appreciation. I was happy to take on the information security and privacy responsibilities; they are inter-related in ways that require the security and privacy areas to collaborate on an ongoing basis.

Fast forward to today...

So far this year I've attended and spoken at 7 seminars and conferences in 6 months. In the last 6 months of 2007 I attended and spoke at 4. The attendees at those 11 events covered a very wide range, including technical IT staff, information security leaders, privacy leaders, lawyers, auditors and a few other assorted folks with related responsibilities. I've been taking notes of interesting comments that I've heard from speakers and attendees during those events.

At one of the events I attended a session presented by a CPO from a large international company. He said he had been in his role for around 1 year. He was speaking on what CPOs need to do to have successful privacy governance programs. During his presentation he spoke for a few minutes about privacy breach response. I was very surprised when he said, "Incorporating a privacy response plan into an existing security incident response plan is usually not a good idea."

HUH??!!!!

He also said, "You usually do not need to get the Information Security area involved with privacy breach response."

WHAT???!!!!

Incredible.

Thankfully there were not many in his session to hear this nonsense.

I spoke briefly to him after his session.

"Do you have any IT or information security experience, background or training?"

CPO: "No, I come from the compliance office."

"Why do you think you don't need to include the Information Security folks in breach response, and make sure your plans complement, and do not conflict with, each other?"

CPO: "The most important person to involve is your privacy lawyer; he or she knows the law. Information Security has no legal experience, and probably no knowledge, of laws and privacy breach issues."

AAARRRGGGHHHHHH!!! [inside my head, not to him]

No need to detail the rest of our conversation. Suffice it to say, this relatively inexperienced young man, fresh out of college just a very few years ago and likely in his mid-20's based upon what he told me, appeared to have no understanding of the information security safeguards that support privacy.

You cannot have privacy if you do not implement information security appropriately. Privacy and Information Security practitioners MUST collaborate in the convergence areas where their responsibilities overlap.

These convergence areas and collaboration activities are the focus of a class I co-created with Christopher Grillo, CISO at Medica, and have been giving for the past 4 or so years.

On July 23 and 24 we will be giving this 2-day class, "Executive Summit: Security and Privacy Convergence and Collaboration," hosted by the Charlotte, North Carolina ISACA chapter.

For around $250 (members) or $300 (non-members) at the early-bird price, this is a really inexpensive way to get not only 16 continuing professional education hours/credits, but also a great amount of information and a HUGE amount of tools that we will be giving attendees to take away with them and start using right away in their work.

Folks, you can't have privacy without close partnership with information security.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.