
Don't let differing authority levels damage info sec, privacy & compliance collaboration

I first realized the need for information security and legal compliance areas to closely collaborate on converging issues in the mid-1990s, while establishing the information security and privacy requirements for one of the first online banks. Over the past 5+ years I've been actively evangelizing, through my 2-day classes, conference and meeting speeches, and many articles and other publications, about the need for information security, privacy and legal compliance areas to collaborate, and pointing out the areas where these responsibilities converge.

One of the challenges that must be addressed within organizations is that the positions with converging responsibilities (e.g., CISO, CPO, Legal Counsel) often sit at differing levels within the organization. These practitioners must get over the perception that one of them holds "trump" authority over the others and realize that they must collaborate in a productive manner, giving considerate and respectful attention to the expertise and opinions of the others.

Consider an actual example...

A few years ago a large manufacturing organization created a Chief Privacy Officer position, with enterprise-wide privacy responsibility, within the Law office, reporting directly to the CEO. The information security responsibility was many levels down in the organization: the Information Security Officer (ISO) was at the manager level and reported to a director, who reported to the CIO, who reported to the VP of Operations, who reported to the CEO.

The ISO was worried about the proliferation of laptops being used for business processing, particularly for processing orders from both individuals and other companies. She did a risk assessment and submitted the resulting report with a recommendation to require full-disk encryption on the laptops. The ISO's recommendation was denied because, according to the CPO in the Law office, no laws (at that time) explicitly required encryption, and in his opinion the expense of implementing encryption was not necessary to advance the business.

The Law office had not even discussed the matter with the ISO. Information security risks were not considered in this decision; it was based purely on the letter of the law, even though most data protection laws then (as now) require that safeguards be chosen on the basis of an assessment of the risks, not on whether a specific control is named in the statute.

Do I need to say what happened approximately 11 months following this blind denial to implement laptop encryption?

Yep! A laptop was stolen, with clear-text customer information on it, and a full-blown privacy breach response and subsequent notification activities ensued, costing several times more than the encryption solution would have cost.

A thorough understanding of information security risks is key to determining how to implement safeguards that meet compliance requirements, because those requirements are themselves risk-based. Close collaboration, and mutual respect, between the areas is necessary for effective information security and privacy programs.

Folks, just because you may be at different levels of authority within the organization, you must still be open to thoughtfully considering the opinions of the subject matter experts and practitioners at all levels of the organization. Don't make an information security, privacy, or compliance decision based purely on the "letter of the law" and without consideration of the associated risks!


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for the past two decades. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on its list of the world's best privacy experts and on its list of the best privacy consulting firms in both 2007 and 2008. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 13th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.