See the prior blog entry regarding the differences between the Privacy and Information Security disciplines. Many CEOs place the responsibility for strategic enterprise information security management in the hands of IT and the responsibility for privacy risk management in the legal department. Typically, these two functions do not work together. Unless the legal resource is a dedicated, empowered Chief Privacy Officer with program and process management experience as well as people skills, the primary privacy objectives (discussed in the prior blog entry) will not likely be achieved.
Many renowned security experts agree that information security professionals often struggle to build and establish effective information security programs. As a result, their programs have gaping holes that leave their organizations vulnerable. Privacy breaches are being reported almost daily by organizations with "formal" information security programs. Why is this so?
A Certified Information Systems Security Professional (CISSP) is considered one of the top information security certification credentials. It is a great certification for comprehensively understanding the tactical implementation of information security. However, the Official Guide to the CISSP CBK (Common Body of Knowledge) only devotes two of its over 700 pages of core text to privacy laws. All too often, the individual directly responsible for an organization's information security program is a technologist who does not have a working understanding of the laws, typical enforcement actions, and privacy breach costs and impacts. Such a technologist finds it difficult to get the commitment from C-level executives for the development of the organizational privacy strategy and the appropriate resources, including people and budget, to support the implementation of the strategy enterprise-wide. In addition to being a CISSP (or CISA, CISM, GIAC, etc.), the technologist could also become a Certified Information Privacy Professional (CIPP) to better enable appropriate communication and engagement with C-levels to secure the top-down commitment that is the foundation of every successful information security program. The CIPP text and exam devote two of their five components to privacy law / compliance and workplace privacy (laws).
However, the technologist must also have the competencies to develop and maintain policies, train people, assess and manage risks, and partner with functional (non-IT) senior managers to achieve enterprise information security.
Michael Cox, CIPP President, SoCal Privacy Consultants