Converging Role of a Chief Privacy Officer

Interview with Brian Dean of Key Bank

Brian Dean is Senior Vice President in the Privacy Department at Ohio-based Key Bank, which has assets under management of approximately $102 billion. A privacy professional for over eight years, Dean has long worked with Key management to begin the convergence journey. He refined this vision as an adjunct professor at a local college and while preparing for various speaking engagements on the topic. As recently as 2006, he orchestrated a reorganization to gain traction with convergence. Current management embraced the concept and has taken it to a higher level.
Upasana Gupta: The CPO role is a convergence of privacy and information security; can you explain?
Brian Dean: The title is really to be determined and will differ based on industry and company. I see companies moving toward something more generic, such as Chief Security Officer, encompassing the traditional chief privacy officer, chief information security officer, and physical security officer roles. These traditionally distinct areas are seeing their controls begin to overlap, with the ultimate objective of protecting information assets. Information security seeks to protect information (e.g., keep out hackers, put up firewalls, access control). Privacy's role is more about business need to know/access (e.g., a teller may need to access the information of all the clients who walk into a branch, but that teller should not use that access to look up friends, family and/or famous people who may bank at that financial institution), and physical security is an extension of information security (e.g., access control at the physical level). These teams should be interrelated -- so much so that many teams may find it advantageous to begin converging roles. This allows for a single strategic blueprint for meeting corporate safeguarding objectives.
Gupta: What factors have led to the development of this new role?
Dean: The nascent role of the CPO (still seeking an identity; as recently as 18 months ago, the IAPP, the world's largest professional privacy organization, had a contest to try to define what a CPO is) grayed the lines, but ultimately technology and increased regulation seem to be the primary impetus. The three aforementioned roles have the same primary objective: protect assets. Today, breach laws, consumer demand and improved data-mining algorithms suggest that data is now considered an asset. So essentially, all three areas are trying to protect information assets, with significant overlap in responsibilities. And with the evolution of these roles there is also a significant overlap in technologies. For example, this morning I used a picture ID badge to identify myself to physical security, and I then used the card to "swipe" into the building. The next logical extension is to use the same card to log into my computer, with proximity technology that automatically locks down the computer when I walk away from my desk (clean desk control). Only a few years ago, these disciplines were considered disparate and therefore managed separately.
Gupta: What can a banking institution do to begin the adaptation to these converging roles?
Dean: The areas need to mature. If weak controls exist in each of these disciplines, combining them will exacerbate security problems. However, financial institutions with relatively effective controls can begin the process with a comprehensive risk assessment, which should manifest itself in senior management's security blueprint or roadmap covering all of these areas. In other words, make a comprehensive list of vulnerabilities, their inherent risks, the controls, the control effectiveness, the residual risk (i.e., the risk the company is managing), and the tests of the controls. There will be significant overlap. Areas can then look for ways to improve efficiency, trim costs, and, most importantly, work together to implement cross-discipline enterprise solutions. At this stage, a single voice, a strong leader, can orchestrate the convergence process. It will be a natural progression, as everyone is working from the same playbook.
Gupta: What are the typical challenges? How will a bank go about implementing the convergence model? What are the steps involved?
Dean: The first step is to align the areas tasked with protecting and maintaining the integrity of the company's information assets. For example: physical security (protecting access to the building and ultimately data assets -- or keeping unauthorized individuals from entering the building and carrying off hard-copy confidential data), information security (tasked typically with putting controls in place to protect against unauthorized access to data -- access control models, firewalls), privacy (tasked with putting controls in place to limit employee/vendor access through a "business need to access" lens), data governance (tasked with managing the amount of data collected, which data elements, data format, the integrity of the data, and retention periods), business continuity and recovery (tasked with backing up data, e.g., redundant sites, and getting the business running in the event of a catastrophic event such as a fire), and the often overlooked vendor management (while all of these disciplines may have very effective controls within your organization, giving data to an outside company with poor controls opens the company to their vulnerabilities).
Gupta: What benefits (e.g., cost/investment) can a bank expect?
Dean: The real benefit is improved management of controls. If logical information security does a great job with access control, but physical security has poor perimeter protection, a disgruntled employee or a person outside the company can breach the security and carry off large quantities of sensitive data. So, these areas must coordinate. Better yet, if they are managed within the same management chain, not only can the controls be managed, but their blueprints will coincide rather than overlap or possibly conflict. A residual benefit may eventually be less management overhead, but these resources are initially needed to validate control effectiveness. Effective controls can reduce information loss, regulatory scrutiny, fines, loss of goodwill, lawsuits, attrition of employees, attrition of clients, etc. At the end of the day, it makes good business sense to align these roles and ultimately adopt the convergence model.