Differences between CISOs and CPOs are subtle, but important
Here’s another clear indicator that the issue of data privacy is a top priority of today’s leaders and on the same level as information security:
Yesterday, Washington Governor Jay Inslee announced that Alex Alben has been appointed as the state’s first chief privacy officer. Alben, the author of Analog Days—How Technology Rewrote Our Future and the former general counsel at Starwave Corporation, will work in the Office of the Chief Information Officer.
Washington is only the third state in the U.S. to appoint a CPO. Even in the private sector, where the pace of adoption is much faster than in tightly budgeted government offices, a CPO is still a relatively new position; the earliest known appointment occurred just 16 years ago. However, multiple data thefts in the news have sharply re-focused executive priorities on data security and privacy, giving rise to a role uniquely suited to address those risks.
“But we have a CISO already.”
Although there is some overlap in their areas of work, a CPO has different duties than a CISO. While a CISO focuses on data operational security, infrastructure security, and employee identity and access management, a CPO informs the executive team of the legal and regulatory obligations a company must meet in data handling, particularly for customer data. A CPO can answer questions such as “What kinds of data can we collect?”, “Where can we store data, and what is required to secure it?” or “When are we required to delete data?” Should the worst happen, a CPO can advise the legal team of the organization’s responsibility to disclose a data loss event, preventing or mitigating costly situations or catastrophes.
Additional value
A CPO may create and disseminate privacy policies to employees and develop training to ensure compliance with applicable laws. And if you’re served a subpoena, a CPO will work with your legal team to determine the extent of your cooperation.
Discussions regarding data privacy are a daily occurrence in today’s boardrooms. More organizations (and state governments) are putting someone at the table whose responsibilities are to avoid digital risk, answer questions about privacy obligations and issue directives that carry the full weight of executive authority.