Ask The Security Policy Expert
Question:
How would you assess the overall awareness of senior management with regard to the privacy issues faced by their organizations? What are some of the common problems?
Answer: From Rebecca Herold, CISSP, CIPP
There is not a simple answer to that question. There are several factors involved, such as the industry for the organization, whether or not the organization is a multi-national company dealing with strict privacy requirements such as those in the EU, Canada, and Japan, the size of the organization, and the management style of the executives.
That said, generally I have seen the executives within financial and banking industries to probably be the most aware. I have seen the leaders of healthcare providers (hospitals, etc.) who know they must protect personally identifiable information (PII), but often justify substandard safeguards in the name of patient health without even realizing how they can do a good job for both protecting information privacy while they are protecting the health of their patients; these are not mutually exclusive goals.
A large problem is that business executives often depend upon the advice and guidance of their legal counsel for privacy issues, when often their legal counsel are looking at the letter of the law and do not understand all the issues involved with information technology and the associated threats and vulnerabilities. That is not to say all lawyers give bad advice regarding privacy issues; quite to the contrary. I've met some lawyers who are not only information security savvy, but are more up-to-date on data safeguards and risks than their information security officers!
Ultimately, information security and privacy leaders and practitioners must ensure their business executives (the CEOs, CFOs, COOs, and others who ultimately set the course for the organization) know and understand the privacy issues the organizations must address. That is part of your job as an information security and/or privacy leader: to educate those at the helm of your business. You are the subject matter expert (SME) for information security and privacy, not your executive management folks. Establish ongoing communications with them. Send them regular, such as quarterly, reports of your organization's privacy health, challenges and successes. Let them know how you are working with your legal counsel to work on regulatory and contractual requirements. Send them messages about incidents that could happen within your organization, and let them know how your organization can avoid being in the same type of headlines. Take them to lunch and tell them what keeps you up at night regarding privacy within your organization. And so many, many more ways...
I cover this in detail in a couple of my books. For more detailed information on managing your privacy program, get The Privacy Management Toolkit. For a vast array of ideas for communicating the information security and privacy issues to your upper management, as well as throughout your entire organization, get Managing an Information Security and Privacy Awareness and Training Program published by Auerbach.