It's an increasingly familiar scene: The IT manager lingers after a meeting with the chief privacy officer (CPO) to see how he, too, can become involved in privacy, the defining issue of the Information Age. Why is this happening in my company and others? Probably because IT pros know better than anyone how personal data needs to be protected, and they're motivated to make things right. But before you make the big leap from IT to privacy, run through this checklist to see if the move is right for you.
Step 1: Find out if you'd actually like the daily tasks.
The mission to protect people's privacy can be very inspiring—but the reality within your company may be quite different. The privacy function where I work encounters a great variety of challenges because we operate in many industries and countries. But if your company serves a single industry—such as finance or health care—and you have offices only in North America, your job may be limited to routine compliance tasks that are more distant from the mission of protecting people's privacy.
What makes up the daily life of a privacy professional? The best sources of information on the profession are the International Association of Privacy Professionals (IAPP) and the Ponemon Institute. Their 2005 joint survey discovered that privacy officers spend roughly half their time on three activities: responding to incidents, developing and implementing policies, and advising the organization on proper privacy practices. (For a breakdown of the results, see the table below.)
Privacy Professional Key Duties

Managers involved in IT governance may find several familiar tasks in a privacy job, but some tasks such as analyzing privacy regulations and providing privacy consulting to the company are likely to be new territory.

| Core activities | % of total time |
| --- | --- |
| Responding to incidents | 19 |
| Developing and implementing policies and guidance | 14 |
| Advising/consulting the organization | 13 |
| Administration (personnel and budget) | 9 |
| Developing and performing training and communications | 8 |
| Developing privacy strategies | 7 |
| Analyzing regulations | 7 |
| Performing risk assessments and data inventories | 5 |
| Monitoring and measuring compliance (enforcement) | 4 |
| Reporting to management | 2 |
| Other | 12 |

Source: International Association of Privacy Professionals and the Ponemon Institute's 2005 survey of 224 privacy professionals
Step 2: Find out if you'd have direct C-level support.
Everybody wants top-level support for their projects. But for a function as new and undefined as privacy, it's essential. Without it, you could easily find yourself in a career cul de sac, spending years in the bureaucratic wilderness without meaningful results. How can you tell if privacy is valued by your company?
First, look at who the privacy leader reports to. Ideally, it's directly to the CEO, so that the privacy perspective has an equal and independent voice in the boardroom. It's still a strong sign if privacy reports to a C-level board member.
Second, if privacy doesn't report to the CEO, look at where it's positioned in the organization. Ideally, it'll be in the marketing or risk departments so that it takes a strategic approach. If privacy is in the legal, compliance or technology departments, its role in your company will probably be narrow and more tactical.
Finally, scope out the resources allocated to privacy. If you're in a Fortune 500 company dealing in customer information, the privacy function will need at least a few full-time equivalents and a budget sufficient to fund a few enterprise-scale projects. An ideal privacy team would include an attorney, a technologist, a marketer and a project manager to reflect the skill sets most often needed to produce privacy solutions.
Step 3: Map your next two career steps.
In IT, you're probably familiar with a predictable career path that ultimately leads up to being CIO. But in privacy, there's no such thing as a career path. Most U.S. companies are still in their first generation of chief privacy officers, and few of the CPOs I know have moved on to other roles. As a result, their staffers aren't moving up and becoming CPOs. Why isn't there more movement in the privacy ranks?
I think the main reason is that companies don't really know yet how to think about the privacy function and where it fits in their overall business strategy. As a result, there isn't a clear logical next step for the CPO. Until the CPO becomes the overall customer information strategist (responsible for not only protecting information, but also helping to formulate the strategy for collecting and using that information), your privacy career path may be limited. So ask yourself if there is a realistic opportunity for you to make two career moves in the privacy function: first into a full-time staff position, then taking over as CPO.
Step 4: Do you have the right skills?
Many privacy pros have come from the IT ranks, but to progress in the profession, you'll need to acquire a comfort level with legal concepts and processes. You'll need to be able to read an opaquely written law, interpret whether it applies to your company and determine what steps you'll have to take to comply with it. You'll need to be able to detect whether a change in a law or a lawsuit resolution represents a significant development deserving your further attention. If you work for a multinational company, you'll need to understand the different legal and legislative processes in the countries in which you do business. You'll also want to put on the mind of a lawyer when assessing a new project or system for overall privacy compliance.
Unfortunately, there's no shortcut to building these skills outside of daily on-the-job experience. For starters, though, participate in the IAPP's training and testing process to become a certified information privacy professional (CIPP). This is the best general training available to gain a working knowledge of the most important privacy laws and concepts.
How to make the move
The good thing about making the switch from IT to privacy is you don't have to do it all at once. The CPOs I know are always eager to get temporary help on specific projects such as privacy audits and privacy awareness campaigns. Many CPOs have also formed networks of privacy champions across their companies who have their bosses' approval to devote a portion of their time to tasks defined by the CPO. And even if this checklist has raised some doubts in your mind about a total jump to privacy, remember this: I've never met a person with "privacy" on his resume who was out of work. So what've you got to lose?