Editor’s note: Dave Bowden, CISM, CIPT, CIPM, PMP, CSM, VP - Information Security, Data Privacy, Compliance & Information Technology, Zwift, Inc., and a member of ISACA’s privacy advisory group, recently visited with ISACA Now to discuss the state of the privacy field and how different stakeholders in an organization can come together to create comprehensive privacy solutions. The following is a transcript of the conversation, edited for length and clarity. For additional ISACA privacy resources, learn out about ISACA’s new Certified Data Privacy Solutions Engineer (CDPSE) certification and join the privacy conversation on Engage.
ISACA Now: Nearly 9 in 10 respondents to a recent ISACA survey expressed interest in growing their privacy skills. Why do you think that is the case?
It comes as no surprise that such a high number of ISACA survey respondents want to increase their privacy skills. With all major countries in the world creating their own specific privacy laws, the field of privacy is one that will continue to increase over time and impact many teams and areas within a company. Understanding privacy, the principals of privacy by design and the technical implementation of privacy policies, controls and tools will be increasingly crucial.
ISACA Now: What is missing in training and certifications currently available to IT professionals in the privacy space?
Ninety percent of the training materials and content is geared toward legal professionals. Oftentimes the privacy industry forgets that while the legal aspect of privacy is important, it takes technicians and engineers to make all of this work. Having content specific to technical professionals that helps them understand the what, why and how of all that needs to be done to address privacy challenges, followed by requirements or best practices, would help technical privacy professionals work hand-in-hand with their general counsel, compliance and other privacy counterparts. There is a huge gap in the legal aspect and the implementation of technology to facilitate the legislative requirements. Anything we can do to close that gap helps.
ISACA Now: How should IT pros decide which privacy certification is right for them?
In my mind as a practicing privacy professional, I see three primary types of practitioners, each having their own specific track to certification and training. There is the legal professional, whose focus is more on the legislative requirements and the understanding/application of the law as it pertains to the company’s business. There is a technical privacy professional (often an infosec practitioner), whose role is to implement technical policies, procedures, systems and protections as they pertain to the law and the business. Finally, there is the hybrid role that can do both.
Each of these roles have overlapping certification and training requirements and each has areas of specialization where the training and certification can go deeper in their respective areas of training and specialization. I think all privacy pros should decide what role they want to focus on and then seek training, mentorship and coaching to work and grow in that category. Personally, I have been coding since 1979. I know hardware, software, compliance and now legal. So, I have focused on the training and certification that allow me to work in the hybrid role so I can be a bridge between the legal aspect of privacy and the technical aspect of privacy. Lawyers and infosec professionals at times have a very hard time communicating and understanding each other. Being able to bridge the gap – understand the legal and the technical aspects of the “how” – is a truly valuable position. Fortunately, ISACA with its new privacy certification and its focus on technology, risk and information security, is very well-positioned to offer the training and certifications to help individuals grow in what is a very needed and important role.
ISACA Now: How can technical and legal professionals complement each other to create comprehensive privacy solutions?
First and foremost, In my experience the key to success is that the C-Suite must make privacy a priority, bring the right people from the right teams together and create a corporate initiative that is endorsed and empowers these people to be successful. Communication and relationships, followed by trust, are key. The legal arm largely doesn’t understand the technical implications nor the complexity associated with some of the legislative asks that come with these privacy laws. Conversely, IT/infosec professionals don’t necessarily understand some of the vague requirements these laws impose and oftentimes misunderstand the nuance of the law. Being able to communicate with each other and understanding that all members of a privacy practice at any company are working together to achieve the same goal is key. To me, this is a collaboration and not a hierarchy – meaning, both roles are equal and important to the success of the company and its privacy practice. One role is to interpret the law and its application to the company (requirements); the other is to consume those requirements and implement them in a manner that achieves a level of compliance that is acceptable to the company from a risk perspective. In my experience, the key to success is that the C-suite must make privacy a priority, bring the right people from the right teams together and create a corporate initiative that is endorsed and empowers these people to be successful. Anything less takes significantly longer.