November 10, 2022

Last Updated on January 15, 2024

Data privacy has a legal and regulatory compliance aspect that is outside the comfort zone of most information security practitioners. If you’re dealing with privacy challenges from an information security background, what are best practices for embracing this specialized area?

To share ideas on how to move from information security into the privacy space, a recent episode of The Virtual CISO Podcast features Rosemary Martorana, CPO at Corning. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.


Leverage legal counsel

Coming from a physical security background, Rosemary knows firsthand about the challenges of dealing with privacy legal interpretations.

“When I took this role [at Corning], the first thing that came to mind was I am not a lawyer, nor do I ever intend to be a lawyer,” says Rosemary. “But the great news here at Corning is we do have fantastic in-house legal counsel. A multinational corporation like Corning also has in-region counsel that we can lean on. And I lean on them every day for interpreting those regulations and helping to put up guardrails as to what we can and shouldn’t be doing.”

“While lawyers are great at telling you about regulations and interpreting those regulations, they aren’t necessarily the tacticians on how a corporation is going to confine itself to those regulations—which is where I tend to thrive,” continues Rosemary. “So, Corning chose someone with more project and program management skills who really wants to be in the trenches.”

While experience looking at regulatory requirements is useful for a CPO, soft skills like good communication skills, intellectual curiosity, problem-solving ability, and analytical skills are also key.

“If you can surround yourself with those lawyers, you really don’t need that [yourself] to be successful in a position like this,” summarizes Rosemary.


Talk to the business

Making a privacy program work takes more than good legal advice. It’s also critical to align with corporate objectives within the context of privacy and security goals.

“One of the things I always tell my team is that we will never say no to an ask from the business,” offers Rosemary. “But what we will ask them to do is help us make sure we wrap that security bubble around them. We know the teams want to move quickly. So how do we then ensure that they have the appropriate security controls in place to be successful?”

That’s why conversations between the privacy team and business leaders should happen early and often.

“We’re a part of those initial conversations, so we can architect things appropriately so they can move forward and advance the corporation,” Rosemary clarifies.

John calls it a “we’re not going to be a speed bump” approach to partnering with the business. And that’s largely about clear communication.


What’s next?

To listen to this podcast episode in its entirety, click here.

Looking for a privacy lead? This blog post shares a short list of talents to consider: Skills SMBs Should Look for in a Privacy Lead

ISO 27701 Certification Guide

Discover what you need to achieve ISO 27701 certification! You are 6 simple steps away from "provable" compliance with every Privacy regulation.