November 7, 2022

Last Updated on January 15, 2024

Back in the day, privacy and information security were separate functionally and organizationally. Now they’ve increasingly merged. What does that look like for forward-leaning orgs? Where are the trending convergences and divergences?

To talk about privacy programs from both launchpad and leadership perspectives, a recent episode of The Virtual CISO Podcast features Rosemary Martorana, CPO at Corning. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

Why sweat privacy?

Rosemary acknowledges that SME cybersecurity pros charged with standing up new privacy programs often have some trepidation. But she questions whether that’s fully warranted.

“It breaks my heart a little when I hear people hesitate or get uncomfortable when we talk about privacy,” Rosemary shares. “Because when you think about it, at its most basic level, information security is protecting against the unauthorized use of information and then mitigating those risks. Now let me just tweak that statement slightly and say, ‘protecting against the unauthorized use of personal information.’ Now you’ve just crossed into the world of privacy.”
3 things to get right

To get privacy right, Rosemary advises nailing these 3 things, first and foremost:

  • Build strong collaborative relationships with your key partners, such as your security and legal teams
  • Understand your company’s risk tolerance
  • Understand your company’s business objectives

Unless you’re aligned with the business, you can’t effectively focus on what it looks like to comply with a specific privacy regulation or other guidance.
Like love and marriage

In Rosemary’s view, physical security, cybersecurity, and privacy are all intertwined now at the level of implementation.

“You can’t have one without the others anymore,” sums up Rosemary.

So, where is the unfamiliar privacy territory? It’s the heavier emphasis on the legal and compliance components.

“With these regulations come some pretty hefty fines that make people wary,” Rosemary observes. “They’re not sure always how to interpret the rules that are set forward. And again, those rules can be nebulous. Those regulations are not always written with the utmost clarity that a lot of our information security professionals would like. So that becomes the uncomfortable space people find themselves in.”
Back to business

But Rosemary restates that the real secret to success in the privacy arena is relational, not operational. “Having a healthy business model and then working closely with those business teams is going to be critical to success in the privacy space,” Rosemary notes. “It’s a nascent space. People are still trying to navigate and find their way.”

“I think we’ll see the privacy skillset grow in information security practitioners, whether they like it or not,” adds Rosemary. “And I think you’ll start to see more people becoming Certified Information Privacy Professionals (CIPPs) and things of that nature.”
What’s next?

To listen to this podcast episode with Rosemary Martorana, click here.

Is your business in the market for a privacy lead or Data Protection Officer (DPO)? This blog post shares advice on skill requirements: Skills SMBs Should Look for in a Privacy Lead