Since stepping down as the CIO of a global media network, I have spoken to and worked with more than 70 companies across four continents, all sizes, structures, and in numerous industries, and examined the security and privacy program competencies of many of these. To varying degrees most have made investments in advancing their privacy efforts. They have worked through specific obligations as defined under varied law, adhered to frameworks, invested in supportive platforms, and have begun documenting their processes, relationships, and data collection practices. They have posted needed disclosures. They have worked through policies and agreements as required by the varying laws to which they are required to comply. They have developed procedures to address requests or redress issues on behalf of individuals with respect to their processed data. Some have conducted training. These are all significant efforts, loosely defined but still what is mandated under the articles of the varied laws. Ownership was typically tasked to one or more operational or administrative departments, Legal, IT, InfoSec, Risk, Marketing, or a designated Privacy Office. Most were supported by solutions providers, implementation professionals, or external counsel with varying participation from impacted business units. Progress varied.
It is said that privacy is a journey not a destination. But we have a lot of roadmaps. And we have had considerable time. Still, we are not where we need to be. Many companies remain deficient or are struggling. Some are paused or uncertain as to direction. Few companies have fully matured and operationalized their privacy programs. Less than few have internalized them as a core value.
But can the privacy journey be successful
- If treated as a checklist of mandates required to comply with one or more laws
- As tasks assigned to siloed specialists lacking the mission, reach or influence needed to impact the core values and culture of the business
- If existing laws are frequently challenged or change, opinions conflict, and new laws continually emerge
- Business, markets, data, risk, and workforces are all in flux
- Unless integrated to the business
- If not a stated imperative for leadership
There Are Structural Barriers
- Many companies struggle with the effective flow of policy, process, and message across lines of business. They struggle with silos, reach, distractions, resistance, weak uptake, and poor adoption.
- For some the issues are duplication and derivation. Departments establish their own programs, describe like processes and data differently or inconsistently, perform similar or redundant processes, replicate, enhance, transform, or silo similar data to or from varied media, different places, disparate platforms, and for varied purposes and uses.
- Enterprise structures change and vary. Lines of business grow, are sold, acquired, straddle multiple industries, geographies, markets, operate under differing regulation, or in different roles, B2B or B2C.
- And then there is language. Stakeholders often hear the same words differently, and approach problems from very different views. Protective measures are contracts to attorneys, but something different to operations and to technical security teams and even more so to the business data owners.
Any of these are issues that can impede the operationalization of a privacy or data protection program across an enterprise or the observability of its data. But little of the above is addressed in any meaningful way by most privacy programs.
These are all imperatives to address, issues that produce discordance in operations and compliance. But they are structural issues. It is only corporate diligence and the authority of recognized leadership, by whatever title and wherever in the company it is held and voiced, and vocabulary, and clear message, that together can bring down these barriers, dictate structure, shape culture, create common purpose, and is what is needed to advance privacy as a core corporate value.
There is a Clear Goal
Without doubt the intent amongst privacy regulation architects and thought leaders globally has always been to permeate business with privacy as a core value. To embed a respect for the interests and expectations of employees, consumers, and all others with whom we interact while doing business. A consideration to do unto others, take from others, impose on others, or ask of others only that which we would of ourselves in every business transaction, communication, authentication, establishment of privilege, or other ways in which we interact. A respect for the care and value of the data about them that we hold and process. One would be hard pressed to believe that any architect of the laws sees the semi-prescriptive requirements and formats mandated as anything more than a tactical minimum. Or absence of clarity, continual challenge, reinterpretation, and revision as anything but complicating adoption. Clearly privacy by design aspires not just to introduce privacy earlier and intrinsically in the development process but also to embed the principles of legality, fairness, transparency, purpose limitation, data minimization, accuracy, limits on retention, accountability, and other good and ethical principles in our day-to-day activities and operations. This is the privacy enabling of a company culture.
Only Leaders Can Influence a Company Culture
Integrating privacy as a core value to the culture of a company is accomplishable only by leadership.It is accomplished through demonstrated action and a consistent tone. Clarity that leadership cares about privacy and the rights of individuals. That these rights express their personal values, and those of the company, its markets, and the communities they serve. It is about message, motivation and incentives, each advocating and espousing that privacy as a core value makes us a better company, that it is representative of our brands, and is an important element of our corporate culture, a value that we should all embrace. The power of a CEO stating “This is important to me personally and for all of us as a business” cannot be overstated in its ability to bring down barriers and define a path forward. Absent this, structural barriers are often insurmountable, adoption is difficult, and programs are an uphill climb. Whether for privacy, ethics, respect, cooperation, inclusion, diversity, equity, excellence, or establishing a shared expectation of how business should be conducted, only visionary, exemplary, and responsible leadership has the power to shape the culture of a business. I can offer an example from experience.
Over my career as a CIO, I had the opportunity to work for, and with, many very good people. I had the privilege to lead a very great team. When discussing culture, one CEO, Nick Davatzes, now passed, stands out more than any other in his efforts to foster a community, a culture, and as an exceptional leader. He led a company based on strength of character and concern for people.
He made this paramount. It was simple things. He would start each day by walking every floor to say good morning. It was a small thing, and a small company at that time, so covering the floors in an hour was certainly doable. But it was the message being sent, the signals, and the response from the staff that were telling. He cultivated a sense of belonging. A sense of shared interests. His message was one of ethics. He would say, and I paraphrase, ‘I’d rather that we walk away from business, than do business in a way that we wouldn’t be proud of’’. It was a tone that he wanted more from us than just business, he wanted business we could respect. Whatever any other did, he wanted us to stand apart and above in that way.
He wanted a company of leaders. He would deliver a message of individual importance and shared contribution. All roles were important, and all roles were respected and valued. He would periodically stop at an office or desk at random and strike up a conversation. He wanted a feel of openness and community and conveyed an importance and value in his employees. He was establishing a culture, and it was immediately felt in how individuals worked with each other, and how departments worked together, and how we were perceived by the industry and business partners. And as the company grew globally, of course there were no more walks, but that culture of contribution and pride in belonging persisted. So, did the message of ethics. So, did the pride in leadership and participation that he instilled. It was a privilege and an education to have worked for him.
How do we define the culture and values we want in our business? Each of us as leaders will confront the questions of language, and culture, and grapple with what that means regarding controls, the guardrails of our corporate culture. Which of them we select to implement, and how we implement them. Where does ethics sit in governing our actions? How do we balance oversight and trust, or the interests of security and privacy? These will set our priorities as we define our teams and establish relationships across the enterprise.
There are many excellent leaders in business. More than any selected platform or approach, it is a tangible corporate vision, and a commitment made by leadership to a culture that embraces excellence and common interest that defines success in corporate governance. Only leadership can advocate for:
- A culture of ethics, and a concern for people and their interests as individuals.
- A commitment to responsibility, accountability, and observable enterprise values.
- The right tone set at the top, executive and line of business, messages sent, and clarity of signals.
- The breaking down of barriers to excellence
Each of these alone are attributes worth pursuing, and together the building blocks of a better protected and more effective business. This is true regardless of size of company, industry, name recognition, or any other parameter. These are signs of maturity in a well-run company. The best of companies strives to attain these qualities.
Tone From the Top
Business leaders know the formula. It is about advocating a culture of respect, responsibility for our decisions and actions, a shared objective incentivized, and a concern for the company and each other. About cultivating a culture of concern for people and caring about their interests as you would your own. A clear message that wherever we are now, we are going to be better, focused on excellence, our people, what we do, and the way we do it, demonstrable of the core values that our brands represent.
For too many companies though, privacy has been delegated an issue of lawyer ship, not leadership, a focus solely on the law. Or it has been delegated to specialists or as a peripheral concern to CISOs. But privacy is not only a legal issue to an operating business, nor is it one of technology, or addressable solely by focus on security and security process. It is not just a regulatory exercise, or a checklist, or for compliance alone. It is about cultivating a culture and community that accepts, adopts, and internalizes its principles. And it is only through leadership and message, the advocacy of a language and culture of ethics, respect for the rights of people, a sense of community and common purpose, and acceptance of the importance of data and its proper use and care, that privacy as an element of culture can be embodied to the core values of a company.
Martin Gomberg can be reached at mgomberg@cyberite.com.