Larry Ponemon is an information privacy guru who champions the idea of privacy as a driver of business performance. A consultant, professor at Carnegie Mellon University, and chairman and founder of the Ponemon Institute, a think-tank devoted to the ethical use of information, Ponemon has done extensive research on privacy and shared his findings with some of the largest corporations in the world. One product of his research is a list of eight critical steps to take to raise the level of awareness of privacy issues, which he has presented to select gatherings of top information executives. Here, Dr. Ponemon offers exclusive commentary on his ideas for CIO Insight.
1. Understand information risks and prioritize key vulnerabilities.
"That means laying out the potential dangers in every areabusiness risk, technology risk, and cultural or organizational problems."
2. Ensure that senior executives see the value of establishing a common ethics-based framework to control privacy and protect data.
"Every CIO needs the buy-in of other stakeholders across the company. A marketing executive, for example, may need to catch up on the business reasons for allowing customers to opt out of loyalty programs. Sell it as a value proposition for the business, not just something to fear."
3. Establish a governance structure that is aligned with accountability and with organizational culture.
"This is a matter of aligning all parts of the company so that everyone is working from the same plan, then coming up with ways to hold people accountable for following that plan. Choose methods of accountability that fit your company's culturewhat works at a bank might not be a good fit for a retailer."
4. Develop key performance indicators to ensure long-term success of information security policies and procedures.
"Be honest with yourself and stick to goals that deliver on the value proposition of privacy. Don't set goals that you can easily meet, like a low opt-out rate, because that may actually have a negative effect on business performance."
5. Create an enterprise-wide understanding of the need to protect sensitive and confidential information.
"Privacy issues involve everyone, from the CEO to the call-center employee in India. Push activities to create an understanding of privacy goals across the company, and common sense will accomplish about 90 percent of your mission."
6. Monitor and measure performance against well-defined privacy plans.
"Generate a scorecard or find some comfortable way to determine if the company is following the indicators discussed above."
7. Assess how well you are mitigating information risks and vulnerabilities in an objective manner.
"Create a picture of privacy goals and results from the data you collect. It's a form of risk analysis to see how well you are reducing the problems identified."
8. Obtain constructive feedback from senior executives, the board of directors and outside stakeholders to improve privacy management practices and policies.
"Keep top leadership informed and in touch, and reaffirm that what you are doing is consistent with the broader mission of your company. Tell management the story of privacy and its business value on a regular basis."