My thesis is that there needs to be a concerted effort to develop a
liaison group involving people who feel comfortable in both areas, Privacy
and IT Security. These people should understand how data is used within IT,
and what expectations Privacy places on the organization.
So let's explore.
In the vast majority of enterprises (those that have an IT department and
are also concerned with privacy, as all companies should be) there are Privacy
personnel and IT Security personnel whose function it is to enhance, maintain and deploy processes to
secure the network assets from the 'bad guy'.
But before we delve into this much further, let’s explore some of the foundations
of these two organizations.
Privacy requirements come from various regulations and laws. They
are formulated and created either by government or by professional organizations. Examples
include PCI DSS, SOX, GLBA, PIPEDA and the EU Directive, to name but a few.
These regulations and laws are, for the most part, drafted by lawyers, civil
servants and professional committees. I digress with a quick joke. What is a
camel? A horse designed by a committee.
The point is that, as written, these regulations are not written for the 'common
man'. They deal with the legal aspects of privacy and, as such, are written in
'legalese'. So to be able to interpret them, create processes to address them,
and ensure compliance with them requires individuals who can
understand those same rules. That is, one with expertise in the legal and/or
Security comes from the technical world: the idea of what kind of security
appliances are needed to monitor and secure the systems, network and infrastructure that
are in place within the organization. Understanding networking
protocols, threats, vulnerabilities, etc. needs someone who understands the
technically complicated Security realm.
So far so good.
We also understand that to have Privacy, one must have Security; otherwise
the organization's public reputation, never mind its ability to function under
government rules and industry regulatory oversight, may be in jeopardy (i.e.
data breaches, etc.).
However, how many Privacy officers know anything about a 'DMZ' or a DLP
appliance (to name but two Technical Security phrases/gobbledygook)?
That is the Security guy's responsibility, right?
How many security personnel understand the ramifications of a stolen laptop
with an encrypted disk holding PII from customers in the US, or of the PII
belonging to customers located within the EU? That is the privacy
So that is the dilemma. Each department needs to 'use' the other's
expertise. But is there a common language? One group doesn't know what it
does not know, and the other assumes that everything is addressed. This scenario
is a problem waiting to happen.
So let's take an example. But please note that the following example is only
being used to highlight my point. It is an oversimplification of the issues.
A new network is being developed to support an application that is being
rolled out shortly. This application contains PII/PHI information. In one of
the meetings the CPO makes it clear that this type of information needs to be
protected and secured. The Security guys go to the back room and incant some
magic spells over a rack of computers/servers (sorry, I could not help myself)
and POOF, out comes a Security policy/procedure plan for the roll-out.
The plan contains the proper role-based security rules (RBAC), checks, logs,
etc. The Security guys go out for a drink to celebrate the culmination of
designing a 'fool proof' Security envelope (as if there was such a
The Privacy person figures out that the proposed process meets the needs and
regulations and goes home with a smile on his/her face. The only people who are
authorized to see the information will have the ability to view the PII/PHI.
However, did anyone look at how support is going to be done for this
application? The Privacy professional is not a techie and does not know what
the 'normal' infrastructure for support, maintenance and development of an
application is. And why should he/she? Right?
The CPO has no idea that during the development and support phases of the
project, copies of the real data may be created to provide a more
realistic test bed for QA/regression testing (see my previous blog entry
for a further discussion of this issue).
Did anyone look at the possibility that there may be data leakage within the
test/regression system (PII that can be emailed in the clear from a
developer workstation)? Did the person
responsible for Privacy understand the need for a possible Security hardware
deployment within the test environment to prevent data leakage? And where should
that hardware be deployed? How do third parties access the data for
testing? Should they be able to see the test (or Production) data? Should this
be considered in a BCP (business contingency planning) document?
The people responsible for Security understand the basic Security 'triad'
(CIA: Confidentiality, Integrity and Availability) and have created a process
that addresses these requirements. In this case the Security personnel, and maybe
the network administrator, have designed a comprehensive plan to secure the
network the new application will live on.
But what do they understand about issues like: if a disk drive goes missing,
even if it is encrypted, they may still need to notify government authorities (EU
directive)? And this must be detailed in any contingency planning.
Do they know that they need to talk to the Privacy department to look
at how test data is used and abused?
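The test-bed problem above (real PII copied into QA/regression systems, and nobody checking what ends up there) is the kind of thing the two groups would jointly own. As an added example, not from the original post, here is one defender-side control: pseudonymize the direct identifiers in a production extract with a keyed HMAC before it is loaded into the test bed, so test cases that join on those fields still work while the key stays on the production side, and gate the load on a scan for anything that still looks like raw PII. The record layout, field names and key are assumptions.

```python
"""Added example: mask a production extract for a QA test bed and verify
that no raw PII survives. Layout, field names and key are assumptions."""
import hashlib
import hmac
import re

# Constructed sample of a production extract; every value is made up.
PROD_ROWS = [
    {"id": 1, "email": "alice@example.com", "ssn": "123-45-6789", "region": "US"},
    {"id": 2, "email": "bob@example.org", "ssn": "987-65-4321", "region": "EU"},
    {"id": 3, "email": "alice@example.com", "ssn": "123-45-6789", "region": "US"},
]
PII_FIELDS = ("email", "ssn")          # direct identifiers; the rest stays as-is
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token: same input -> same token, so joins in
    the test bed still line up; without the key the token cannot be
    reversed or re-linked to the real value."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def mask_extract(rows, key: bytes):
    """Return a copy of the extract with every PII field replaced by a token."""
    return [
        {k: (pseudonymize(v, key, k) if k in PII_FIELDS else v) for k, v in row.items()}
        for row in rows
    ]


def find_leaks(rows):
    """Load gate: report (row id, field) for any value that still looks like
    an e-mail address or a US SSN, whatever column it sits in."""
    leaks = []
    for row in rows:
        for field, value in row.items():
            if isinstance(value, str) and (EMAIL_RE.search(value) or SSN_RE.search(value)):
                leaks.append((row["id"], field))
    return leaks


if __name__ == "__main__":
    key = b"placeholder-key-kept-in-production-kms"   # assumption: never copied to QA
    test_rows = mask_extract(PROD_ROWS, key)
    print("raw extract leaks:", find_leaks(PROD_ROWS))   # non-empty: block the load
    print("masked extract leaks:", find_leaks(test_rows))  # []: safe to load
    print(test_rows)
```

The same `find_leaks` scan run over outbound mail or developer-workstation exports is the cheap first check for the "PII emailed in the clear" case the post raises.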
The above-mentioned questions are rather oversimplified. And of course, during
the normal working day, the Security department and the Privacy department
would talk to each other. BUT
The old adage is very relevant here: 'I don't know what I don't know'. In
the case of the Security personnel, they don't know enough of the Privacy
realm to make sure everything is addressed. And the Privacy officer does not
know how the data is used, to the point that she/he would not know to look into
areas that are not obvious, i.e. the test bed, third-party issues, etc.
So what is the answer? Cross-train personnel. (Easier said than done.)
Have the Security department take a course like the CIPP, offered by the
International Association of Privacy Professionals. This will give those
individuals some insight into the issues pertaining to privacy.
Have the Privacy personnel take a certification course like the Security+
offered by CompTIA. However, this may be more problematic because there is an
assumption that the person taking this course (or one that is similar) has some
basic knowledge of networking and IT in general.
Failing that, have the people in the CPO office at least try to get the basics
of Security down, so the next time the two groups meet they can at least talk a
common language. This would help reduce the chance of something being
missed, and help projects come in on time.
Tuesday, July 9, 2013
Sunday, July 7, 2013
Mobile: 416-876-2979 · Email: firstname.lastname@example.org
Over seventeen years of experience as presales engineer and consultant in the software industry, combining high-level sales and marketing knowledge with deep operational experience, technical savvy and cross-functional communication abilities. Extensive experience supporting sales initiatives, managing customer relationships, handling customer service calls and consultations, and maximizing client ROI on software solutions.
Areas of Strength
COMPUWARE 1996 to 2013
Leading provider of IT software, services and best practices to deliver peak performance for technologies worldwide.
Sales Engineer & Consultant
- Provided technical analysis concerning Data Privacy to facilitate completion of RFI and RFP responses for various clients, with 85 percent success ratio.
- Delivered high-impact presentations to clients leveraging strong technical skills.
- Managed interoperability and alliance between software solutions and customers’ strategic business plans.
- Helped potential clients understand, compare and contrast several IT solutions.
- Collaborated with sales to develop cost justifications, business proposals and responses to RFI/RFPs.
- Engaged and coordinated post-sales implementation engagements.
- Helped close a minimum of $2 million in sales 13 years in a row.
- Anointed to learn, support and sell two entire product lines, due to the unique requirement of support and sales in both English and French.
- Contributed to a team that achieved a minimum 97 percent maintenance renewal.
- Liaised with Product Development and Marketing departments, performed client sales management, and reported on industry/market trends, competition, and needs.
- Maintained extensive and specialized knowledge of COMPUWARE’s products, customers and competition, to enhance customer service ability and stay current on company offerings.
- Produced detailed phone support, personal product demonstrations and on-site evaluations of clients’ current software solutions.
- Responded to requests for information or pricing in an efficient manner and prepared sales package proposals.
- Trained and lectured clients, staff and executives on various solutions, including Data Privacy and Application Auditing.
- Facilitated customers and partners, as well as on-site professional services support such as installations and configurations upon deployment of software.
- Created, updated and disseminated training materials for 10 different software products on both mainframe and mid-tier/distributed environments.
- Served as Project Manager/Team Lead developing and updating training material with a specific timeline and with the participation of 10 team members.
- Gained proficiency in MS Windows, MS Office, Salesforce.com, and Data Privacy Solution Mainframe.
- Was one out of two people chosen (out of 24) to be a mentor for the Professional Development Program, training non-IT professionals to be support personnel.
- Worked in various realms, including ETL, Data Privacy in the testing space, Data Management and Data Optimization for both short-term and long-term sales cycles.
MONTREAL TRUST / BANK OF NOVA SCOTIA 1984 to 1996
Premier financial institution providing personal, commercial, corporate and investment banking services to individuals, small and medium-sized businesses, corporations and governments.
Principal Analyst & Team Lead
- Oversaw the team responsible for financial systems, including general ledgers, accounts receivable and accounts payable within the Trust Unit.
- Apprised management of more efficient methodologies to ensure better business decisions.
- Provided guidance, instruction, direction and leadership to the team to achieve key results for clients.
- Coached and matured the skill level of direct reports in order to continue their long-term development and ensure solid succession planning and departmental success.
- Liaised with Payroll, HR and Executive Offices as a subject matter expert.
- Gained proficiency in COBOL, IDMS, and IBM Multiple Virtual Storage (MVS).
- Created “What if” scenarios and provided support for non-technical end-users.
- Designed major conversion project for Pension Plan Changes/Acquisition (BNS).
- Worked with the Finance Team to determine the ongoing business needs and requirements for the reporting of all assets, sales, redemptions, management fees, trailer fees, and advisory fees.
- Knowledge of security concepts, tools, and procedures to react to security incidents, to ensure that security personnel are anticipating security risks and guarding against them.
CIPP/C: Certified Information Privacy Professional/Canada
- Demonstrates understanding and application of Canadian information privacy laws, principles and practices at the federal, provincial and territorial levels.
- Requires completion of Certification Foundation Exam and CIPP/C Exam.
CIPP/IT: Certified Information Privacy Professional/IT
- Entails understanding privacy and data protection practices in the development, engineering, deployment and auditing of IT products and services.
- Necessitates completion of Certification Foundation Exam and CIPP/IT Exam.
IBM Certified Database Administrator – DB2 9 DBA for z/OS
- Validates capability of performing intermediate to advanced tasks related to database design and implementation, operation and recovery, security and auditing, performance, and installation and migration/updates specific to the z/OS operating system.
Concordia University, Montreal, Québec
Bachelor of Commerce, Accounting (1979)