Corner office of the CPO

Become a Data Privacy Hero and Earn a Corner Office as Chief Privacy Officer

Information Security experts and experienced IT professionals, you stand at a career crossroads.  Whether you realize it or not.   The ground is shifting under the workforce management foundations of the IT and tech sector.  Those savvy professionals who understand the shift will be able to capitalize on their perspicacity, becoming heroes within their organizations and potentially tapping into rock-star-level financial benefits.

Want to become a hero in your organization/industry, and be ahead of the curve when it comes to the next wave of rock star job growth?  Take measures to become a privacy expert.  The role of Chief Privacy Officer (CPO) is a newer executive job description and its quickly become one of the most important given the current information security environment. 

A CPO is not the same as the more traditionally known Chief Information Officer (CIO) or Chief Information Security Officer (CISO) roles.  There is a reason why, despite the best efforts of CIOs and CISOs – and despite the significant budget allocated to these leaders to guard against data breaches – threat actors continue to be successful in breaching secure information systems.  Data breaches have become a daily occurrence even among the largest, and supposedly most secure organizations in the world.  And almost every breach can be traced back to failure to adequately protect unsecured external data.  Many organizations are awakening to the reality that there are far fewer positions in the corporate sector focused predominantly on privacy than there are focused on security.  And they’ve begun to address this glaring deficiency, opening up rewarding career pathways to IT pros with a good grasp on how privacy factors into contemporary InfoSec practices.

This paper will provide credible evidence from trusted sources supporting the claim that there is about to be a massive embrace of privacy-related jobs and activities globally.  In response to the tsunami of devastating data breaches and other cyber-attacks being experienced daily, trends already point to increased growth in demand for qualified professionals to inhabit the Chief Privacy Officer role.  More and more organizations are realizing the imperative and creating this new C-suite role within their leadership structure.  This paper will also provide some insight into what the Chief Privacy Officer role involves and how readers can embrace external data privacy management strategies to propel their career forward and seize a lucrative new leadership position in a market exhibiting robust demand for their expertise.

IT Profession Slumping – But Privacy is a Bright Spot of Extreme Growth

250,000 workers in the tech sector of the United States have been laid off since the start of 2022 according to the “Layoff Tracker” at Layoffs.fyi, a website providing detailed information on job losses by career track. 

Analytics Insight reports that in August 2024 alone, more than 27,000 tech jobs were lost in the US.  Industry leaders like Apple, Intel and Cisco led the wave of layoffs in August, 

TechCrunch goes a step further providing a comprehensive list of 2024 tech layoffs with many from large enterprises like Tesla, Amazon and Microsoft.  Their month-by-month list of layoff numbers shows:

  • 19,350 layoffs in January
  • 25,589 layoffs in February
  • 7,403 layoffs in March
  • 22,153 layoffs in April
  • 9,882 layoffs in May
  • 10,083 layoffs in June
  • 8,851 layoffs in July

The rest of the article at TechCrunch provides the gruesome details of where the losses are coming from (by company). 

In an article in Fortune magazine, CIO Dan Walsh of healthcare company VillageMD (a Fortune 500 organization owned by Walgreens) is quoted as saying the cybersecurity layoffs have been “few and far between”.  So, one might be forgiven for believing that roles dedicated to cybersecurity are immune to the trend.  Yet, even as cybersecurity spend and staffing levels remain secure in the face of layoffs elsewhere in IT, organizations are awakening to the fact that cybersecurity is not effective without active privacy management.

Examination of the facts shows a tech job market evolving rapidly.  Once considered the highest in-demand field, tech workers are being let go and most predictions suggest the trend will not moderate anytime soon.  While unemployment remains at or near record historic lows in 2024, the rosy numbers are not there for tech workers.  Particularly for those in software engineering, application development and other related functions. While layoffs have been brutal in the tech space, the one area that remains insulated from layoffs is cyber security.  But cyber security is not the answer that companies clearly seem to think it is for the ongoing scourge of breaches.  But this will not continue to be the case the more it becomes apparent that cybersecurity alone is not the solution to the epidemic of data breaches.

Many existing cybersecurity jobs are focused on the traditional functions of legacy information security.  Whether an organization chose to “buy or build”, there have, for decades, been plenty of work for IT pros – coders, application developers, integration specialists, project managers, etc. – in the design, deployment and maintenance of standard InfoSec infrastructure.  Firewalls, encryption, endpoint security, identity access management, network security, cloud security and disaster recovery are all still relevant security functions.  However, they’re not getting the job done when it comes to slowing or stopping the flood of data breaches plaguing information systems. 

As detailed extensively in Privacy Bee white paper, “Cybersecurity Isn’t Enough”, in the absence of a concerted plan to manage unsecured external data and overall data privacy, these breaches continue to happen.  That paper explains, “the vast majority of today’s data breaches aren’t the result of bad actors successfully penetrating these [traditional] defenses via brute force attacks.  Rather, social engineering has become the primary attack vector resulting in data breaches and the catastrophic consequences that typically follow.  And these attacks are planned and enabled using the extraordinary volume of unsecured personal data about every worker in every organization, available for sale – and in many cases, even for free – on the internet.”

It is the role of the Chief Privacy Officer to stanch the unfettered flow of unsecured external data used by threat actors to perpetrate social engineering attacks that continue to be the predominant avenue for data breaches.  Doing this involves a religious dedication to protecting personal data privacy within an organization and any third-parties they associate with.

National Trade Organization Data Shows Growth in CPO Roles

The National Association of State Chief Information Officers (NASCIO) released research recently that shows that, at the state level in the US, awareness is growing of the critical role of privacy in protecting secure data systems.

NASCIO released the findings of a survey titled, “The Shifting Privacy Paradigm: State Chief Privacy Officers’ Evolving Roles and Persistent Realities”.  It contains great perspectives on the evolving regulatory landscape and underscores the increasingly vital part the Chief Privacy Officer plays in safeguarding citizens’ data privacy.  In the press release highlighting their findings, NASCIO writes, “The survey reveals a movement in the direction of increased authority and establishment of the role in state government. With privacy emerging as a critical policy priority, spurred by the absence of comprehensive federal legislation, an increasing number of states are taking matters into their own hands, enacting privacy laws and officially appointing Chief Privacy Officers to oversee their implementation and develop privacy programs.”

Also from the press release, key findings of the survey revealed:

  •  The prevalence of the title “chief privacy officer” has surged to 88%, indicating the growing recognition and institutionalization of the role within state governments.
  • State CPOs are increasingly reporting to administrative officials rather than CIOs or CISOs, reflecting a broader understanding of privacy beyond technology-centric domains.
  • Despite the prioritization of privacy, only 24% of respondents reported having an established privacy program, highlighting ongoing challenges in program development and implementation.
  • A lack of dedicated funding and authority remain significant hurdles, with only a fraction of Chief Privacy Officers having a defined budget for privacy initiatives and enforcement powers.
  • Top challenges identified by CPOs include lack of authority, funding, and qualified staff.

The findings of the survey underscore the urgent need for states to prioritize privacy governance, allocate dedicated funding, and empower Chief Privacy Officers with the authority needed to enforce privacy policies effectively. By heeding these recommendations, states can navigate the evolving privacy landscape and uphold the fundamental right to privacy for all citizens.

The bold statements in the above bullets clearly illustrate the increased awareness of the imperative for privacy management and the strong demand for professionals to fill CPO roles leading this initiative.  They also illustrate the shortcomings of current attempts to meet the rising need.  There is no doubt a crisis of Privacy in the United States.  One that traverses the realm of the political and the business world.  Privacy as a topic is a subject matter of great consequence and yet, one that has, until very recently, been objectively ignored by government and misunderstood by business organizations. 

Federal Government Inert on Privacy Matters

As the NASCIO release underlines, there is a woeful lack of federal regulatory guidance when it comes to privacy.  Leaving it to individual states to formulate disparate responses is not a viable strategy for overcoming the challenge facing public and private sector organizations alike.  Perhaps the lack of federal action stems from a Federal legislature and judiciary that regards privacy as a hotly contested notion. 

There is no explicit “right to privacy” in the US Constitution.  However, the right to privacy, for several generations was implied as being established by The Supreme Court which had used the personal protections expressly stated in the First, Third, Fourth, Fifth, and Ninth Amendments to find that there is an implied right to privacy in the Constitution.  This implied right was used to advance legal contraception, abortion, same sex marriage, gender affirming care and other basic liberties that were hard won over the last 50 years.   Only recently have we begun to see a regressive movement in the opposite direction with the current SCOTUS and its conservative majority working to undermine these privacy rights and roll back liberties the American public has enjoyed for generations.   

Yet, there is a through line between the supposed right to privacy in the public sense and the right to privacy when it comes to ones personal data and how it is managed by the businesses and other organizations with whom these data are shared.  And while the courts are busy examining and in many cases undermining privacy as a critical facet of a functioning modern society, the legislative and executive branches are doing far too little to enact protections for privacy of Americans’ personal and professional data. 

Business is Asleep at the Switch – Focused on Security not Privacy

For its part, and in the vacuum left by the absence of comprehensive privacy legislation and regulation, the private sector is seemingly resigned to the notion that daily risk of data breach is simply part of doing business.  Plenty of contemporary editorials and expert analysts seem to agree, concluding that data breaches simply cannot be stopped.  Consider the following examples of contemporary business media articles basically admitting defeat.  When reading through these, look for the pattern that emerges wherein the author laments the seeming inability of organizations to stop data breaches.  Then offers more of the same ineffectual suggestions for working to prevent them – employee education, standard cyber security practices, better cloud security, etc.

Harvard Business Review writes about “Why Data Breaches Spiked in 2023”.  Their article rightly points to three primary reasons behind the rising threat of data breach.  Cloud misconfiguration, new variants of ransomware attacks and increased exploitation of vendor/third party systems are the three drivers the vaunted Business Review offers.  All three are accurate, but nothing in the rest of this article points toward reducing unsecured external data as the main ingredient in remedying this problem. 

Business cybersecurity expert, Travis D. Mills writes a piece published on LinkedIn titled, “Reality Check: Stopping All Data Breaches is Impossible”.  This rather defeatist post correctly points out that there is no solution that will be one hundred percent effective in preventing data breaches.  This is true of any solution to any problem from birth control to air travel.   There will always be unplanned pregnancies and plane crashes.  However, Mills only points to a vague notion of cybersecurity “preparation” as his advice on how to minimize risk exposure.  He also talks about having responses prepared to deal with the aftermath of what his article argues will be an inevitable breach. Mills’ guidance says nothing at all about privacy management or unsecured external data.

Then of course, there are the different cybersecurity solutions providers publishing content proving the old adage, “when you are a hammer, everything begins to look like a nail”.  Take for example, the blog post published by data encryption provider, Baffle.io.  Headline of this two-part post reads, “Why You Can’t Stop Data Breaches”.  After recapping some of the more high-profile organizations suffering data breaches, the article goes on to extoll the virtues of data and database encryption best practices.  Nary a whisper about the real driving force behind data breaches – poor external data privacy.

The Slumbering Business Giant Awakens to the Threat of Privacy Risk

Without any governmental or regulatory forces coming to rescue them, businesses are indeed slowly, but surely awakening to the fact that their cybersecurity functions alone are not enough to protect them against threat actors using social engineering attacks.  The entire world is just now beginning to recognize the importance of privacy and taking steps to source leadership with the tech skills and know how needed to rise to this challenge. 

The previously referenced rise of new Chief Privacy Officers is not just an anecdotal factor.  We’re currently in the early stages of a migration away from a sole focus on traditional cybersecurity programs.  The IT function of tomorrow will have a whole new office, headed by a Chief Privacy Officer who not only works hand in hand with the CIO or CISO, but also with other segments of the corporate or organizational hierarchy impacted by privacy concerns.  This includes the CHRO, or HR leadership responsible for educating the workforce on protocol and policy.  It also includes the CPO or procurement officer who is responsible for all third-party vendor relationships. In many cases, this also includes executives in the Legal department responsible for governance protecting the organization from litigation and even Sales leadership who in some organizations are involved in collection of sensitive customer information.

The point being that privacy is the missing lynch pin to any organization’s policy and practice when it comes to preventing data breaches.  Since privacy-based threats are equally as effective being perpetrated through every facet of the organization (not just through IT channels) the role of the CPO is destined to be the most important role. 

The data from the US Bureau of Labor Statistics (BLS) confirms the trend.  BLS’s “Occupational Outlook Handbook” provides projections of all job sectors in the US economy.  Their current outlook for computer and technology occupations projects IT and tech occupations to grow faster than the average career segment between 2023 and 2033.  The data in the handbook suggests that data security roles will enjoy the largest growth in median pay among all the specialized IT functions in the tech realm. 

Be the Hero – Then Land the CPO Role

French novelist, author of the Three Musketeers and Count of Monte Cristo, Alexandre Dumas one said, “Nothing succeeds like success”.  With this quote in mind, Privacy Bee encourages the next generation of astute IT leaders to aim for the top.  To prove you’re the right candidate for a Chief Privacy Officer role, it would be enormously helpful to be able to demonstrate a sterling record of success in effectively managing privacy and dramatically lowering the risk profile for your organization – protecting it against the data breaches ravaging even the world’s top companies and governments.

How then would one go about producing such a record of success to bring to the hiring authorities?  Begin by advocating for Privacy Bee for Business within your current organization.  Show current leadership how an unwavering focus on data privacy and assiduous management of external data can provide the missing link, plugging the massive vulnerability in existing cybersecurity practices.  The good news is, it will be easy to gain approval to take the first few critical steps with Privacy Bee for Business because they require zero capital outlay.  Yet, they provide demonstrable metrics for the organization’s risk exposure.   Start with the following services from Privacy Bee for Business.

External Data Privacy Audit (EDPA)
The process of holistic data privacy and security begins with this free audit and accompanying report analyzing a company’s External Data Risk.

The EDPA is a unified employee audit, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). It delivers a centralized view into public employee exposures, then overlays the tangible financial impact exposure may have within your organization.

The 100% free, web-based privacy app enables organizations to quickly and easily scan their employees and build an extensive audit.  It yields a critical view into risk assessment, operational inefficiency, emerging cyber risk, and External Data Privacy management.  The output of the EDPA enables the organization to:

  • Quickly determine the most at-risk departments and employees by their public vulnerabilities
  • Drill down into analytics on Dark Web exposures across all employees
  • Derive actionable and accurate financial modeling with forecasted opportunities for risk resolution.

Privacy Risk Assessment (PRA)
One hundred percent free to use, the PRA is a survey of roughly 75 questions Privacy Bee administers online to all the organization’s key stakeholders within executive leadership.  It takes about an hour to complete.   The PRA explores how customer and employee data is managed by the organization, illuminating any opportunities for improvement, unmitigated risk, or insufficient Governance, Risk and Compliance (GRC).

Once completed, the answers are used to calculate the business’s Privacy Risk Score, as maintained by Privacy Bee. Once completed, your organization’s PRA will be available to any of your customers all year.  They’ll be able see your organization’s active status, and optionally request detailed answers (for trusted relationships), which you fully control.  

Many Privacy Bee for Business customers proactively offer the annual Privacy Risk Assessment when responding to RFQs or RFPs, similarly to how they declare certifications like SOC 2 or ISO 27001.  This is of great utility to Procurement and Legal departments as well, and illustrates how cyber security, physical security and external data security are achieved through cross-functional collaboration.

Vendor Risk Management
The EDPA and PRA process should also be extended (again at no cost) to all third-party vendors with whom any degree of information systems access is provided by your organization.  Supply chain risk is one of the fastest growing emerging privacy threats to businesses.  One we wrote about at length in the white paper, “Supply Chain Attacks On the Rise – A Primer on Supply Chain Privacy Risk”.   As that document illustrates, the majority of Data Breaches are not caused by an attacker targeting your organization directly, but rather by targeting your vendors, who often have less sophisticated defenses. If a PII-powered spear phishing attack breaches their defenses, compromising their company, the attacker will often leverage the trusted relationship to now target your company.

Procurement departments and sourcing teams are always looking for better visibility into vendor risks. Existing 3rd party vendor risk platforms are still valuable but dated. Real-time scans analyze all vendor companies, their employees, attack vectors commonly exploited by bad actors, and any other privacy-centric path that attackers might use to compromise their organization, and in turn, you.  As more organizations include privacy standards in their RFx events, the Vendor Risk Management solution ensures your organization can prove its worthiness.

Build the Heroic Business Case

Once these steps have been taken, the output of the assessments is beautifully displayed on Privacy Bee’s intuitive visualizations dashboard.  This provides you with the tools to make a data-driven business case in favor of engaging the rest of the Privacy Bee for Business solution, which provides means for securing all the unsecured external data identified by the scans/assessments. 

Employee Risk Management
Having convinced leadership to engage the subscription portion of the Privacy Bee solution (which is very modestly priced per user), the work begins on licensing all relevant employees to achieve unsecured external data removal.  The Employee Risk Management (ERM) solution is an easy but powerful way to gain visibility into External Data Privacy risk.   Taking a short while to load and configure all employees (usually exported from HR software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee.   Any discoveries are flagged as exposures and affect that employee’s aggregated Privacy Risk Score.

The output of ERM enables leadership to set minimum Privacy Risk tolerances for the organization and provides visibility and metrics to make enforcing tolerances easy.  While ERM does not claim to be able to achieve 100% removal of all unsecured external data, the removal of said external data is what makes an organization a far less attractive target to cyber criminals who typically seek the organizations with the least cyber security and most vulnerabilities.  The less unsecured external data existing on the organization’s workforce on the internet, the less ammunition scammers can attain to design and deploy the social engineering and phishing attacks they use to attack.

Use this Victory to Accelerate Your Career

After six months to a year, your efforts will yield a significant decrease in the risk of data breach affecting your organization.  You’ll have the hard data to prove it.  And, if you’ve begun quickly enough after having read this paper, you may even help your organization to completely avoid being victimized by hackers, threat actors, ransomware and all the social engineering vectors that enable them.  With this conspicuous success now on your record, you’ll be uniquely situated to shoot for the corner office.  Either convincing your organization to create a CPO position for you to inhabit, or using your successful record to apply for open CPO roles in other organizations seeking proven experts to help them deploy their own privacy protection campaigns.
 

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account: