The European GDPR legislation has put the privacy of customer data front and center for the modern organization, and rightly so. I know there are companies complaining that this new focus on privacy is limiting their ‘innovation’ efforts, but the reason governments around the world have adopted this privacy focus is that this ‘innovation’ has involved the abuse of all the data that is routinely collected, especially by the various social media companies. This excessive collection of private data is not limited to the social media companies, though; they are just the most obvious of the culprits.
It is not the collection of this data that is at issue for most of the new legislation around the world; it is the opportunity to use all of that data for profiling and opinion shaping that is at the core of the new privacy focus. Cambridge Analytica is the most high-profile company that was put through a media and public beating, and rightly so, I might add! But make no mistake: there are other companies out there doing exactly what Cambridge Analytica did; they are just much more circumspect and quieter about their business because of what happened to Cambridge Analytica.
As cybersecurity professionals, the responsibility for the privacy and protection of customer data will land squarely on us! Data protection has been within our remit for years, but privacy is much more than just data protection. So how do we go about acquiring these new skills? Traditionally we have relied on certifications in various areas for our skill sets, so are there any certifications out there focusing on privacy? I am happy to say that there are! Let us look at a few of them.
The order of these certifications is not a reflection of their value. All of them bring some privacy skills to the table and are thus well worth your time if privacy is part of your responsibility, or something you aspire to work with. The descriptions below only touch upon the areas each certification focuses on. If any of them catch your interest, go to the organizations' home pages for more information.
ISO 27701
Where the ISO 27001 focuses on developing an Information Security Management System (ISMS), the ISO 27701 focuses on implementing a Privacy Information Management System. This is not a certification you should aim at if you do not already have the ISO 27001 Lead Implementer certification! Like the ISO 27001, it comes in two flavors: a Lead Implementer certification and a Lead Auditor certification. As a company you can get ISO 27701 certified, but that only makes sense if you are already ISO 27001 certified!
Certified Data Privacy Solutions Engineer (CDPSE)
This certification comes from ISACA, the organization behind the CISA and CISM certifications. It is one of the newest in the arsenal of privacy-focused certifications. Full disclosure: I hold this certification! The CDPSE certification focuses on the softer areas surrounding the privacy of customer data, specifically three domains: Privacy Governance, Privacy Architecture and Data Lifecycle. If you already hold certifications from ISACA, you might be eligible to become CDPSE certified under the current early adoption program, but you should hurry!
The International Association of Privacy Professionals
This is an organization that has a few privacy-related certifications on offer. As the name says, it is focused on privacy only! If privacy is your main area of interest, then I highly recommend membership in this organization. The next three certifications are from this organization.
Certified Information Privacy Professional (CIPP)
This certification is different depending on where you are in the world. In Europe, for instance, the focus is naturally on the GDPR legislation, whereas in Asia the focus is on the privacy legislation there. This makes the CIPP certification well worth your consideration if you are dealing with local privacy regulations. The number of questions in the certification tests also differs across the world, so make sure you are looking at the right version of the CIPP certification when researching it!
Certified Information Privacy Manager (CIPM)
This certification focuses on the implementation of the various regulations in the day-to-day operations of the organization. As the name implies, this one is mainly for the staff who are responsible for operations in the organization. This includes things like measuring the performance of the privacy-related processes and how to communicate with the various stakeholders inside the organization. If the management of privacy programs has your interest, this is the certification for you.
Certified Information Privacy Technologist (CIPT)
This is the certification for those of us who work with the actual technology used in protecting the privacy of customer data. The focus here is on things like encryption, data accuracy, attacks against the data and design methodologies. If you are a technician who would like to work in a more structured way with the sensitive private data in your company, then this is the certification you should go for. It will also be a nice way of getting into the heavier issues surrounding cyber security in general.
Why is it Important?
If you read my first article on cybersecurity-magazine earlier this year, on the importance of governance in cyber security, you will remember my argument that governance is becoming a differentiator for customers and investors in the coming years. I will make exactly the same argument for data privacy! Even if we disregard the potentially catastrophic economic consequences of a GDPR fine, I as a customer should be able to look at a company and trust that my data is protected and will not be shared with third parties without my consent.
As an investor I would like to know that my investments are made in a company that takes responsibility for its customers, and thereby does not open itself up to fines or lawsuits from governments or customers. Having good privacy controls in place will be good business for companies trying to make a living in the cutthroat modern business environment.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and has covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISC, CCSP, CDPSE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, 'Security Architecture - How & Why'.