November 7, 2022

Last Updated on January 15, 2024

Information security and privacy were long considered independent operational and career disciplines. But that view is going the way of the payphone.

Thanks to legislation like GDPR and CPRA, the two are merging at a functional level—putting privacy priorities on more and more security pros.

Rosemary Martorana, now Chief Privacy Officer at Corning and coming from a background in physical security, discusses what it takes to thrive on this cross-disciplinary path. She shares good practices for launching a new privacy initiative, ways to align privacy and security priorities, and how non-lawyers can bridge the privacy legal and compliance moat.

Staying between the guardrails

For individuals and orgs needing to step beyond their security comfort zone to embrace privacy, there is bound to be some hesitancy and resistance. But having made the crossing, Rosemary reports that the journey isn’t all that painful. It’s fundamentally the difference between protecting “information” and protecting “personal information.”

It breaks my heart a little when I hear people hesitate or get uncomfortable when we talk about privacy. – Rosemary Martorana

Getting privacy right takes three foundational steps, says Rosemary:

  • Establishing the right connections with key partners (e.g., cybersecurity team, legal team)
  • Understanding corporate risk tolerance in the privacy space
  • Addressing, through technology, process and policy, the true purpose of relevant regulations to protect privacy

 

3 legs on the security stool

Formerly the Director of Intelligence for the US Department of Homeland Security (DHS) New Jersey office, and then Corning’s Global Security Compliance Officer, Rosemary sees a company’s overall security posture as a 3-legged stool with interdependent physical security, cybersecurity, and privacy supports.

You really need all three: physical security, information security, and privacy baked in, in order to have that successful program. – Rosemary Martorana

The response to COVID-19 underscored these dependencies; one example was the creative use of physical security tools to meet state regulations around screening visitors for COVID-like symptoms. All three security realms are becoming more nimble and more intertwined, helping to drive the needed changes in each area.

 

Put your legal team on speed-dial

While privacy has significant legal and compliance elements, you can tap that expertise as needed for interpretation of laws, etc.

While lawyers are great at telling you about regulations and interpreting those, they aren’t necessarily the tacticians on how a corporation is going to confine itself to those regulations. – Rosemary Martorana

Corning chose Rosemary as someone with strong program management skills to take on her “in the trenches” role. She sees the Chief Privacy Officer (CPO) function as needing not just analytical capabilities around regulatory requirements, but also soft skills like problem-solving motivation and intellectual curiosity—and especially good communication skills to collaborate with lawyers, business leaders and other stakeholders.

 

Where the rubber meets the road

At a company like Corning with over 60,000 employees worldwide, it takes a real commitment to create and maintain an accurate map of personal data. Automated data discovery is critical, as is communicating with the information security team on data flows.

But as a business selling mostly to other businesses, Corning doesn’t field as many data subject access requests (DSARs) as B2C orgs of comparable size. They have a largely manual process for fielding DSARs, despite using many different tools to help with privacy and security overall.

I always advise people to make sure you understand what your company does and where you really can best apply those technologies before you open that checkbook. – Rosemary Martorana

When it comes to running a world-class privacy program, Corning operates under a binding corporate rules (BCR) framework, per GDPR, to define its data protection policies across the board with internal teams, plus “flowdown” of those rules to suppliers.

For SMBs that need to prove they can protect personal data, a privacy program can start with benchmarking your current state and digging into best practices to move that forward, keeping risk tolerance top-of-mind. It takes significant time and effort to build a robust privacy program, but in today’s business and political climate it’s a requirement you can’t put off.

 

What’s next?

To hear the complete podcast show with Rosemary Martorana, click here.