DPC15_300x250_ads_FINAL
PSR15_300x250_ad-UPDATED-6-15-FINAL

A Proposed Career Roadmap for the Next Generation Privacy Professional

The concept of a career roadmap is something with which we are extremely familiar. We are both retired military intelligence professionals with a combined 60 years of service to the United States. We grew up in a system that consisted of an enterprise-wide, tiered certification process, which laid out a set of minimum skills and experience levels required at certain waypoints in our career. We have also witnessed the benefits of a structured career roadmap during our tenures in the U.S. government’s civilian career service. Entry-level employees understand exactly what knowledge, skills and abilities they must acquire to compete successfully at the middle and senior technical and management levels. Aspiring U.S. government civilian senior executives, positions comparable to corporate-level executives, also have structured career roadmaps that define executive core competencies they must possess in order to compete successfully at this level.

This is why we are proposing a career roadmap for privacy professionals.

Before continuing, we want to address the term “privacy professional.” We’re aware that many in our profession refer to themselves by other names, such as “data protection professionals.” However, for the sake of consistency, we will use “information privacy” to encompass those who are IAPP-certified and working within the information privacy profession, regardless of where they are on “Google Earth.”

Since 2004, the International Association of Privacy Professionals (IAPP) has made tremendous strides in professionalizing the information privacy profession through its globally recognized accreditation system consisting of the Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and soon-to-come Certified Information Privacy Technologist (CIPT) certifications.

In 2010, A Call for Agility: The Next-Generation Privacy Professional opined that a “rise in privacy awareness among small and medium-sized businesses, government agencies and other organizations—as well as ongoing maturation of roles pertaining to information governance, risk management, data security and compliance—will create new career paths and opportunities for privacy professionals.” We agree with this assessment and join the growing cacophony of voices from across the globe that believe it is time to develop and implement a career roadmap for the next generation of privacy professionals. Regardless of the privacy model (comprehensive, sectoral, co-regulatory), we believe a roadmap will provide professionals with a plan to progress through the entry levels, mid-levels and senior levels of the information privacy profession.

Our preliminary observations of IAPP certifications indicated no apparent structured relationship between the CIPP, CIPM and soon-to-come CIPT certifications. Moreover, the global information privacy profession appears to lack a general career roadmap that might provide future generations with a pathway to build mastery in the privacy profession. The IAPP’s “Privacy Pathways” program is definitely a step in the right direction. This program allows the IAPP to partner with law schools to enhance privacy education, and to assist students in certifying as IAPP privacy professionals. The Santa Clara University School of Law’s first-of-its-kind privacy law certification is an example of the IAPP’s success in this area. IAPP VPof Research and Education Omer Tene states, “We’re excited about Santa Clara Law’s efforts. At a time when data is becoming the most valuable currency in the information economy, the need for well-qualified professionals who understand global information management practices and the need to safeguard data are growing exponentially.” We strongly encourage the IAPP to expand its Privacy Pathways program to other non-legal academic programs.

We envision a day in the future when high school students, faced with myriad academic and employment options, will decide to pursue careers in the privacy profession. These students will enroll in two- or four-year degree programs at any number of universities globally. Upon graduation, they will enter into the workforce armed with an associate or baccalaureate degree, apprentice-level knowledge of the profession and at least one of the CIPP disciplines. A career roadmap, similar to Figure 1, will provide aspiring privacy professionals with a pathway to success and establish hierarchical relationships between certifications.

Those personnel who choose a non-formal education route will supplement education requirements with equitable work experience and skills. We encourage privacy professionals to pursue formal education to improve their critical reasoning, critical writing, management and other essential skills. To continue their career progression, information privacy professionals will need to complete the appropriate-level IAPP certifications throughout their careers. Some students will continue their formal academic education by pursuing Juris Doctor (JD), other legal professional degrees or non-legal, graduate-level degrees in data protection, information privacy or a related discipline. Privacy analysts, after completing two years of demonstrated work, could seek additional responsibility by pursuing a CIPM certification, as well as a corresponding position. Following four years of experience as a CIPM, many professionals will look for more responsibility at a higher level.

These professionals will serve as the equivalents of today’s chief privacy officers (CPOs) within the private sector. Australia, Canada, the European Union, the U.S. government and others have used legislation to define the responsibilities of CPOs working within their respective governmental systems. They have not established a certification process for these officers. The privacy sector also lacks a common certification for its CPOs. We believe the time has come to develop a certification, the Certified Information Privacy Officer (CIPO), for both private-sector and public-sector CPOs to better prepare them for the multitude of adversarial, legislative and regulatory challenges their organizations will face in the 21st century.

Certifications raise the professional standards by giving special peer-recognition to those who fulfill a prescribed standard of performance and who demonstrate and maintain a high level of documented expertise. We believe the creation of a CIPO certification provides official, public and peer recognition of a person’s competencies and capabilities in the information privacy profession. A tiered certification process, starting with CIPP, followed by CIPM and peaking in the CIPO certification, demonstrates a lifelong commitment to the information privacy profession.

We envision a day in the future when high school students, faced with myriad academic and employment options, will decide to pursue careers in the privacy profession.

We believe the discriminator between each level of certification will lie in the scope of organizational responsibility. We contend that, in the future, privacy professionals or subject matter experts possessing an IAPP compliance and policy certification,e.g., US, G, C, E, will work within a work center or business unit. The CIPTs will work with their information security counterparts, i.e. CISA, CISO, CISSP, etc. As their work experiences and skill levels increase in areas of scope and responsibility, we believe they will work as CIPMs who will serve as project or program managers within an organization’s business units. We also view this certification as being comparable to the “Certified Information Security Manager” within organizations.

Of note, we have made a clear distinction between the CIPMs and CIPOs that will work in tomorrow’s organizations. We do not view the CIPM position as being on par with the CIPPs in the future. We envision tomorrow’s CIPMs managing teams comprised of entry-level CIPPs within an organization’s business centers, i.e., finance, marketing, human resources, information technology, information security, etc. The word “manager” denotes some level of management responsibility, hence, our designation of the CIPM as an operational manager of information privacy professionals. We envision tomorrow’s CIPOs working with the organization’s senior executives to manage the organization’s strategic information privacy program. They will ensure information privacy is interwoven into every facet of the strategic plan’s enterprise and mission objectives.

We applaud the information privacy profession pioneers who worked diligently to establish the information privacy career field. Their foresight has allowed us to develop a cadre of information privacy professionals capable of addressing the myriad of threats to information privacy. We realize it’s extremely difficult to capture all of the nuances of a career roadmap in a short thought piece; however, we feel that privacy professionals will benefit from having a path to guide them throughout their careers. We hope that this contribution advances the dialogue on this important topic.

Written By

Christopher Stevens, CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT

Written By

Stephen Holland, CIPM

6 Comments

If you want to comment on this post, you need to login
  • Kerry Childe Jun 11, 2014

    Without opining on the benefit of a career roadmap for privacy professionals, I would offer that the levels of education/experience suggested seem to me to be inadequate.

  • James Jun 11, 2014

    There's a saying in information technology that the competence of an IT professional is inversely related to how many certifications they hold. Passing an exam like the PMP is no guarantee that one actually has any competence at project management; it merely shows that one can pass the exam. There are a few skills missing here. Privacy professionals like to make a big deal of out 'data', but if data is so important, why isn't training in relational databases (object, no-sql, etc) part of the curriculum? You are going to have a very hard time understanding privacy implications of large scale data processing without at least a basic background in that area. Add to that information security, privacy preserving data publishing, requirements engineering, data mining, etc. Privacy has intersections with numerous fields, including law, ethics, communications, accounting, software engineering (etc). At best these little certifications show that someone has been exposed to a few concepts at the level of a multiple choice test. The hard skills (e.g., databases) and soft skills (e.g., stakeholder management) required for success cannot be tested this way. A test like the CIPP/IT is not a form of assurance that a person is competent in those areas.

  • Greg Jun 11, 2014

    The idea of a roadmap is good in that it attempts to provide general directional guidance. However, as proposed here, it seems to neglect consideration of the breadth of other skills, knowledge, and experiences required to be professionally competent. I think perhaps minimal educational and job experience requirements would be more useful for qualifying and individual to earn a specific certification. However, I don't see any direct linkage between the privacy certification and educational qualifications otherwise at this time. The discussion, analysis, and application of controls around topics relating to privacy encompass varying fields and knowledge sets (legal, information technology, business process, social/culture values, etc). I believe the value of many certifications is simply to give credence towards developing and understanding an alternate perspective relative to a particular subject area, and isn't and indicator of expertise in most cases…but more to demonstrate having baseline knowledge. A roadmap for privacy professionals can (and should) go in many different directions beyond what is represented here. However, I do recognize this as a first step.

  • Richard Beaumont Jun 12, 2014

    I too applaud this effort - essentially to map out career pathways within privacy. However, I would caution against being too stratified in any model. And perhaps my own current pathway can illustrate the point. Though relatively new to the privacy field, I have years of experience in technology management - such that I am at a middle/senior management position. My role and interests in where I want to go in the future, led me to choose to go for the CIPM certification, rather than the CIPP - which in your model would be the entry level. I think these certifications, and the new CIPT reflect more the route into the privacy field from other areas - Law, Project Management and IT - rather than necessarily hierarchical levels. I also believe experience and skills in other areas can play a very strong role in what would be an appropriate position to place any individual. The idea of a senior level CIPO certification is a good one - but equally it could be possible for someone in senior management role in other areas, to enter the profession at that level. What would be very useful progressions in my view would be some kind of system of CPD recognition(which of course the lawyers have in their own profession) plus additional levels of recognition of knowledge and experience - often found through the application of titles like 'Master' and 'Fellow' in other professional areas. I hope this adds to the debate.

  • Rita Heimes Jun 12, 2014

    The University of Maine School of Law launched one of the first privacy pathways in the US four years ago, in collaboration with IAPP. The law school has a course in information privacy, a three-course Information Privacy Summer Institute that takes place partially at IAPP's headquarters, an opportunity to sit for the CIPP exam, and multiple externships with businesses (including IAPP) for students to get hands-on experience in information privacy law.

  • Domenic Jan 17, 2015

    I also too wish to applaud the efforts that was made by the contributors of this article. Where I feel that this information may have more of an immediate and more long term impact, would be for the IAPP to reach out to NIST and establish a way of incorporating this career roadmap within the National Institute for CyberSecurity Initiative (NICE). Data and Securing data in a way that protects Privacy information go hand in hand. If the stated goals are to increase the size of both the Privacy and CyberSecurity workforce with future leaders, having the IAPP and NICE work together would go a long way towards achieving that goal. I see the CIPT has more along CyberSecurity. The CIPP US/G/M/EU/C designations along with Masters degrees can prepare the next generation of leaders of being in the "C" Suite. I am working on Masters of Jurist Law (new program) that I feel will bode well for those who (i.e., such as myself) who are looking to be those next CIPO's (e.g., shaping the organization’s strategic information privacy program)

Related