The way Ken Mortensen sees it, there are three tiers to building a knowledge governance program. There's data governance, allowing an organization to understand, organize and make available its information. There's the second level: information governance, which means implementing controls and standards to address regulatory risks and making sure the data flows properly. And then there's the highest stage: knowledge governance, which creates the kind of information that's critical to decision making and creates an environment where the true value of information is extracted.
It's the opportunity to foster those kinds of programs that nudged him toward his most recent move back into private practice at consulting firm PricewaterhouseCoopers, which has been building a robust data protection privacy team with the announcement of at least a dozen high-profile hires in the last few months, including Brad Chin, a former privacy officer from the technology industry; Eric Lybeck, Patricia Wynne and Lauren Schultz from the healthcare industry; Doris Patrick, a former privacy director in financial services and automotives; Angela Saverice-Rohan, a former chief privacy officer from big data and health insurance; and Bob Gibson, a former privacy officer in the pharmaceutical industry.
The effort picked up steam with the acquisition of Jay Cline's Minnesota Privacy Consultants back in March.
"Law firms are very focused on the legal issues," Mortensen said. "Which makes sense where there's a data breach or a class-action. That's what law firms do well; when the fire is burning, they try to put out the fire. They are not really into program building ... What I'm looking to do is not what I would call strictly a privacy and security program."
Moving to a consulting firm gives Mortensen a chance to work with organizations to advance their agenda and begin to put in place these knowledge governance programs, he said. A veteran of the privacy profession who's served as in-house counsel for the last 10 years, he's found privacy professionals today face a glass ceiling in both the extent to which the C-suite will allow them to grow a privacy program and its willingness to pay pros to take a leadership role.
Mortensen would like to help those CPOs break through that glass ceiling.
"Organizations aren't willing to invest in privacy leadership at the highest levels because they are looking at privacy as a functionality and so part of compliance or regulatory and so not as interested in advancing it," Mortensen said. "They may want a CPO, but they aren't seeing that person as a thought leader for the organization."
Privacy, as a result, is becoming commoditized; there's a certain "bringing down" of the level of importance.
The sort of program he'd like to help them put in place would raise their profile in the organization and emphasize the value that a privacy program can bring to the entire enterprise.
"More and more folks are being called a CPO at a manager or senior manager level," Mortensen said. The higher-ups don't understand the need for more horsepower and are satisfied merely reaching a compliance level, rather than getting to an information-governance level, he argued.
Toward the end of his tenure at CVS, his gig before PwC, Mortensen found that his counterparts across the table in meetings would not be the company's CPO or someone who was part of the executive leadership, and sometimes he found himself talking to former CPOs whose position had been demoted.
Maybe that partly reflects a simple supply and demand trend, though. The profession has evolved from a small set of seasoned professionals with a deep knowledge pool, and they were expensive. Now, the profession is booming with certified folks who perhaps can't offer the same expertise veterans like Mortensen can, but who can get the compliance job done, and organizations know they need not pay a six-figure salary for that.
Additionally, Mortensen thinks the profession in general is having a hard time speaking up and saying, "We're not done here." It's incident response, and then the books close.
Jay Cline has a slightly different rallying cry, but similarly moved to PwC to fill perceived gaps in the privacy profession. He recently sold his consulting firm to PwC and became principal of the data protection and privacy team, jumping at the opportunity to work with PwC now because it was a way to get at developing the technology he feels the profession needs to do things more efficiently and at bigger scale.
He also saw a firm that had developed a team doing rigorous, high-visibility audits to high standards, and it didn't hurt that they had the lion's share of many of the FTC consent orders demanding long-term third-party audits.
While you'd think one of the "Big Four" of the consulting industry would be naturally slow-moving, Cline said PwC is very entrepreneurial, growing quickly and willing to invest in the tools and technologies he sees missing from the market. That's important given changes coming down the pipeline like Europe's data protection reform, new HHS audits, cloud computing, mobile apps and the questions raised by big data.
"Something we've been doing right away is developing new methodologies, technology-enabled methodologies," Cline said, adding that he's now able to take ideas that, at a small firm, would require backing from venture capital, but that with PwC's infrastructure can come to market much faster.
Both Cline and Mortensen see PwC getting a return on their privacy team investment through the global expansion of privacy awareness and the realization by global firms that the time to get their privacy house in order is now.
And the audience for their message goes beyond the CPO. Cline sees a shift away from a privacy officer "having to carry the bucket of water by themselves" to privacy responsibility shifting to other departments in the organization, with other executives helping to cheerlead for privacy.
"Because of big data, the chief marketing officer wants to unleash its power, and without a privacy plan in place, that value can often be locked up because of concern about violating privacy policies or privacy expectations," he said. "The CMO is the best friend of the CPO in 2014."
There's a fear factor out there, too. The potential to lose five percent of global annual revenue under the EU regulation is enough to finally start scaring Fortune 500 companies into assessing their current privacy program status and starting to build programs.
That's a market need PwC is looking to fill - and now they've got a few more privacy pros with which to do it.