CPO & CISO: A Comprehensive Approach to Information

GE CPO Nuala O'Connor Kelly advocates greater CPO/CISO cooperation to place the right value on information assets.

Nuala O'Connor Kelly, the former chief privacy officer for the US Department of Homeland Security, now serves as chief privacy leader with General Electric. O'Connor Kelly, along with GE's Chief Information Security Officer, Grady Summers, recently partnered to launch a GE Information Governance Council. The council, according to O'Connor Kelly, combines the strengths of IT and legal, and looks at information management and policy issues holistically across the data life cycle. The effort also marks what O'Connor Kelly says is a distinct change in the role of a CPO, one she predicts many companies will eventually adopt. She spoke with CSO about the future of the CPO.

Give me a little background on your role with GE and how this convergence between privacy and information security began.

I started in the company three years ago as chief privacy leader and senior counsel for privacy and data. Over the course of the last year, we have congealed a vision around information governance; issues such as information management and data strategy. The new vision very much reflects a change in the CPO role to a more holistic approach to data.

With the CPO role, there has been a long-running debate about whether it belongs in legal, or in IT, or in risk or compliance. I wouldn't say we've settled all of the structural issues, but in terms of what information governance is, it's really about how we create information, how we keep it safe and secure and accessible during its lifecycle, and how we thoughtfully dispose of it. So we've brought in document management and data lifecycle, data retention, e-discovery and a whole bunch of other disciplines, under the information governance umbrella.

Now I lead information governance in legal and the information governance council, which is half legal and half IT. I've partnered with a team from the CISO's office as well as with the CTO. The idea is to create a multidisciplinary approach to data and both operationalize it and create a sustainable policy on the IT side.

What were some of the driving factors that led to this change?

It really was driven by data breach security laws. We had to respond quickly to data security issues and the increasing amount of regulation in that area.

The other real driver is the changing workforce, and the changing expectations of today's workforce. We have 13,000 GE employees who are self-identified on Facebook as GE employees, sometimes using their GE e-mail address and putting up GE monograms to create discussion groups and so forth. This is happening whether we like it or not. Our employees are voting with their feet about what kind of collaborative networking tools they will use and this presents some real legal and organizational challenges.
