Jul 26, 2007

When I read Steve Andriole’s recent post (via Cindy Swain), What Are the Rules, I looked at the calendar…no, this was not April 1st.

What a thought-provoking post!

Yes, as some of the comments to Steve’s post indicate, there are definitely some controversial “rules” put forth. To put it mildly. Writing about them all would fill a book. I will just comment on a couple of the proposed rules.

“1. CIOs should come from the business, not the technology ranks: technology-rooted CIOs will never really understand the importance of business as the technology driver. When prospective CIOs start talking about network latency and virtualization, it’s time to get the hook out; go with the professional talking about up-selling and cross-selling every time.”

It can also be said that business leaders will never understand the depth and nuances of IT that are required to make sound IT decisions, the decisions that help make the business successful.

I strongly believe that IT must support the business. IT must be implemented with the best interest of the business in mind; so IT leaders must understand the business well. This is true. IT leaders must know how to speak business, read business and support business. However, IT leaders must also have deep knowledge and experience with IT. They are the IT experts within the company. Valid and feasible IT decisions, in the best interest of the organization, cannot be made unless the IT leader has a strong understanding and background in IT.

Likewise, the business unit leaders must be experts in their business. They must apply their business expertise to make the organization as successful as possible.

I used to work for a very large multinational organization that co-located each of the business unit IT support teams in the business unit office locations…they embedded them, if you will. This worked, and still works, very well. The IT experts were sitting side-by-side with the business experts and had ongoing communications with them about the business. The IT folks learned the business, and in return supported the business during their IT planning, implementation and support.

I see ITIL as a great framework/methodology, when properly deployed, for integrating the business with IT. Leave the business experts to make their services and products successful; teach IT experts and leaders the business and have them use tools and frameworks, such as ITIL, to always have the business in mind when supporting IT.

I think it would be interesting to do an experiment. Take a smart business leader and see how long it would take for him/her to competently understand IT and compare to how long it takes an equally smart IT leader to competently understand the business.

Instead of trying to take a fish out of water and make it grow legs and walk, give IT experts the knowledge and tools to understand business. Not only will it be easier, it will be more effective and valuable to the business.

“5. Get over the lack of privacy. It’s been gone for years and most Americans would sell their personal data for a $50 a year, so long as you promised them a free Diet Coke. The fact is that privacy — like everything else in the world — is for sale at the right price.”

Aye yi yi! Where to begin…I could write a book about this. Wait; I *have* written books about this! :)

Scott McNealy is often quoted, out of context, by many, and overwhelmingly by CTO types, “You have no privacy, get over it.” Yes, technology vendors usually do want you to believe that because then you will not hold their feet to the fire to build security and privacy into their products. It is easier to say privacy is not possible than it is to architect privacy into technology. But, it can be done.

I recently wrote about this, the importance of privacy and the misconceptions around it on my personal blog site in my post “Carnegie Mellon’s Data Privacy Head Urges Development of New Privacy Technologies.”

Privacy is about much more than selling your personal information out for a Coke or Starbucks coffee.

Privacy is about individuals having the ability to make decisions regarding not only who gets access to their personally identifiable information (PII), but also about keeping other aspects of their life…where they travel, who they speak with, what clothes they buy, what food they eat, what books they read, whatever else humans do while living their life…private and divulging only those details they choose to divulge.

At the core of privacy is personal choice. Businesses and vendors typically do not provide this choice. It would be too costly, in the vendors’ opinions, for vendors to take the time and resources to provide that choice, and to, by default, protect PII. It would impact their profits.

If individuals *CHOOSE* to divulge their PII…even if for a Coke or Starbucks…then that is *THEIR* choice. Technology giants, businesses and other organizations should not take that choice away.

Organizations that work to ensure privacy will be more successful, retain more customers and have better reputations than organizations that remove choices from individuals about their PII, and that do not build privacy and security into their products and services. A recent study supports this, as I blogged about today.


Rebecca Herold

Rebecca Herold is a Senior Consultant with the Cutter Consortium's Business Technology Strategies practice. She is an information privacy, security and compliance consultant, author and instructor.


2 Responses to “Privacy: Badly Roughed Up But Still Alive and Kicking”

1. People who are concerned about privacy should work on authorization and authentication. I should be able to advertise my social security number on a billboard and not have it affect the security of any of my other data.
   I own the information about myself just like I own my lawnmower. I should be able to sell the data as I sell my lawnmower when I buy a new one.
   As for accounts and medical records, the companies in charge of those should require proper authentication before allowing access to them. If authentication is breached, that company should be responsible for the damages.
   Making sure you know with whom you are dealing (authentication) and that they have a legitimate need-to-know (authorization) would go a long way towards alleviating privacy concerns.

2. I do agree with you, Rebecca, regarding privacy and confidentiality, especially in business. Organizations that strictly follow privacy and keep their internal as well as external confidential factors, which might affect their business, more secure are more successful, while at the same time retaining more customers and having better reputations.
