The Nuances of Information Security and Privacy

Leon Ravenna, CISO, KAR Auction Services, Inc.

There are so many new cybersecurity, privacy and risk laws and regulations to worry about. How can they possibly add value to your business? As you look at business innovation, many organizations will need to rely significantly on their cybersecurity and privacy groups, but these programs are often misunderstood functions within many corporations.

Cybersecurity and privacy programs are often considered a “necessary evil,” designed to address industry standards or customer compliance. However, they are not typically thought of from an innovation perspective. Well-designed and well-marketed cybersecurity and privacy programs can create a competitive advantage for a company.

Your business likely provides services to many customers and impacts hundreds or thousands of employees, families, and multiple communities. These groups depend on your company to perform as a reliable business partner and responsible corporate citizen. They also expect, and deserve, adequate security controls to protect their assets entrusted to you and your company.

When you consider physical security, it’s commonplace to use fences, locks, cameras and other mechanisms to protect our physical assets. So, why is it that we often give less consideration to the assets we can’t see, which could be electronically accessed by or transmitted to an unauthorized recipient?

Robust cybersecurity is a critical component of being a reliable and trustworthy employer and business partner. Many factors are considered in the development and implementation of cybersecurity and privacy programs:

• Helping drive new business and maintaining existing business

• Ensuring consistent and secure delivery of services

• Protecting assets from intentional or accidental misuse

• Meeting customer compliance expectations and contractual commitments

• Recruiting and retaining top talent

Each of these drivers is important by itself. However, in combination, they create a unique program that not only gives customers the comfort to entrust their data to your care, but also focuses on the continued, secure delivery of leading technology solutions.

Let’s look a little deeper at a couple of these items.

Driving New Business

It may not seem like cybersecurity and privacy are drivers of new business. However, when was the last time you saw a contract without any cybersecurity or privacy provisions? When was the last time a customer said, “Sure, you seem trustworthy. No need for an audit here?” As the world moves toward a more digital, online marketplace, cybersecurity and privacy are increasingly considered critically important in the sales process. The ability to demonstrate strong cybersecurity and privacy programs during the sales cycle can often help to speed up the process and can be a differentiator between providers.

Meeting Customer Compliance Expectations and Contractual Commitments

Customer compliance is often considered the primary driver of cybersecurity and privacy programs. In a typical year, companies may field dozens if not hundreds of cybersecurity-related RFPs, RFIs, questionnaires and audits. Every one of these, at its core, is focused on cybersecurity and privacy concerns. The primary driver of this scrutiny is that many of the major breaches are tied to third-party vendors. Because of this, customers’ scrutiny around cybersecurity and privacy compliance has led to an environment where many institutions’ requests have become unduly burdensome. Well-documented and well-managed cybersecurity and privacy programs will help to facilitate these requests efficiently and reduce their overall impact on your organization. Regardless, customer compliance continues to be an item that drives your programs to be better.

Recruiting and Retaining Top Talent

One often overlooked facet of a cybersecurity program is providing a feeling of protection and comfort with the environment within which one works. In the same way that physical security controls provide overt mechanisms to show outside personnel that you take employee security seriously, making employees aware of cybersecurity controls gives them confidence that their data is protected and threats against them are addressed. An organization that communicates and markets the importance of its cybersecurity and privacy programs will often generate stronger employee engagement, resulting in a higher level of employee satisfaction.

A Few Words About Privacy and Roles

Privacy is mentioned above in conjunction with cybersecurity. In many organizations, both functions will, by default, end up as the responsibility of the information security organization. However, as companies continue to struggle with meeting and maintaining compliance with existing and upcoming privacy and cybersecurity regulations such as GDPR, CCPA, NYDFS and others just around the corner, it will likely make sense to place regulatory and risk-based functions under the guidance of a single leader, or at least coordinate these activities more closely.

The best way to think about the increasing scope of the role is that the CISO may morph into the “CISPRO,” having responsibility for information security, privacy and risk. It is simply too expensive to separate these functions in many organizations. It won’t happen in all organizations, as larger organizations may want or need to keep these functions managed separately. It is likely that this shift will take place over the next three to five years.


Information Security and Privacy have been and will continue to be increasingly important as we seek to win business, protect our assets, ensure customer compliance and recruit top talent. As you move forward, strong cybersecurity and privacy programs and controls will not only be necessary, they will be a competitive differentiator.