The concept of a career roadmap is something with which we are extremely familiar. We are both retired military intelligence professionals with a combined 60 years of service to the United States. We grew up in a system that consisted of an enterprise-wide, tiered certification process, which laid out a set of minimum skills and experience levels required at certain waypoints in our career. We have also witnessed the benefits of a structured career roadmap during our tenures in the U.S. government’s civilian career service. Entry-level employees understand exactly what knowledge, skills and abilities they must acquire to compete successfully at the middle and senior technical and management levels. Aspiring U.S. government civilian senior executives, positions comparable to corporate-level executives, also have structured career roadmaps that define executive core competencies they must possess in order to compete successfully at this level.
This is why we are proposing a career roadmap for privacy professionals.
Before continuing, we want to address the term “privacy professional.” We’re aware that many in our profession refer to themselves by other names, such as “data protection professionals.” However, for the sake of consistency, we will use “information privacy” to encompass those who are IAPP-certified and working within the information privacy profession, regardless of where they are on “Google Earth.”
Since 2004, the International Association of Privacy Professionals (IAPP) has made tremendous strides in professionalizing the information privacy profession through its globally recognized accreditation system consisting of the Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and soon-to-come Certified Information Privacy Technologist (CIPT) certifications.
In 2010, A Call for Agility: The Next-Generation Privacy Professional opined that a “rise in privacy awareness among small and medium-sized businesses, government agencies and other organizations—as well as ongoing maturation of roles pertaining to information governance, risk management, data security and compliance—will create new career paths and opportunities for privacy professionals.” We agree with this assessment and join the growing cacophony of voices from across the globe that believe it is time to develop and implement a career roadmap for the next generation of privacy professionals. Regardless of the privacy model (comprehensive, sectoral, co-regulatory), we believe a roadmap will provide professionals with a plan to progress through the entry levels, mid-levels and senior levels of the information privacy profession.
Our preliminary observations of IAPP certifications indicated no apparent structured relationship between the CIPP, CIPM and soon-to-come CIPT certifications. Moreover, the global information privacy profession appears to lack a general career roadmap that might provide future generations with a pathway to build mastery in the privacy profession. The IAPP’s “Privacy Pathways” program is definitely a step in the right direction. This program allows the IAPP to partner with law schools to enhance privacy education, and to assist students in certifying as IAPP privacy professionals. The Santa Clara University School of Law’s first-of-its-kind privacy law certification is an example of the IAPP’s success in this area. IAPP VPof Research and Education Omer Tene states, “We’re excited about Santa Clara Law’s efforts. At a time when data is becoming the most valuable currency in the information economy, the need for well-qualified professionals who understand global information management practices and the need to safeguard data are growing exponentially.” We strongly encourage the IAPP to expand its Privacy Pathways program to other non-legal academic programs.
We envision a day in the future when high school students, faced with myriad academic and employment options, will decide to pursue careers in the privacy profession. These students will enroll in two- or four-year degree programs at any number of universities globally. Upon graduation, they will enter into the workforce armed with an associate or baccalaureate degree, apprentice-level knowledge of the profession and at least one of the CIPP disciplines. A career roadmap, similar to Figure 1, will provide aspiring privacy professionals with a pathway to success and establish hierarchical relationships between certifications.
Those personnel who choose a non-formal education route will supplement education requirements with equitable work experience and skills. We encourage privacy professionals to pursue formal education to improve their critical reasoning, critical writing, management and other essential skills. To continue their career progression, information privacy professionals will need to complete the appropriate-level IAPP certifications throughout their careers. Some students will continue their formal academic education by pursuing Juris Doctor (JD), other legal professional degrees or non-legal, graduate-level degrees in data protection, information privacy or a related discipline. Privacy analysts, after completing two years of demonstrated work, could seek additional responsibility by pursuing a CIPM certification, as well as a corresponding position. Following four years of experience as a CIPM, many professionals will look for more responsibility at a higher level.
These professionals will serve as the equivalents of today’s chief privacy officers (CPOs) within the private sector. Australia, Canada, the European Union, the U.S. government and others have used legislation to define the responsibilities of CPOs working within their respective governmental systems. They have not established a certification process for these officers. The privacy sector also lacks a common certification for its CPOs. We believe the time has come to develop a certification, the Certified Information Privacy Officer (CIPO), for both private-sector and public-sector CPOs to better prepare them for the multitude of adversarial, legislative and regulatory challenges their organizations will face in the 21st century.
Certifications raise the professional standards by giving special peer-recognition to those who fulfill a prescribed standard of performance and who demonstrate and maintain a high level of documented expertise. We believe the creation of a CIPO certification provides official, public and peer recognition of a person’s competencies and capabilities in the information privacy profession. A tiered certification process, starting with CIPP, followed by CIPM and peaking in the CIPO certification, demonstrates a lifelong commitment to the information privacy profession.
We envision a day in the future when high school students, faced with myriad academic and employment options, will decide to pursue careers in the privacy profession.
We believe the discriminator between each level of certification will lie in the scope of organizational responsibility. We contend that, in the future, privacy professionals or subject matter experts possessing an IAPP compliance and policy certification,e.g., US, G, C, E, will work within a work center or business unit. The CIPTs will work with their information security counterparts, i.e. CISA, CISO, CISSP, etc. As their work experiences and skill levels increase in areas of scope and responsibility, we believe they will work as CIPMs who will serve as project or program managers within an organization’s business units. We also view this certification as being comparable to the “Certified Information Security Manager” within organizations.
Of note, we have made a clear distinction between the CIPMs and CIPOs that will work in tomorrow’s organizations. We do not view the CIPM position as being on par with the CIPPs in the future. We envision tomorrow’s CIPMs managing teams comprised of entry-level CIPPs within an organization’s business centers, i.e., finance, marketing, human resources, information technology, information security, etc. The word “manager” denotes some level of management responsibility, hence, our designation of the CIPM as an operational manager of information privacy professionals. We envision tomorrow’s CIPOs working with the organization’s senior executives to manage the organization’s strategic information privacy program. They will ensure information privacy is interwoven into every facet of the strategic plan’s enterprise and mission objectives.
We applaud the information privacy profession pioneers who worked diligently to establish the information privacy career field. Their foresight has allowed us to develop a cadre of information privacy professionals capable of addressing the myriad of threats to information privacy. We realize it’s extremely difficult to capture all of the nuances of a career roadmap in a short thought piece; however, we feel that privacy professionals will benefit from having a path to guide them throughout their careers. We hope that this contribution advances the dialogue on this important topic.