Chapter 115 Least Privileged Access

One of the best things you can do as CPO is to be very thoughtful about access. Who in your company has access to data, and how can they use that data? In the privacy and security realm we use a process called “least privileged” to help make those decisions. What that basically means is that an employee should only have access to the systems and data they need, and only for the purposes they need them for. In the government there are different levels of secrecy: some people have a low level of clearance while others have a very high level. That same mentality applies to the controls on your systems, so I, as a CPO, should absolutely not have administrative access to the HR systems around payroll. There is no reason for me to have that access: I'm not in HR, so why would I need that information?

Does the Vice President of HR need access to that information? Probably not, but an HR manager would need payroll information. Does the Chief Technology Officer need to have full-blown access to every single database that the company has? Probably not. The CTO's job, from a policy and procedure perspective, is to help run the entire department, but they're not a developer. They're not the person who will be accessing any of the consumer data to develop products. So when you look at the controls that you're putting into your products and your services, you should first look at them from the employees' perspective ...
