In today’s data-driven economy, there is often a great deal of crossover between the role of Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO). Typically, a CISO will be responsible for security assurance and incident response mechanisms, but those same mechanisms are equally important when it comes to data privacy. A CPO needs to ensure that their company is compliant with all data privacy requirements, and if a breach should occur, they need to have a plan in place to deal with the fallout effectively.
For CISOs, CIOs and CPOs, risk and risk management come with the territory, but it’s absolutely crucial they get this right – and therein lies the challenge.
Organizations can have privacy breaches just like any other incident, and how quickly and appropriately they respond is more important today than at any other time in our brief digital history.
The broad scope of data privacy and protection
CPOs will, for the most part, report directly to the CISO. However, in an organization chart there will be many ‘dotted lines’ reporting to other areas of the business too. In my role at Tenth Revolution Group, for instance, I have a lot of back and forth with our Chief Legal Officer who is currently based in the US. This is just one example where managing data privacy is broader than just data security.
While security is more concerned with monitoring and protecting an organization based largely on their own rules and objectives, privacy has to factor in complex regulations that vary from one region to another.
This can be a difficult web to untangle, particularly in the US. Instead of a single, principal piece of data protection legislation, the US has hundreds of privacy laws, enforced at both state and federal level, designed to protect individuals’ data. Part of the challenge many organizations have, mine included, is establishing an information security function that is the right size for the company’s various components. For example, sales-focused businesses need more information security support on the front lines than in HR and finance departments.
Combining big picture focus with day-to-day security
The first three to six months of any CPO’s tenure are largely focused on planning, particularly if it’s a newly created role within the business supporting a CISO and other security initiatives. For instance, I meet with our privacy lawyer every day to review whatever has surfaced in the data privacy stack, but in the background I’m focused on driving security awareness and communication training.
That means splitting focus between the here and now, such as events in Ukraine and how they might impact our risk posture, and planning for tomorrow by engaging and training employees to be better data handlers.
You could have the most thoroughly designed security policies in the world, but if teams on the ground are not trained to follow through on them, they are not going to be effective when it comes to minimizing risk.
The role of staff training
Proper training is critical when it comes to the secure management of data. It’s not enough to simply warn staff of the dangers and teach them what not to do, because tight security these days relies on good data hygiene at all times. Operating outside of a security policy to save time might seem harmless to an individual, but even something that is apparently trivial can have an impact on an organization’s overall risk posture. It’s therefore up to businesses to approach risk management and data hygiene in ways that their staff are more likely to understand and react to. It also can’t be a one-time thing, or just a box that gets ticked. At Tenth Revolution Group, security training is part of the onboarding process when somebody joins the company, and it’s something we come back to time and time again.
Even employees that aren’t involved in technology deployment or development should have a basic understanding of what the technology they use is capable of doing, and the potential security risks it opens up. Even something as seemingly innocuous as Office 365 comes with risks, so it’s important that staff know the digital footprint they are creating, where the data is going and who can access it.
Learn more about Phil’s experience as Tenth Revolution Group’s Chief Privacy Officer in our Leaders in Cybersecurity and Risk podcast.