Vector
Vector

Choose your topics

Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Blogs
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
Blogs
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Vector-1
Data Privacy, GRC

A Chief Privacy Officer’s Insight Into Data Privacy Challenges and Security

A Chief Privacy Officer’s Insight Into Data Privacy Challenges and Security
Written by

Phil Le

Published on

6 Jul 2022

A Chief Privacy Officer’s Insight Into Data Privacy Challenges and Security

 

Guest Author: Phil Lea, Chief Privacy Officer at Tenth Revolution Group

 

In today’s data-driven economy, there is often a great deal of crossover between the role of Chief Privacy Officer (CPO) and Chief Information Security Officer (CISO). Typically, a CISO will be responsible for security assurance and instant response mechanisms, but those same mechanisms are equally important when it comes to data privacy. A CPO needs to ensure that their company is compliant with all data privacy requirements, and if a breach should occur, they need to have a plan in place to deal with the fallout effectively.

 

For CISOs, CIOs and CPOs, risk and risk management come with the territory, but it’s absolutely crucial they get this right – and therein lies the challenge.

 

Organizations can have privacy breaches just like any other incident, and how quickly and appropriately they respond is more important today than at any other time in our brief digital history.

The broad scope of data privacy and protection

CPOs will, for the most part, report directly to the CISO. However, in an organization chart there will be many ‘dotted lines’ reporting to other areas of the business too. In my role at Tenth Revolution Group, for instance, I have a lot of back and forth with our Chief Legal Officer who is currently based in the US. This is just one example where managing data privacy is broader than just data security.

 

While security is more concerned with monitoring and protecting an organization based largely on their own rules and objectives, privacy has to factor in complex regulations that vary from one region to another.

 

This can be a difficult web to untangle, particularly in the US. Instead of a single principle data protection legislation, the US has hundreds of privacy laws enforced at both state and federal level, and designed to protect individuals’ data. Part of the challenge many organizations have, mine included, is establishing an information security function that is the right size for the company’s various components. For example, sales-focused businesses need more information security support on the front lines than support in HR and finance departments.

Combining big picture focus with day-to-day security

The first three to six months of any CPO’s tenure is largely focused on planning, particularly if it’s a newly created role within the business supporting a CISO and other security initiatives. For instance, I meet with our privacy lawyer every day to review whatever has surfaced in the data privacy stack, but in the background I’m focused on driving security awareness and communication training.

 

That means splitting focus between the here and now, such as events in Ukraine and how that might impact our risk posture, or planning for tomorrow by engaging and training employees to be better data handlers.

 

You could have the most thoroughly designed security policies in the world, but if teams on the ground are not trained to follow through on them, they are not going to be effective when it comes to minimizing risk.

 

The role of staff training

Proper training is critical when it comes to the secure management of data. It’s not enough to simply warn staff of the dangers and teach them what not to do, because tight security these days relies on good data hygiene at all times. Operating outside of a security policy to save time might seem harmless to an individual, but even something that is apparently trivial can have an impact on an organization’s overall risk posture. It’s therefore up to businesses to approach risk management and data hygiene in ways that their staff are more likely to understand and react to. It also can’t be a one-time thing, or just a box that gets ticked. At Tenth Revolution Group, security training is part of the onboarding process when somebody joins the company, and it’s something we come back to time and time again.

 

Even employees that aren’t involved in technology deployment or development should have a basic understanding of what the technology they use is capable of doing, and the potential security risks it opens up. Even something as seemingly innocuous as Office 365 comes with risks, so it’s important that staff know the digital footprint they are creating, where the data is going and who can access it.

 

Learn more about Phil’s experience as Tenth Revolution Group’s Chief Privacy Officer in our Leaders in Cybersecurity and Risk podcast below.