3 Ways CISOs and DPOs Can Work Better Together

With Data Privacy Officer (DPO) positions on the rise, Chief Information Security Officers (CISOs) should lean on existing business mechanisms to define roles and swim lanes

By: NK McCarthy
The advent of new data privacy regulations such as Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Protection Act (CCPA) has triggered the creation of DPO roles in many organizations today, and that trend has had no small impact on cybersecurity leaders. While there are varying interpretations of the differences between the roles of Privacy leadership (DPO or CPO) and Information Security leadership (CISO, CSO or CIO), most agree that these roles have some degree of overlap and must work together to further their mutual interests.
The purpose of this blog is to identify three existing business mechanisms that data privacy and security leaders can leverage in order to work better together. We’ll refer to them as DPOs and CISOs, respectively, throughout this blog.
- Enterprise Risk Management
The first mechanism is an organization’s Enterprise Risk Management (ERM) program. Although the word “Enterprise” might lead some to think this is a technical effort, ERM is typically an executive-level management function that covers the entirety of an organization’s risks. ERM risks run the gamut from financial and competitive to operational and security. In publicly traded companies, the Annual Report to Shareholders contains numerous pages of narrative describing the organization’s risks which are typically derived from and managed by an ERM program.
One of the common “Information/Cyber” risks detailed today in annual reports is compliance with privacy laws. An effective ERM program should not only identify risks, but also the mechanisms to manage those risks.
An effective ERM Risk Register will list all the individual risks (e.g. Compliance with Privacy Statutes) and then detail the various mechanisms and efforts to address or mitigate each specific risk. The Risk Register is an excellent mechanism for drafting and managing a consolidated list of enterprise-level risks. DPOs need to be mindful that the Risk Register will most likely contain a broad list of “Cyber/Information” risks, falling outside the “Privacy” and “Compliance” realm, that the CISO will also need to address. Some examples include theft of intellectual property, fraudulent financial transactions, contractual reporting obligations such as Third-Party Security Agreements (TPSAs), or the loss of competitive information such as marketing and pricing strategy, to name just a few.
The ERM Risk Register should not get into the granularity of ‘how’ tasks are to be accomplished, but it should reference, at a high level, the commitments necessary to mitigate risks to an acceptable level. This document is typically managed by members of the executive management team, often a Chief Risk Officer, and should benefit from Board-level oversight. Typically, that oversight comes from the Board’s Risk Committee.
- Information Governance
A second process shared by the DPO and the CISO is Information Governance (IG). Simply put, in the ERM process above, the organization acknowledged its information risks and identified the mechanisms to address or mitigate them. IG is the next level down. IG asks the question: where is this data and what are we doing to “protect” it? IG typically encompasses a broad scope of requirements, which include:
- Retention (Storage/Archiving)
- Records Management
- Information Security (Confidentiality, Integrity and Availability)
- Physical Security
- Data Classification
- Data Minimization
- Third Party processors
Information Governance should address both structured and unstructured data. It is also critical that IG address physical records such as paper personnel files. In the Privacy realm, a similar effort is called the Privacy Impact Assessment (PIA). The PIA is intended to understand the scope of sensitive data being processed and determine the appropriate protections, which closely parallels Information Governance. Again, this is another shared mechanism where the DPO and the CISO can work together to develop a common approach that meets the needs of both.
- The Cyber Incident Response Plan (CIRP)
A third mechanism in which the DPO can partner with the CISO is the organization’s Cyber Incident Response Plan (CIRP). Large data breaches typically involve two distinctly different activities. The first is a cyber intrusion event (i.e. cyber criminals “hacked” the network). The second is that personal data was “breached.” A common “Division of Labor” tactic that is being employed in CIRPs is one in which the DPO addresses the data breach, and the CISO addresses the cyber intrusion. This approach accommodates the following concerns:
- The cyber intrusion response and the breach response will need to occur simultaneously. These two tasks will require different skill sets. Having the same person managing both is suboptimal.
- The cyber intrusion response should address the full range of information that is important to the organization, not just personal data. The ERM and IG efforts (above) should identify all information that will require attention during the Cyber Intrusion event. Even if this effort is to simply assure management that the scope of the intrusion was limited to non-sensitive data, it will require a broader focus than a privacy program will address.
- Most of the personal data breaches that I’ve been involved with (with over a decade of experience) are not initiated by a cyber intrusion or other malicious activity but rather, by user errors. The majority of these incidents never hit the media but still require a response. One example of this is a lost file cabinet of personnel records, or any other paper records for that matter. This constitutes a data breach, but not a cyber intrusion event.
Privacy regulation change is likely to continue to increase into the foreseeable future. Organizations that create the Data Privacy Officer role should ensure the Privacy function is compatible or even mutualistic with the Information Security function. The recommendations listed above should set your efforts in the right direction.