Privacy and Security Go Hand-in-Hand: How CISOs Can Work Toward Privacy Nirvana
Demetrios Lazarikos (Laz)
February 8, 2021
Data Privacy Day is always a good time to pause and recognize the kinship that organizational security and privacy teams have in business. While the day may come and go, it is never too late for CISOs to leverage the momentum of their strategic planning conversations taking place throughout their organizations. This includes ensuring your voice is heard and that you hear the voices of the leaders responsible for—and the stakeholders interested in—maintaining a level of privacy.
Taking this approach is essential. I hate to be prescriptive, but I will be here: it is critical to build relationships with organizational leaders in every privacy role, including those responsible for defining acceptable use policies, driving data-driven processes, and ensuring industry and regulatory compliance.
When evaluating the roles of organizational security and privacy as separate functions, one might make some assumptions about what each function’s goals are, how their teams meet those goals, and what information, systems, and processes are involved. In reality, organizational security is about protecting data (our new currency) by ensuring that only those who are authorized can access it. On the other hand, privacy is about the legal (and maybe ethical/moral) use of the data collected to provide better services and experiences to customers, which will drive efficiencies (and revenue) for the business. Please remember—we’re here to support the business and not be an obstacle.
Sure, privacy is also about keeping sensitive information protected from unauthorized access and misuse as well. In connection to the business objectives, the success of the privacy role is much, much broader than that.
Working Closely with Legal, Your Chief Privacy Officer, and/or Data Protection Officer for Organizational Security
Upon closer evaluation, you might find that the objectives of the person in your organization responsible for data privacy—often the General Counsel (GC) or Chief Privacy Officer (CPO)—differ from your security objectives. The one commonality between the two is that they both deal with risk. The key is to identify and discuss the risks together so both roles can succeed for the benefit of the business.
Even if you’re not bound to adhere to European laws such as GDPR, or US-based laws such as the California Consumer Privacy Act (CCPA)—and more US-based regulations are coming!—you should still understand the role of yet another person in the organization responsible for privacy, the Data Protection Officer (DPO). GDPR requires the DPO role. And according to the European Data Protection Supervisor, the primary function of the DPO is to “ensure that the organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.” Likewise, the CCPA assumes, “there must be a qualified individual with the responsibility for monitoring activities associated with data gathering, the storage and transfer of consumer data, and data privacy.”
Aligning Your Organization’s Security and Privacy Objectives
So why should you care? Data privacy isn’t your responsibility, right? There’s at least one, possibly two, others in the organization who have to worry about that. It may not be that simple.
Even though, as a CISO, you don’t officially “own” data privacy, it is paramount that you establish a relationship with the GC, CPO, or DPO—the person who has that responsibility. Then find a way to ensure both programs align with the business objectives and the policies/laws you are bound to. These are some of the questions that need to be answered:
- How does data privacy impact your cybersecurity management process?
- What mitigating controls need to be applied to address the risk that data privacy introduces?
- What protection, monitoring, detection, response, and recovery processes need to be updated?
- Does your organizational security and risk management program need to be updated to address data privacy requirements that the company must meet?
By discussing these questions, you’ll likely uncover some gray areas that need clear lines drawn between or around them:
- What does the reporting structure look like for you, the GC, CPO, or DPO?
- Who makes the final call accepting risk, discrepancies, or conflicts between organizational security and privacy?
- How do you stay “true”—without building a space shuttle to cross the street—to the ultimate goal of enabling business innovation while also protecting the business from risk?
- How do you align your strategies and architect a process, a set of controls, and a governance model that demonstrates you are doing what you need to do, individually and collectively?
As you answer these questions and begin to discern the difference between security and privacy, also look for the overlaps:
- What are the deltas and differences?
- How do you manage expectations and ownership?
- How do you deal with conflicting business requirements?
By working in partnership with your GC, CPO, or DPO, you can better identify how your organization collects, stores, processes, and transmits data within the law while also protecting the data from loss or theft. That’s a win-win for both of you that’s sure to lead to your privacy nirvana.
If you have ideas or questions about this topic, I am always available to connect and discuss this with you. Feel free to contact us online via LinkedIn @Blue-Lava.
Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: [email protected].