The Privacy Paradox. What’s a CISO to Do?

By Kristy Edwards, co-founder and Technical Advisor to PrivacyCode

People expect CISOs to be superheroes.  

They are expected to manage a highly complex tech stack while staying ahead of a perennially expanding volume of cyber threats. They often must do this while being understaffed, under-budgeted and under a lot of stress. 

And now, data privacy is also increasingly on the CISO’s mind - and in some cases, directly on their plate. This means that CISOs and their teams will need to get comfortable with different models and focus areas.

I’m going to explain why this is a good thing - for the security and privacy teams, and for the organizations they support. And, how CISOs can work effectively with privacy teams -or in the absence of one- to increase their overall security posture. 

First, it’s helpful to understand how privacy and security have (or have not) worked together in the past, and how they interact today. 

The Privacy Function: Moving From Siloed to Symbiotic

Historically, CISOs have been mostly insulated from the privacy function, and vice-versa. Privacy teams usually resided in the legal department, where they crafted policies and stayed abreast of new regulations. Meanwhile, the CISO and his or her team focused on strategic approaches to preventing breaches, engaging everyone from the Board to sysadmins and monitoring endpoints for indicators of compromise. If they engaged with the privacy team at all, it was when a new policy was handed off to them to “figure out” how to implement it appropriately in products or systems.

That started to change when the California Legislature approved SB 1386, which mandates that companies with customers in California must inform them if they believe their personal information has been breached. Arguably, SB 1386 helped usher in a whole new generation of privacy regulations. I was in a security executive role at the time and saw firsthand how this new regulation was a forcing function for the C-Suite and Boards to recognize that security controls are a business imperative.

In other words, a privacy law helped to elevate the posture of cybersecurity inside the enterprise.

Fast forward to now, when an explosion of cyber threats - ransomware, malware, nation-state attacks, you name it - and a patchwork of new privacy laws have emerged concurrently to make the CISO’s job highly fragmented. They can barely keep up with stopping breaches let alone understand and implement protections for different categories of personal data that these new privacy regulations demand.  

As this threat landscape has evolved and the amount of data in the hands of businesses has exploded, the structure of security and privacy teams has also changed.

Today, I see three scenarios for how privacy and security teams work together (with nuances within each.)

• Closely adjacent: In this model, privacy and security teams are “peer” groups that work together regularly. However, they have well-defined roles and boundaries. For instance, the privacy team might tell the security team that stored data encryption is required for sensitive personal data, but they have a very clear handoff point to security, who specifies encryption algorithms and key lengths and leads the security review to execute this requirement. This model is more symbiotic - each team understands the value and role of the other and have processes and guardrails around who does what.

• Combined:  Here the two teams work as one - the operational and technical elements of the privacy program are within the CISO’s domain and report into him/her, often with a dotted line to the CPO. I personally have run global privacy programs within this structure, which tends to exist in companies that are more “security forward” and understand the critical role of the privacy engineer within the security function.

• Cobbled Together: In this scenario, privacy responsibilities are doled out across various company stakeholders. This is most common in small to medium sized businesses that have not invested in full time privacy staff. Various aspects of privacy may be an added responsibility for a variety of stakeholders, from a commercial attorney to a privacy engineer to an organization’s CISO. For these folks, privacy may be their 2nd (or 3rd!) job, and so keeping track of how new regulations and policies are deployed and enforced in their business can be particularly challenging. 

I share this background because it can help CISOs who are struggling to “figure out how to work with privacy” envision a potential model. However, internal structure and division of labor only goes so far. To succeed, CISOs need to understand that no matter how the function is assembled, today they sit at the intersection of data privacy and cybersecurity. And rather than be overwhelmed by that or wishing it will go away (it won’t), they should understand that collaborating with privacy teams and finding workable technical solutions can actually, paradoxically, make a CISO’s life easier.

Actions CISOs Can Take to Make Privacy Work for Them

When I say “make privacy work for them,” I mean that figuratively. Although in some instances, the privacy function may indeed report into the CISO, the intention here is for CISOs to shift their mindset and turn privacy integration and collaboration into an advantage for the security function writ large.  Here are some ways a CISO might want to approach the new realities of the privacy-security partnership.

• Accept the new reality.  The protection of personal information is a security problem.  While it’s true that data privacy focuses on how personal data is collected, used, and shared; and data security refers to the measures and technologies used to protect data from threats, the reality is more complex. 

For instance, employee monitoring of email and other communication channels has employee privacy implications for the enterprise. How this monitoring is done in terms of tools and technology often lands with the security team - even though the notice and oversight requirements are the domain of privacy teams. 

And there’s the rub, for CISOs at least. Security leaders may have a larger team or have a seat at tables where the privacy leaders do not, but security itself is downstream of privacy. A new regulation or policy is born first, and then the security team needs to figure out the implications of that policy for a whole slew of scenarios such as this one. And if something goes wrong in the protection of data or how a privacy law or policy is implemented the buck will often stop with the security team.

By understanding, accepting and leveraging this current dynamic, CISOs can begin to find ways to even the playing field, so that accountability is shared between the functions, and the CISO’s posture is elevated to being more strategic and business-outcome focused.

• Embrace collaboration - or pay the price. As mentioned above, security has been downstream of privacy. Today, they need to meet in the middle. Not only to protect an organization’s most valuable assets - its data and reputation - but because the C-suite and the Board expect it. Frankly, most Boards don’t really understand the difference between the respective roles and responsibilities of privacy and security. What they really care about is risk exposure.  

To manage that risk, a spirit of cooperation and collaboration is essential–as equal, respected partners (regardless of fancy degrees or technical prowess). There are significant benefits of this to both teams, but for the CISO it enables them to get off defense and take a more proactive role in managing risk in concert with their privacy counterparts. Even more important, by working together, the chance of something falling between the cracks is minimized. When these teams work in silos, it’s often at cross-purposes and even in competition with one another - for budget, attention and credibility. And we know how well that goes over within an enterprise. 

So what does “collaboration” look like?  As mentioned before, enterprises structure their teams in different ways. Depending on whether yours is closely adjacent, combined or cobbled together will often determine how easy or challenging it will be to work together. But don’t let org structure be an obstacle. There are many opportunities to collaborate independent of where a function resides.  

Incident response planning is a good place to start. Often breaches (which the security team manages) involve personal data (which the privacy team is charged with protecting.)  Collaborating on your incident response plan - and doing tabletop exercises so that both entities are appropriately involved - is a great in-the-trenches-together way to team up and identify gaps, overlap and weak spots.

Another opportunity is to share strategies, even philosophies, of how you each approach your mission. This does not involve cross-training each other - privacy and security are still very different animals when it comes to expertise and daily responsibilities - but rather ensures there is an awareness and understanding of each other’s operating framework. For instance, the National Institute of Standards and Technology (NIST) has developed frameworks with both privacy and security considerations. If your organization adopts the NIST frameworks, coming together to understand the shared principles across functions may be beneficial.

The cost of not collaborating can be high. Financial penalties, reputational harm and loss of business can all occur when personal data is compromised. By structuring teams and processes in a way that enables an intersectional, collaborative approach, these problems can be avoided. 

• Raise Your Privacy IQ. I get it. When you work in security you’re constantly inundated with information. But a little learning can go a long way to enable a more informed position when working with your privacy partners.

As more and more privacy regulations come into being, the potential fines and penalties for non-compliance will drive at least some of the security spend a CISO must make.

So how can you intelligently spend without a general understanding of laws like GDPR or CCPA? A CISO need not understand these laws in fine detail - that’s the privacy officer’s job - but some knowledge is essential to knowing how best to protect the data these laws govern.  

Likewise, Privacy teams need to understand enough about tech solutions like MFA and zero trust to the degree that it helps them speak to technical teams in a language they can understand. Going further, CISOs can help CPOs understand what is involved in protecting data beyond legal requirements. In cobbled together orgs, privacy responsibilities are distributed among security personnel and non-privacy lawyers, and may need more support (and spend) on privacy services, or increasingly, by leveraging skillfully-built SaaS platforms like ours that can fill in the gaps. 

• Plan for a privacy-first future.  By now you’re acutely aware that people are serious about protecting their private information - and they have a strong partner in state and federal governments and regulators who take enforcement actions. And that, while the social push to protect an individual’s privacy has accelerated, the process to manage it from the enterprise has remained almost frozen in time - making your job even harder. 

However, CISOs have a secret weapon: significant expertise in acquiring and deploying technical solutions. Privacy teams, for the most part, do not. As you gain more insight into the privacy world and collaborate to secure personal data, you’ll likely see how privacy teams have tried to track their policies, programs and metrics using a variety of processes or tools. Perhaps you’ve been on the receiving end of these efforts - for instance, when product requirements from the privacy team were either not fully documented or an update to a policy wasn’t communicated in a way that the security team could use.

As the owner of an already unwieldy security tech stack, CISOs know that a point solution to manage privacy isn’t likely the answer to these inefficiencies. And that checklists and outdated modes of communicating privacy requirements have resulted in gaps and increased risk.

What CISOs Need To Do Now

CISOs are incentivized to see that going forward, privacy is managed in a more efficient way so that their team can understand requirements, communicate progress and over time, analyze trends. And, to do so in an environment where both the privacy experts and the security experts can work together to see how enterprise projects are moving through each critical stage, in a fully transparent, fully tracked way.  

We built PrivacyCode as a SaaS platform so that privacy and security teams can seamlessly work together on privacy implementations in the language that both teams understand, while gaining valuable reporting and insights. Our solution empowers security teams - who are not privacy experts but who often take on privacy work because of the adjacencies of the two fields - to meaningfully track, measure and prove the effectiveness of their privacy work. 

If you’re a CISO or security professional who is interested in helping to solve the privacy management paradox for your organization, reach out to us. We’d love to hear from you. Meanwhile, as you continue to work hard to protect your enterprise, remember that even superheroes need a day off.