As a former chief privacy officer (CPO) of a publicly traded commercial real estate services firm, Maria D’Avanzo worked in close partnership with her company’s chief information security officer (CISO). They had regular meetings, shared information and issued joint messages and guidance on topics that had both privacy and security implications. Here, D’Avanzo explores the important lessons this collaboration taught her — including the fact that too few organizations prioritize collaboration between CPOs and CISOs.
If we’re to be more proactive in identifying and preventing privacy and security risks, CPOs and CISOs must work together now more than ever. Security teams can’t protect personally identifiable information (PII) like names, Social Security numbers, home address, phone numbers and personal email addresses if they don’t understand what and where the information is; and privacy teams can’t exist in a company without the security controls in place to protect PII.
Private information won’t remain private if it isn’t protected properly. Once the privacy team understands and tracks how the company intends to collect, store, use, process and dispose of PII, the security team can then develop and implement appropriate safeguards to protect that PII.
Costly consequences of not collaborating
The costly consequence of privacy and security failures is illustrated in a recent case where a leading financial services organization agreed to pay $35 million to settle SEC charges that the company failed to properly safeguard customer PII by:
- Hiring a moving and storage company with no experience in data destruction services to decommission thousands of hard drives and servers containing customer PII.
- Failing to monitor the moving company’s work which resulted in failing to know that the moving company sold thousands of company devices (including servers and hard drives, some of which contained customer PII) to a third party, which further resulted in the resale of the servers and hard drives on an internet auction site without removal of the customer PII.
- Losing 42 decommissioned local office and branch servers, all of which potentially contained unencrypted customer PII and consumer report information. While the local devices being decommissioned were equipped with encryption capability, the company failed to activate the encryption software.
The company clearly violated its customers’ privacy rights (a privacy failure) by not safeguarding its customers’ PII (a security failure). Gurbir S. Grewal, director of the SEC’s Enforcement Division, described these failures as astonishing. He went on to point out that “[i]f not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.” The $35 million penalty to settle the SEC charges was intended as a “clear message to financial institutions that they must take seriously their obligation to safeguard [PII].”
Finding common ground from different perspectives
Data security and data privacy are separate, yet related, concepts, and the same goes for executives in charge of these areas. CISOs and CPOs have different educations and sit in different parts of the organization. The CISO tends to be versed in technology, typically has an IT background and uses technology to protect the company and its data. CISOs most often report to the CIO/CTO or directly to the board. The CPO, on the other hand, tends to be either a legal or compliance specialist who interprets and applies law for a corporation and reports to the general counsel or chief compliance officer.
Because both roles are tasked with looking after data, they can both benefit from working together. CPOs are more likely to be directly involved in data audits and, therefore, to know what data is used and stored by different teams and departments in the business, for what reasons and where. They can help CISOs better spread the message of security throughout the business.
CISOs can help CPOs understand what is involved in protecting data beyond legal requirements. Given their legal or privacy backgrounds, CPOs need CISOs to help educate them on best security practices, so privacy officers can raise concerns when something doesn’t feel quite right.
Privacy and security professionals both need to understand how different teams across the business organize their work and how they operate and intersect. Only then can both functions provide practical data protection advice that not only satisfies regulations, such as GDPR and CCPA but also highlights the critical value of data protection to the business. Good data protection and governance requires that everyone in the company understands (through ongoing communication and training) the need for privacy and security and feels responsible when dealing with data in their day-to-day activities.
Driving strategy between data privacy and information security
While CISOs protect the organization and its data and CPOs protect the interests of its data subjects, both are looking to achieve the same thing — protecting the company through appropriately balanced risk management.
Handling data breaches provides a good example of how collaboration can work. Imagine a company’s supplier experiences a data incident, which puts the company’s employee data at risk. The company’s CPO and CISO work together to manage the incident itself and mitigate the risk to company employees and systems. They then quickly pivot and look at “lessons learned,” taking a critical look at their vendor risk assessment process and asking some critical questions:
- Are we doing enough in that area?
- Is our standard contractual language robust enough?
- Do we need to update the information security standards we require of our vendors?
- Do CPOs and CISOs have a veto in onboarding new vendors?
- Was there anything we could have done to better protect our data?
Working together in this way creates alignment on what is important, what needs investment and what messages to share with executive leadership and the board.
What does the future look like for information security and privacy?
While more collaboration is likely, there is a risk that the CPO and CISO find potential areas of disagreement. As more tools become available or the functionality of existing tools improves, there is a risk that organizations consciously, or unconsciously, infringe on privacy rights.
Email monitoring software, for example, presents privacy challenges for CPOs. CISOs, however, find value in such software, especially with respect to detecting or preventing data loss. In Europe, the systematic monitoring of emails is frowned upon due to the privacy rights of individuals. We are also now seeing U.S. states focus on employee rights in this area.
In May 2022, for instance, New York enacted a law requiring employers to issue a formal notice to employees stating that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee … may be subject to monitoring at any and all times by any lawful means.” The law further provides that employers must provide this written notice “upon hiring to all employees who are subject to electronic monitoring” and the notice must be “acknowledged by the employee either in writing or electronically.”
With a view toward new and emerging information security and data privacy initiatives and regulations, CPOS and CISOs have a unique opportunity to work together to protect company systems, data, employees, and customers. With a common purpose, and ongoing discussions and collaboration, everyone benefits when CPOs and CISOs combine efforts and strengths.
Read Traliant’s free guide, “Responding to Data Privacy and Security Incidents: 4 Steps to Building Collaboration Between CPOs and CISOs,” to learn the proactive measures your organization can take today to effectively respond to a data privacy or security incident or breach.
With a mission to transform compliance training from boring to brilliant, Traliant’s award-winning training helps organizations create and maintain inclusive, respectful and ethical workplaces. Our modern approach to eLearning is designed to motivate positive behavior through realistic video scenarios and up-to-date content that is interactive, easy to customize and connects with today’s mobile workforce.
Traliant currently serves over 8,000 organizations across industries. Backed by PSG, a leading growth equity firm, Traliant is ranked on Inc.’s 2021 and 2022 list of the 5000 fastest-growing private companies in America, and on Deloitte’s 2021 Technology Fast 500.
Get an Instant Course Preview Today at www.traliant.com.