Corporate Compliance Insights
Sponsored

Allies in Privacy, Security & Compliance: Why Closer Collaboration Between CPOs and CISOs Benefits Everyone

Properly protecting private information means working as a team

by Maria D'Avanzo
September 28, 2022
in Cybersecurity, Data Privacy

As a former chief privacy officer (CPO) of a publicly traded commercial real estate services firm, Maria D’Avanzo worked in close partnership with her company’s chief information security officer (CISO). They had regular meetings, shared information and issued joint messages and guidance on topics that had both privacy and security implications. Here, D’Avanzo explores the important lessons this collaboration taught her — including the fact that too few organizations prioritize collaboration between CPOs and CISOs.

If we’re to be more proactive in identifying and preventing privacy and security risks, CPOs and CISOs must work together now more than ever. Security teams can’t protect personally identifiable information (PII) like names, Social Security numbers, home addresses, phone numbers and personal email addresses if they don’t understand what the information is and where it lives; and privacy teams can’t function in a company without the security controls in place to protect PII.

Private information won’t remain private if it isn’t protected properly. Once the privacy team understands and tracks how the company intends to collect, store, use, process and dispose of PII, the security team can then develop and implement appropriate safeguards to protect that PII.

Costly consequences of not collaborating

The costly consequence of privacy and security failures is illustrated in a recent case where a leading financial services organization agreed to pay $35 million to settle SEC charges that the company failed to properly safeguard customer PII by:

  • Hiring a moving and storage company with no experience in data destruction services to decommission thousands of hard drives and servers containing customer PII.
  • Failing to monitor the moving company’s work. As a result, the company did not know that the moving company had sold thousands of its devices (including servers and hard drives, some of which contained customer PII) to a third party, which in turn resold the servers and hard drives on an internet auction site without the customer PII having been removed.
  • Losing 42 decommissioned local office and branch servers, all of which potentially contained unencrypted customer PII and consumer report information. While the local devices being decommissioned were equipped with encryption capability, the company failed to activate the encryption software.

The company clearly violated its customers’ privacy rights (a privacy failure) by not safeguarding its customers’ PII (a security failure). Gurbir S. Grewal, director of the SEC’s Enforcement Division, described these failures as astonishing. He went on to point out that “[i]f not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.” The $35 million penalty to settle the SEC charges was intended as a “clear message to financial institutions that they must take seriously their obligation to safeguard [PII].”

Finding common ground from different perspectives

Data security and data privacy are separate, yet related, concepts, and the same goes for executives in charge of these areas. CISOs and CPOs have different educations and sit in different parts of the organization. The CISO tends to be versed in technology, typically has an IT background and uses technology to protect the company and its data. CISOs most often report to the CIO/CTO or directly to the board. The CPO, on the other hand, tends to be either a legal or compliance specialist who interprets and applies law for a corporation and reports to the general counsel or chief compliance officer.

Because both roles are tasked with looking after data, they can both benefit from working together. CPOs are more likely to be directly involved in data audits and, therefore, to know what data is used and stored by different teams and departments in the business, for what reasons and where. They can help CISOs better spread the message of security throughout the business.

CISOs can help CPOs understand what is involved in protecting data beyond legal requirements. Given their legal or privacy backgrounds, CPOs need CISOs to help educate them on best security practices, so privacy officers can raise concerns when something doesn’t feel quite right.

Privacy and security professionals both need to understand how different teams across the business organize their work and how they operate and intersect. Only then can both functions provide practical data protection advice that not only satisfies regulations, such as GDPR and CCPA, but also highlights the critical value of data protection to the business. Good data protection and governance requires that everyone in the company understands (through ongoing communication and training) the need for privacy and security and feels responsible when dealing with data in their day-to-day activities.

Driving strategy between data privacy and information security

While CISOs protect the organization and its data and CPOs protect the interests of its data subjects, both are looking to achieve the same thing — protecting the company through appropriately balanced risk management.

Handling data breaches provides a good example of how collaboration can work. Imagine a company’s supplier experiences a data incident, which puts the company’s employee data at risk. The company’s CPO and CISO work together to manage the incident itself and mitigate the risk to company employees and systems. They then quickly pivot and look at “lessons learned,” taking a critical look at their vendor risk assessment process and asking some critical questions:

  • Are we doing enough in that area?
  • Is our standard contractual language robust enough?
  • Do we need to update the information security standards we require of our vendors?
  • Do CPOs and CISOs have a veto in onboarding new vendors?
  • Was there anything we could have done to better protect our data?

Working together in this way creates alignment on what is important, what needs investment and what messages to share with executive leadership and the board.

What does the future look like for information security and privacy?

While more collaboration is likely, there is a risk that the CPO and CISO find potential areas of disagreement. As more tools become available or the functionality of existing tools improves, there is a risk that organizations consciously, or unconsciously, infringe on privacy rights.

Email monitoring software, for example, presents privacy challenges for CPOs. CISOs, however, find value in such software, especially with respect to detecting or preventing data loss. In Europe, the systematic monitoring of emails is frowned upon due to the privacy rights of individuals. We are also now seeing U.S. states focus on employee rights in this area.

In May 2022, for instance, New York enacted a law requiring employers to issue a formal notice to employees stating that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee … may be subject to monitoring at any and all times by any lawful means.” The law further provides that employers must provide this written notice “upon hiring to all employees who are subject to electronic monitoring” and the notice must be “acknowledged by the employee either in writing or electronically.”

With a view toward new and emerging information security and data privacy initiatives and regulations, CPOs and CISOs have a unique opportunity to work together to protect company systems, data, employees and customers. With a common purpose, and ongoing discussions and collaboration, everyone benefits when CPOs and CISOs combine efforts and strengths.

Read Traliant’s free guide, “Responding to Data Privacy and Security Incidents: 4 Steps to Building Collaboration Between CPOs and CISOs,” to learn the proactive measures your organization can take today to effectively respond to a data privacy or security incident or breach.

About Traliant

With a mission to transform compliance training from boring to brilliant, Traliant’s award-winning training helps organizations create and maintain inclusive, respectful and ethical workplaces. Our modern approach to eLearning is designed to motivate positive behavior through realistic video scenarios and up-to-date content that is interactive, easy to customize and connects with today’s mobile workforce.

Traliant currently serves over 8,000 organizations across industries. Backed by PSG, a leading growth equity firm, Traliant is ranked on Inc.’s 2021 and 2022 list of the 5000 fastest-growing private companies in America, and on Deloitte’s 2021 Technology Fast 500.

Get an Instant Course Preview Today at www.traliant.com.


Tags: California Consumer Privacy Act (CCPA), Cyber Risk, GDPR

Maria D'Avanzo

Maria D’Avanzo is the chief evangelist officer at Traliant, an online compliance training provider. She has 30 years’ experience as an attorney and chief ethics and compliance officer at financial institutions and publicly traded global organizations, where she built both ethics and compliance programs and global data privacy programs from the ground up. Maria earned her Juris Doctor from St. John’s University School of Law and a Bachelor of Arts degree in political science from the College of the Holy Cross.  She is admitted to practice law in New York and Connecticut and holds NASD Series 24, 7 and 63 financial securities licenses.
