two people walking near each other in a field
PHOTO: Marta Esteban Fernando

The annual Privacy Security and Risk Conference, which is put on by the International Association of Privacy Professionals (IAPP), used to be attended almost exclusively by privacy professionals. But over the last few years, I have seen an increasing number of security and IT professionals in attendance. This was confirmed in one of my presentations at the most recent conference — “Is it time for a CPO-CISO Merger?” — where at least half of the attendees had responsibilities in their organizations for both privacy and security.

Given the changing global regulatory landscape — thanks to the onset of GDPR, the California Consumer Protection Act (CCPA), China’s cybersecurity law and security and breach notification laws abound — I’m not surprised to see the merging of privacy and security roles as an emerging trend in this space. It’s clear that the new normal for privacy laws will require clear, tangible and operational IT security controls.

While both chief privacy officers (CPOs) and chief information security officers (CISOs) may shudder at the idea of taking on any more responsibility than they already have, there are many good reasons for these teams to be closely aligned, even if the roles cannot be combined.

Related Article: Why California's New Privacy Law Signals a Major Shift in the Privacy Landscape

Privacy and Security: More Intertwined Than Ever Before

Both privacy and security regulations now require procedures and technical controls that provide evidence a company is actually complying with the regulations. Historically, however, many organizations use paper-based policies, which go largely unenforced for two reasons:

  • They’re often written by legal and compliance professionals who know very little about the average users within their companies, and therefore aren’t practical to implement or follow. Many privacy professionals, however, are used to writing policies that help their companies match regulatory requirements, but don’t necessarily reflect what their company is doing in practice, or even what is possible in practice.
  • These policies are also often written without consulting the company’s IT and security teams. Because of this, they don’t always reflect what is technically possible to enforce, nor the everyday work of the employees within the organization.

Without privacy, security and IT working together, the reality of true compliance is nearly impossible.

Why Should CPOs and CISOs Work Together?

While CPOs should have primary responsibility for policies that address personal information and how it is collected, used, managed and protected by the organization, CISOs should be responsible for policies that focus on the protection of systems, IT security and how the data is moved and retained. At the end of the day, for policies to be actionable and the organizations to be successful, CISOs and CPOs need to be working together.

This is especially true to ensure the success and safety of an organization’s employees. When left to their own devices, workers tend to make poor or selfish decisions when it comes to their own data management, privacy and security. Most believe that their information is critically important, and tend to keep it for longer than necessary in places where it’s easiest for them to access (instead of in a secured network) because they think they may need it again someday. This can lead to a number of problems, including proliferation of the data across corporate and personal networks and devices, loss of good knowledge management and, of course, an increase in potential security and privacy risk. This is just one tangible example of how the partnership between CPOs and CISOs can mend security issues within organizations.

Related Article: How Much Information Security Is Enough?

The Real Challenge: The Intersection of Policy and Practice

Collaborating on alleviating everyday, common security problems within an organization is the easy part about CPOs and CISOs joining forces. The real challenge comes when working towards implementing policies and measuring their success. Regardless of the source of the mandate, once organizations have created their policies, they then must decide how to enforce them and measure their effectiveness. On the surface, this may seem simple, but creating a policy without any mechanism — whether automated, manual or third-party — to measure and monitor compliance of the policy isn’t effective.

To build effective policies, organizations must not only understand the legal and statutory requirements that will shape the policy, but they must also understand how these policies relate to the business as a whole, including its internal practices, employees and technologies. As a result, education, monitoring and enforcement are crucial to implementing an effective model, as they allow you to both understand and prove compliance — two key aspects to adhering to stringent privacy and security regulations.

It’s also important that leaders surround themselves with employees who have diverse and relevant experience. No one knows everything — even the CPO and CISO — so it’s important to find champions within the organization who have appropriate knowledge and abilities to bring the company to the next level.

Related Article: The Chief Privacy Officer Balancing Act

Privacy and Security, Acting in Conjunction

Privacy officers have seen a big shift in their roles recently in part due to GDPR, but also because of the state of the current breach landscape. As a result, privacy professionals will need to become more fluent in IT and security skills. While it’s not necessarily time for a complete CPO and CISO merger, it is important for these two roles and their teams to work closely together to leverage their unique skill sets and knowledge bases to ensure their organizations comply with their required regulations and protect their important, sensitive data and information.