The Increasing Privacy Responsibilities of CISOs

In recent years, there has been a noticeable shift in the responsibilities of chief information security officers (CISOs) within organizations. Mark Eggleston, a seasoned CISO at CSC, a provider of business administration and compliance solutions, has witnessed this transformation firsthand. Reflecting on his experience building a privacy program for a national healthcare provider, Eggleston emphasizes the critical role of cross-functional collaboration in addressing privacy concerns.

Eggleston highlights the necessity of legal expertise in translating regulatory requirements, such as the HIPAA Privacy Rule, into internal policies. He also underscores the role of technical controls, which both enforce those policies and improve operational efficiency. These insights shed light on an evolving landscape in which CISOs increasingly shoulder responsibility for privacy management within their organizations.

According to a recent report from IANS, the ownership of privacy functions by CISOs has risen significantly from 35% to 47% over the past five years. This trend is driven by the convergence of privacy management and cybersecurity, propelled by regulatory pressures, concerns surrounding emerging technologies like artificial intelligence (AI), and the persistent threat of data breaches.

Traditionally, privacy and security were considered distinct areas of focus within organizations, with legal and compliance teams handling privacy matters while CISOs concentrated on cybersecurity. However, this demarcation is becoming increasingly blurred, leading to more CISOs assuming privacy-related responsibilities.

Rebecca Herold, CEO of The Privacy Professor and an IANS faculty member, emphasizes that integrating privacy into the CISO role formalizes the existing practices of safeguarding sensitive information. Yunique Demann, a senior director and data protection officer at NTT Data Americas, echoes the sentiment, noting the natural alignment between CISOs and privacy controls given the rising regulatory scrutiny and data privacy concerns.

The evolving regulatory landscape, marked by laws such as the GDPR in Europe and the CCPA in the US, necessitates robust privacy controls within organizations. This regulatory environment places the CISO in a pivotal role in overseeing privacy efforts, as underscored by Eggleston’s dual role as a CISO and chief privacy officer (CPO).

As CISOs navigate the expanding realm of privacy management, striking a balance between privacy and cybersecurity remains paramount. Demann highlights the importance of segregating operational privacy responsibilities by appointing a data protection officer (DPO) while maintaining a reporting line into security functions.

Furthermore, advancements in technology, particularly the integration of AI, are reshaping the role of CISOs in privacy management. A survey by the International Association of Privacy Professionals (IAPP) finds that chief privacy officers are increasingly tasked with AI governance and cybersecurity compliance, emphasizing the heightened scrutiny required in these areas.

Reskilling initiatives are essential for CISOs to effectively manage privacy functions, with a focus on legal, ethical, and regulatory frameworks. Engaging with privacy communities, collaborating with privacy leads, and expanding knowledge of privacy issues are key recommendations put forth by Demann.

In conclusion, as CISOs navigate the evolving landscape of privacy management, collaboration with CPOs and legal departments is essential to ensure compliance and alignment with organizational goals. As the roles of CISOs continue to expand, staying informed about emerging privacy trends and evolving regulations will be crucial in safeguarding company data and individual rights. Eggleston aptly summarizes the symbiotic relationship between privacy and security, emphasizing their collective strength in ensuring organizational resilience.
