The Evolving Role of CISOs: Embracing Privacy Management
In an era where data breaches and privacy concerns dominate headlines, the role of Chief Information Security Officers (CISOs) is undergoing a significant transformation. Mark Eggleston, the current CISO at CSC, a provider of business administration and compliance solutions, has witnessed this evolution firsthand. Years ago, when tasked with building a privacy program for a national healthcare provider, he recognized the critical importance of cross-functional collaboration. This collaboration is now more essential than ever as CISOs increasingly take on responsibilities related to privacy management.
The Intersection of Privacy and Security
Eggleston recalls the challenges he faced in navigating the complexities of privacy regulations, particularly the Health Insurance Portability and Accountability Act (HIPAA). "I needed legal experts to debate the HIPAA Privacy, NPRM [Notice of Proposed Rulemaking], final rule, and guidance and convert those requirements into internal policies," he explains. This necessity for collaboration highlights a growing trend: the intertwining of privacy management and cybersecurity.
According to research from IANS, the percentage of CISOs who own privacy responsibilities has surged from 35% to 47% over the past five years. This shift reflects a broader recognition that privacy and security are not separate domains but rather interconnected facets of organizational risk management. As regulatory pressures mount and concerns about emerging technologies like artificial intelligence (AI) grow, CISOs are increasingly seen as the natural fit to oversee privacy controls.
The Blurring Lines of Responsibility
Traditionally, privacy was the domain of legal or compliance teams, while CISOs focused on safeguarding organizations from cyber threats. However, as Rebecca Herold, CEO of The Privacy Professor, points out, the line between these areas is blurring. "When a CISO conducts a risk assessment or looks at data flow, they’re already thinking about how to protect that information," she says. Incorporating privacy into the CISO’s role formalizes what many are already doing.
Yunique Demann, senior director and data protection officer at NTT Data Americas, echoes this sentiment. With her background in both security and privacy, she notes that the rise in data breaches and regulatory scrutiny has made CISOs a natural fit for overseeing privacy controls. "Privacy is one of many areas that have impacted a CISO’s role," she states.
Why CISOs Are Taking on Privacy Roles
One of the primary drivers behind this shift is the evolving regulatory landscape. Privacy laws such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States impose stringent requirements on organizations to protect personal data. As Eggleston highlights, "Most CISOs are already working strongly with human resources and legal teams, and the focus on privacy makes it paramount to continue to do so."
The integration of privacy into the NIST Cybersecurity Framework further underscores this trend. As CISOs take on more privacy duties, they must balance these responsibilities with their traditional focus on cybersecurity. Demann emphasizes the importance of operational privacy responsibilities being assigned to a Data Protection Officer (DPO) while maintaining a reporting line into security to mitigate potential conflicts of interest.
The Impact of Technology on Privacy Management
Advancements in technology, particularly the rise of AI, are also contributing to the expanded role of CISOs in privacy management. A recent survey from the International Association of Privacy Professionals (IAPP) found that 69% of chief privacy officers now have additional responsibilities for AI governance, and 37% for cybersecurity regulatory compliance. Demann explains that many aspects of AI require scrutiny from both privacy and security perspectives. "Privacy risks occur when the use of AI conflicts with these fundamentals and lacks transparency," she warns.
The ethical implications of AI usage, particularly regarding consent and bias, further complicate the landscape. Demann stresses the need for clear and explicit consent from individuals whose data is being utilized, highlighting the risks associated with hidden consent practices.
Reskilling for Privacy Management
As the responsibilities of CISOs expand, so too do the skills required for effective privacy management. Demann emphasizes that privacy is fundamentally about protecting individuals’ rights and ensuring compliance with applicable laws. This necessitates a deeper understanding of legal, ethical, and regulatory frameworks, as well as a focus on data governance, consent management, and transparency.
CISOs are encouraged to engage with privacy communities, collaborate with privacy leads, and actively seek opportunities to expand their knowledge of privacy issues. Regular communication and joint initiatives with Chief Privacy Officers (CPOs) and legal departments can help create a unified approach to privacy and security.
Eggleston highlights the importance of staying informed through think tank digests, privacy updates from law firms, and ongoing discussions with staff in each jurisdiction where the organization operates. He notes that many countries in the EMEA region have more detailed and stringent privacy requirements, citing Luxembourg's Professional Secrecy obligation as an example.
Looking Ahead: The Future of Privacy and Security
As the role of CISOs continues to evolve, they must be prepared to navigate emerging privacy trends, regardless of whether privacy falls directly within their purview. The integration of privacy and security is not just a trend; it is a necessity for organizations aiming to protect both company data and individuals’ rights.
"Security is about confidentiality, and privacy is fundamentally about confidentiality," Eggleston concludes. "Privacy and security are stronger together." As organizations face increasing scrutiny from regulators and the public, the collaboration between privacy and security functions will be crucial in building trust and ensuring compliance in an ever-changing digital landscape.