The CISO is responsible for the vision, strategy, and program that ensure the protection of information assets and technologies. As it relates to policies, vendor management, data breaches, and reporting to the board of directors, the CISO plays an integral and sometimes overlapping role with that of the Chief Privacy Officer (CPO) in protecting the brand and reputation of an organization.
So what exactly is the CISO’s role and responsibility as it relates to the increasingly intertwined issues of security and privacy? Let’s add data protection to complicate the discussion for good measure.
For the uninitiated, data privacy may be misconstrued as the same as data security.
In 1976, Turn and Ware defined security as “the procedural and technical measures required to (a) prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm.”
Privacy, on the other hand, is looser as its meaning depends on the context in which it is used. For Vincent Goh, senior vice president, APJ, CyberArk, privacy is concerned with what kind of information organisations process, store and transmit.
“For security, it's always about preventing unauthorised access via breaches or leaks. Privacy is concerned about what kind of information organisations process, store and transmit,” he added.
The ongoing struggles of CISOs
Speaking at both GDS’ European and US Security Digital Summits, Dr Claudia Natanson, chair of the Board of Trustees, UK Cyber Security Council, said “security is not treated as a business function, it’s treated as a technology function.”
And arguably this obsession with technology is distracting everyone from the reality that most information security breaches are caused by humans irrespective of intent.
Goh posits that a lot has changed for CISOs, particularly during the pandemic. He argues that CISOs need to think about infrastructure and identity, and to keep up with innovations in cloud, as-a-service adoption, DevOps and zero trust.
“The pandemic has accelerated the effects as companies are forced to work from home. CISOs are forced to deal with this remote workforce, and it has changed the traditional strategy which is focused on perimeter defence and protecting people within the company's network and boundaries. But now they need to think about extending the capability to using cloud services,” he continued.
Do not overstep responsibility
Asked how the CISO can perform this function without overstepping the bounds of responsibility, Goh skirts the question, saying that privacy is about using information responsibly and keeping it private, while security is about keeping it safe. They are complementary, and it should be a collaboration, not a competition.
“The CPO's role is to dictate internal policies and programs and make sure data is compliant with local privacy laws. They also need to balance the costs of maintaining privacy versus a company's business objective. The CISO is focused on building and managing systems to protect the company's data,” he continued.
Separating privacy from security
Goh suggests being diligent about basic cyber hygiene habits. He adds that configuring systems properly is one of the biggest issues people face, and that the key is to back up regularly.
He warns that customer privacy should come before profitability. “You either respect or lose it. Customers are demanding honesty and transparency from companies. They want to know that their data is handled responsibly,” he added.
Tips for 2022
Privacy continues to move up the scale of importance, not just for the CISO and CIO but for the rest of the C-suite and the Board. In the Cisco 2022 Data Privacy Benchmark Study, 94% of respondents report one or more privacy-related metrics to the Board.
The most-reported metrics include Privacy Program Audit findings (34%), Personal Data Breaches (33%), and the results of Privacy Impact Assessments (32%).
As for his tips to CISOs on being effective in their role in 2022, the first thing Goh suggests is to have constructive paranoia.
“How you wake up thinking dictates the way you respond daily. It's important to always do defence in depth strategy when it comes to cybersecurity. Think like an attacker, conduct red team exercises to look at where the blind spots are,” he suggested.
Second, he suggested raising employees' awareness of cybersecurity. Third, companies should review their processes, strategy, and implementation to make sure they are keeping up. Finally, accept that identity is the new perimeter.
“My suggestions are to use strong passwords and change them regularly, especially privileged credentials. Secondly, use multi-factor authentication, adopt the least privilege approach, and don't give privilege to users if you don't have to, and don't provide standing access,” he concluded.
Click on the PodChat player to listen to Goh explain how the CISO can be effective in managing the forces pulling security and privacy in different directions.
- The terms security and privacy are often used interchangeably. What’s the difference between data security and data privacy?
- What are the various struggles faced by a CISO when it comes to ensuring data security and data privacy?
- Has this changed with the pandemic?
- Where the Chief Privacy Officer role exists, how does the CISO perform his/her role without overstepping the bounds of his/her responsibility?
- Our topic is the CISO in the crosshairs of security and privacy. What needs to happen from an infrastructure point of view?
- Transparency and trust will be a key priority for consumers in 2022. How can businesses build and maintain trust effectively?
- What are your tips for CISOs?