EU Privacy Regulation - Is It Such a Bad Thing for a CISO?
We recently had a conversation on the topic of privacy from the legal perspective with Elle Todd, a partner at Reed Smith who specializes in this area of the law. During the conversation, a number of interesting observations around privacy regulation came to mind.
Privacy Regulation Can Be a Good Thing
Firstly, privacy regulation can be a good thing. Often when any issue of compliance or regulation is mentioned, it is seen as yet another set of controls to be implemented or a new reporting overhead, all to be done by the CISO within a constrained budget and with a shortage of resources. Allow me to explain.
I spoke with a group of CISOs at Cisco Live in Barcelona. We covered a variety of topics and concerns. One of the first points we discussed was that privacy is not a “security issue” — it is a business issue. So the responsibility cannot just be dumped onto the CISO. It has to be taken seriously by the overall business, as customers and consumers are taking the issue seriously. They value their data, so it is a business imperative that personal data is understood and protected in line with the appropriate regulation. A clear stance on privacy can be a business differentiator.
A further advantage of a business-owned and led approach to privacy is that it results in a clearer picture of what data is really needed by an organisation. It also helps identify where the data is held and who owns it. Often for a CISO protecting the data is the easy part. Finding where it is held is the hard part.
CISOs Are Concerned About a Lack of Technical Talent
On the point of a shortage of technical resources, the CISOs expressed this as their main concern. Not only was there an internal resource shortage, but it was difficult to find technical resources in partners and suppliers. Technical help needed to implement or upgrade solutions is a major constraint holding back their security programmes.
CISOs Can Create a Privacy Operations Centre
The CISO’s role will be important because of their experience in breach situations. One idea being put forward by Cisco CISO Adviser Chris Leach is that CISOs should start to think about the idea of a Privacy Operations Centre. We have long had NOCs (network operations centres) for the networks and SOCs (security operations centres) for the security teams. Perhaps now we should look at developing POCs (Privacy Operations Centres) for the privacy teams.
From an operational perspective, the management of the data and the Information Lifecycle Management function will probably still be part of the greater IT department. Ensuring that private data is stored in a secure fashion, by adding controls over who accesses what and how, can limit data flowing out without a due purpose. These controls work to prevent a breach from happening and the wrong people getting hold of data they shouldn’t have. Duo’s 2FA (two-factor authentication) protects identity access up front by using multiple factors to confirm a user’s identity, and through robust policy controls that add security to endpoints. If a business-led privacy programme helps the CISO get the support they need to protect the organisation better, then it will be a great help all round.
Hope you enjoy the discussion in the video.