[BreachExchange] Why DPOs and CISOs Must Work Closely Together
Destry Winant
destry at riskbasedsecurity.com
Thu Jan 23 10:11:25 EST 2020
https://www.darkreading.com/attacks-breaches/why-dpos-and-cisos-must-work-closely-together/a/d-id/1336840
Recent data protection laws mean that the data protection officer and
CISO must work in tandem to make sure users' data is protected.
With strict data protection laws in place around the world (including
GDPR and CCPA), it's vital that the data protection officer (DPO) and
CISO work closely together. Although part of the DPO's job is to audit
the CISO's security policies, it is essential that the DPO and CISO
have a good rapport. Essentially, CISOs are concerned with security
and confidential data, and DPOs are focused on privacy and personal
data.
The CISO examines security issues from a business and operations
standpoint. While bolstering an organization's cybersecurity posture,
the CISO strives to ensure that all company information is securely
processed. The DPO is primarily concerned with how the organization
handles personal data: data minimization, communication with data
subjects, management of data-subject rights, storage limitation, data
collection, and data processing.
Data Minimization
One of the DPO's main goals is to ensure that no unnecessary customer
data is processed. Any personal data that is processed should not be
kept beyond the retention period committed to in the privacy policy,
and customers must be informed about the nature of the processing.
Data minimization involves storing less personal data, which shrinks
the overall attack surface. This is important when it comes to the
collaboration between the DPO and CISO. With the DPO helping to
minimize the amount of collected data, the CISO is able to maintain a
higher level of security.
For example, perhaps your organization issues a sign-up form that asks
for an email address, phone number, and Social Security number. The
CISO will mostly be concerned with how the data is protected.
Conversely, the DPO will likely ask questions such as, "Why are we
even collecting this information?" and "Do we need to process (store,
use, or transfer) this data?" By asking questions like these, the DPO
helps the CISO's security team effectively — and proactively — protect
data.
Create an Activity Register
In modern digital organizations, there are many data flows coming from
a variety of different sources. By creating a register, the DPO can
help the CISO monitor the various data flows. An effective activity
register will answer questions such as "Where exactly is this
information being used?," "Who is using it?," and "To whom is this
data being transferred?" Again, the CISO is interested in this
information from a security standpoint, and the DPO has privacy
concerns.
During the creation of an activity register, assess whether the data
is personal in nature. Sometimes, whether the data is personal depends
on the context. For example, perhaps a customer only provides a
company with her home address. If this home address can be traced back
to the individual, then it's personal data. Due to nuances like these,
it's helpful to have a DPO with a legal background.
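The register described above lends itself to automated review. The following is an added example, not code from the article or from Dark Reading: a small activity register (record of processing activities) held as plain data, with the checks a DPO and CISO would want run over it. The field names, the list of identifying and high-risk items, and the sample entries are all constructed for illustration.

```javascript
// Added example, not from the article: a small "activity register" and the
// review a DPO and CISO would run over it. The register format, field names,
// item classifications and sample entries are all constructed.

// Data items that identify a person on their own or in context (assumed list).
const IDENTIFYING = new Set(['email', 'phone', 'home_address', 'ssn', 'ip_address']);
// Items that need a written justification before they may be collected (assumed).
const HIGH_RISK = new Set(['ssn']);

// Constructed sample register: one entry per processing activity.
const REGISTER = [
  {
    activity: 'account signup',
    dataItems: ['email', 'phone', 'ssn'],
    personal: true,
    purpose: 'create and verify a customer account',
    lawfulBasis: 'contract',
    retentionDays: 365,
    usedBy: ['customer-support', 'billing'],
    transfersTo: ['identity-verification-vendor'],
  },
  {
    activity: 'contact form',
    dataItems: ['home_address', 'message'],
    personal: false, // mis-classified: a home address traces back to a person
    purpose: 'answer enquiries',
    lawfulBasis: '',
    retentionDays: 0,
    usedBy: ['sales'],
    transfersTo: [],
  },
  {
    activity: 'server error logs',
    dataItems: ['stack_trace'],
    personal: false,
    purpose: 'debug outages',
    lawfulBasis: '',
    retentionDays: 30,
    usedBy: ['sre'],
    transfersTo: [],
  },
];

// Returns a list of findings; an empty list means the register passed review.
function reviewRegister(register) {
  const findings = [];
  for (const e of register) {
    const identifying = e.dataItems.filter((d) => IDENTIFYING.has(d));
    // Classification check: the DPO's "is this personal data?" question.
    if (!e.personal && identifying.length > 0) {
      findings.push(`${e.activity}: marked non-personal but holds ${identifying.join(', ')}`);
    }
    const treatAsPersonal = e.personal || identifying.length > 0;
    if (!treatAsPersonal) continue;
    // Questions every entry holding personal data must answer.
    if (!e.purpose) findings.push(`${e.activity}: no stated purpose`);
    if (!e.lawfulBasis) findings.push(`${e.activity}: no lawful basis recorded`);
    if (!(e.retentionDays > 0)) findings.push(`${e.activity}: no retention period`);
    if (e.usedBy.length === 0) findings.push(`${e.activity}: personal data nobody uses (minimisation candidate)`);
    // Data minimisation: high-risk items need a documented justification.
    for (const d of e.dataItems) {
      if (HIGH_RISK.has(d) && !(e.justification && e.justification[d])) {
        findings.push(`${e.activity}: collects ${d} without a documented justification`);
      }
    }
    // Each recipient is a data flow the CISO must secure and the DPO must disclose.
    for (const r of e.transfersTo) {
      if (!(e.transferSafeguards && e.transferSafeguards[r])) {
        findings.push(`${e.activity}: transfer to ${r} has no recorded safeguard`);
      }
    }
  }
  return findings;
}

console.log(reviewRegister(REGISTER).join('\n'));
```

Run with `node register.js`; on the constructed register it reports the unjustified SSN collection and unsafeguarded vendor transfer in the signup activity, and the mis-classified, basis-less, retention-less contact form, while the non-personal error log passes. The point of keeping the register as data is that the review can be re-run whenever a team adds a field or a recipient, rather than once a year.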
Data Protection by Design
Another way that the DPO and CISO can effectively work together is
during product inception. By working closely with an organization's
developers, the DPO and CISO can proactively build data protection
into the company's products.
For example, during the creation of essential and nonessential
cookies, the CISO will have concerns related to security
vulnerabilities, and the DPO will have privacy concerns. From a
security perspective, the CISO wants to ensure that the essential
cookies, those used for tracking logged-in sessions and providing
user-related functionality, are protected so that they cannot be
stolen or forged and used to impersonate a user.
And from a privacy perspective, the DPO will be concerned about
nonessential cookies, such as advertising cookies used to display ads.
The DPO must ensure that the list of cookies is displayed to the
website users, and that users can opt out of nonessential cookies
without significantly degrading the site's functionality.
Thus, close collaboration between the CISO and the DPO during the
cookie creation process can be effective from both a privacy and a
security standpoint.
Handling Breaches and Privacy Violations
Another instance in which DPOs and CISOs should work closely together
is in the event of a data breach or privacy violation. These are often
distinct events. For example, perhaps a customer is given a contact
form, and the phone number is used later to sell him or her a product.
If there was not a link to the privacy policy on the contact form,
this would be a privacy violation, but not a breach. Alternatively,
perhaps there was a data breach; however, only source code was stolen.
This would be a data breach but not a privacy violation.
Nevertheless, to assess the situation, the DPO and the CISO should
closely collaborate. This is especially important during a breach, as
fines can be incurred if the company doesn't alert authorities about
an incident in time (under GDPR, the supervisory authority must
generally be notified within 72 hours of the organization becoming
aware of a personal data breach).
Impact Assessments
After a breach, organizations should conduct a risk assessment during
which the DPO functions in an advisory role. In addition to auditing
the CISO's existing security infrastructure, the DPO should offer
advice for the future. With the help of the CISO, the DPO can answer
questions such as "Can an incident like this happen elsewhere?," "How
can we protect against this moving forward?," and most importantly,
"Should we be collecting this personal data at all?"
Conclusion
By working closely with the CISO, the DPO can help secure data more
efficiently by ensuring that only the most necessary data is collected
and that customers are well-informed about how their data is used and
transferred. With the DPO and CISO working together, data can be
transferred from one place to another both securely and lawfully,
greatly reducing the chance of a security breach and ultimately saving
the organization time and money.