The GDPR is not just about Security, but it has been dominating the life of many CISOs since last year.
Notoriously, the regulation contains only a few actual references to data security. Article 32 mentions the need to have “appropriate” technical and organisational measures in place to ensure a level of security “appropriate to the risk” and quotes “inter alia” a few possible measures (pseudonymisation, encryption, etc.), but that is almost the only specific reference to security in the whole text.
The “appropriateness” of the technical and organisational measures in relation to the risk has to be understood in the context of Article 32, i.e. “taking into account” the elements listed in the article:
• “The state of the art
• The costs of implementation
• The nature, scope, context and purposes of processing
• The risk of varying likelihood and severity for the rights and freedoms of natural persons”
Article 32 also cross-references Articles 40 and 42 and allows the use of approved codes of conduct and certification schemes to demonstrate compliance, but those won’t be in place for a while given the way approval is described in the mentioned articles.
Beyond the lack of explicit definitions for the key terms (“appropriate”, “state of the art”) over which the guidance from the WP29 has shed little light so far, what does that mean in practice for the CISO?
Frankly, it should change very little in their practice: the GDPR simply seems to endorse a risk-based approach to delivering up-to-date security good practices to protect personal data. It is an approach that should already be in place in many firms to protect any type of sensitive data (personal or not).
Having security measures appropriate to the “nature, scope, context and purpose of processing” should be a perfectly normal way of working (you don’t secure an e-commerce website in the same way you secure a back-office in-house accounting system). And the reference to the “costs of implementation” is simply a reality check and hints at something which happens all the time in real life: every CISO will be used to having security measures rejected by their business on grounds of cost.
Information security good practices and risk-based approaches have been well established for the best part of the last 15 to 20 years, and most large firms would have had fully functioning security teams in place for the best part of that period and would have spent collectively billions on security products and consultants. So why would a CISO be worried?
CISO and DPO: Allies or enemies?
Could it be that in spite of the billions spent, little demonstrable alignment to security good practices was actually achieved in real terms over the past decade in many large firms? (there is ample anecdotal evidence of that surrounding the Wannacry ransomware outbreak in May 2017).
Outside already regulated industries (where the role of compliance and audit departments has been better established for a long time), could it be that the CISO is now worried that they will have a DPO “breathing down their neck”, and that the threat of massive fines is going to change the managerial dynamics of the game in favour of the DPO, who – in addition – benefits from a somewhat protected regulatory status?
Of course, it depends on the profile of the individuals involved, and since 2015 we have analysed several times the profile of CISO roles, their reporting lines and the type of interaction they can drive across large firms.
Where the CISO role is positioned as a “Change Agent” (in the language of those earlier articles), there should be little friction with the DPO and the GDPR offers fundamental levers to the transformational CISO.
The DPO is likely to be a new player in the security governance game, and it could be that he/she brings a different outlook and a different background to the table (very often it is likely to be somebody with some form of legal training).
The DPO will face many challenges similar to those faced by the transformational CISO around driving cultural change and engineering new dynamics around “privacy by design”.
Working together, they can be strong allies if they manage to build and push from different angles a common transformative agenda and create together the structures they will need to demonstrate GDPR compliance (for the DPO) and ensure the adequate protection of information assets (for the CISO).
Where the CISO role is positioned as a “Firefighter” or a “Figurehead”, the situation could be quite different: in both cases, the DPO could start demanding answers to difficult questions about the actual structure of their practice or its tangible output, and their relationship could become complex.
In all cases, the GDPR brings an opportunity to rethink Infosec and where necessary make it work better.
The role of the CISO is often the result of organic evolutions going back a decade or more. The new role of the DPO cannot exist on its own and will require a proper governance model to function and bring value to the whole organisation, despite its imposed independence.
They need to converge into a coherent operating model which builds on positive interactions between the functions, while respecting the constraints of each.
This is a considerable challenge, in particular in large firms, but a necessary one, and absolutely key to ensuring ongoing GDPR compliance post May 25th and adherence to the “privacy by design” objectives which are at the heart of the regulation.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.