With the focus on data privacy at the institutional level continuing to gain traction across the globe, it is important for companies to understand how these (potential) changes will affect their IT department. With that in mind, I thought it good to start with some of the foundational concepts regarding data privacy. Specifically, what do the key players actually represent, assuming they are properly vetted and sourced to fill the correct business needs within the enterprise? Today I will discuss three of the key leadership positions and the ideals and focus of each – in a perfect (well-funded) IT department.
Chief Technology Officer/Chief Information Officer (CTO) – The CTO, also known as CIO, is the head of the company’s technical assets
The CTO’s focus should be on making certain that the enterprise is running as smoothly as possible and is set up to support the key business objectives. Depending on the size of the company, the departments under the CTO umbrella have a wide range of responsibilities, each involving some aspect of building and supporting electronic products and/or business processes. In a nutshell, the CTO is the person who translates the executive plans for the company into “technical speak” and controls how the IT-related staff works to support those executive plans.
Chief Information Security Officer (CISO – See So) – The responsibility of this position is the integrity of the technical systems
The CISO, in most situations, will report to the CTO. IT security is the primary driving point of this person/department. Again, depending on the size of the company the title may change some (Director of IT Sec, VP of Cybersecurity, etc.), but the function will remain the same. A number of companies I work with also “outsource” some of the work to internal operations or third-party companies to manage the day-to-day efforts, while the CISO serves in an oversight and advisory role. Where and how the work gets done is less important than making sure that it is done correctly. This group also tends to be the primary point of contact when working with external auditors/assessors on compliance-related efforts.
Data Privacy Officer (DPO) – Tasked with representing the customer’s interest within the environment
This is a relatively new position that is quickly becoming one of, if not the most, important leadership positions in the enterprise. It also approaches its mission from a very different angle. The Data Privacy Officer’s main focus is on the integrity and management of the customer data. I know what you may be thinking right now. “Didn’t you just say that was the job of the CISO?” Well, yes. I did say something similar to that. Let us look again. The DPO’s main focus is on the integrity and management of the CUSTOMER DATA. There are two subtle differences in the approach between a CISO and a DPO.
- Customer Data – The DPO’s approach is that of a representative of the customer. Their job is to make certain that the company isn’t doing anything that places the customer at risk or acts in a way that is outside of the agreed-upon terms between the company and the customer who provided their personal data. This is a direct response to the focus of privacy acts and regulations popping up around the globe, such as GDPR (EU privacy) and CCPA (California), and the expectation that many more governments will pass similar laws.
- Hierarchy – Typically the DPO is outside of the IT department. While they are a technical resource and require technical knowledge to do their job properly, because they are a voice on behalf of the customer they usually report outside of IT. This avoids conflicts or internal pressure that may sway them from doing their job correctly out of fear of losing it. In larger companies the DPO will report to the legal department. In companies that don’t have a legal department in house, they can also report directly to the President/CEO. Of course, that does not mean there is a need to do a reorg if this isn’t how the structure works within your company. If things are working well and the DPO is a rockstar – then don’t fix something that isn’t broken.
What does this mean for the data privacy needs of your organization?
To be honest, I cannot give a specific answer on that (without talking to you). My best suggestion would be to have a round table discussion with the leadership of your company, confirm that you have someone designated as the “voice of the customer,” and get them trained on how the relevant security regulations will affect your business operations. You can also hire a DPO. According to ZipRecruiter, the average salary for a DPO (as of Oct 2020) is just under $90,000. This is a national average, so cost will vary drastically based on the market. You can also hire consultants if looking to save money on annual spending. You could probably get a good privacy consultant for a third of the cost of a full-time DPO, who can work with your IT and HR leadership to build, design, and implement your privacy program in a compliant manner in all areas where you do business.
Regulations can often be confusing, and many organizations are left unsure which regulations apply to them. To assist with this process, we’ve created a CCPA screener survey to help you determine where your organization stands. To complete the survey, click below!
CLICK TO TAKE OUR SURVEY – Know Where Your Business Stands
Shawn Adams is a Senior Security Consultant at SecureTrust and an active member of the IT security community. In his role at SecureTrust, Shawn works primarily with enterprise-class clients to improve the maturity and effectiveness of their security programs. He also helps his clients build stronger governance and culture practices to reduce overall risk and advance key business objectives through security measures.
Prior to SecureTrust, he spent over 25 years in IT operations and architecture roles. Most of this time was in leadership positions where he worked with executives in organizational development efforts and in client-facing communication and incident management positions. Shawn holds the QSA, CISA, CISM, and CDPSE certifications and an MBA with a focus on IT management. He can be reached for additional questions on Twitter at @Shawn_writes.