Chief Information Security Officers (CISOs) and Chief Privacy Officers (CPOs) work closely together to ensure that information within an organization is properly secured and protected, as well as appropriately controlled and used. While ideally CISOs and CPOs would be tightly coupled, in many cases friction arises between these leaders and their teams. CISOs and security teams are often overloaded dealing with potential cyber attacks, underfunded, and may generally feel underappreciated within the business. CPOs and privacy teams, meanwhile, may be excluded from incident process design and from decisions about technology approaches and investments, and may feel technically unsure when they interact with the security team. Even so, CISOs and CPOs have a lot to learn from each other. This first post in a series explores what those in the CISO role can learn from their privacy partners.
Attorney-client privilege is tenuous at best
Those emails with an attorney-client privilege header aren’t doing much by themselves. A common belief among security professionals is that simply having an attorney copied on, or involved in, a process or workflow ensures it is protected by attorney-client privilege. This is far from the truth, as seen again in the recent ruling against Capital One, where a court ordered the company to produce its forensic incident report to plaintiffs. Courts continue to refine what constitutes privilege between the in-house legal team and the employees and officers of the organization, as well as between the organization and outside counsel. For example, courts have ruled in many cases that communications mixing routine business matters with legal advice are not protected.
Privilege ultimately comes down to how well you can demonstrate that the actions you took were directed by the legal team for the purpose of obtaining legal advice, and that the activity between teams went beyond routine business activities. The bottom line is that CISOs cannot assume their incident response process is protected just because the privacy team and Chief Privacy Officer are in the loop on incident handling processes and tickets. At the same time, holding conversations outside of tickets and outside of a documented process will not build up the proof that may be needed to convince a judge that the response to an incident should be protected by privilege.
Every incident matters
It’s well known that security teams are typically overloaded with work and strive to push through any potential incident as fast as possible, moving from detection to closure rapidly and using automation to lower the threshold for human involvement in the response. The privacy team differs in its approach: it typically requires more careful consideration of complex legal and contractual obligations, because the organization is exposed to damages and lawsuits over what may look to the security team like the smallest of incidents. This is particularly true given well-known regulations like GDPR, which has a low threshold for notifying government regulators, and newly enforced ones like CCPA, which adds a private right of action and statutory damages for breaches. Teams ultimately need a process that is less turn and burn and instead more deliberate, well-planned, and ideally comprehensively practiced. A great example is proactively developing a comprehensive communication strategy so the organization is prepared to handle data breaches of any size.
Security teams seem like a black box to their peers
It’s unclear whether security leaders are aware that in many organizations the rest of the leadership “teams up” to get what they need from the security team during an incident. From legal to operations to communications, these teams will go as far as meeting regularly without security to work out the answers they need and the steps they will take together to make good decisions for the organization, outside of the operational and largely technical bubble that security teams tend to live within. Risk is clearly a key tenet for both security and privacy, and CISOs can use this shared ground to reach out, create dialogue, better understand the lens through which the CPO and other peers view incidents, and gauge how to improve the relationship. Improving communication between CISOs and their peers lowers the organization’s overall risk while also helping to retain and attract customers and improve the bottom line.
Time is of the essence when it comes to privacy
Most security leaders are by now aware of the 72-hour deadline that GDPR sets for reporting incidents to regulators. What many are not yet aware of is the multitude of contractual obligations the CPO must consider, and potentially act on, for reporting the organization’s incidents to partners and customers whose data may have been, or definitely was, involved. The deadlines those partners and customers face for notifying regulators, set by regulations like GDPR and Vermont’s recently amended breach notice act, may be treated as starting when your organization discovers the incident, even though they aren’t aware of the incident’s existence at that point. For this reason, many contracts between businesses now include clauses requiring even tighter notification timelines, to give the other company enough time to act and meet its own deadlines. The privacy team therefore needs to learn of potential incidents as fast as possible. This does not run counter to the previous points: the lesson is that teams need to strike a fine balance between speed and care.
Security processes and technologies aren’t optimized for privacy
Ideally, teams should work together to design a comprehensive incident response plan and process that treats privacy requirements as a key element. These include the regulations that apply to your company and all the contractual obligations in your agreements with customers, suppliers, and business partners. The plan and process should also cover any compliance frameworks you are certified against or use as guidance, as well as the policies the organization has put in place. In addition, the team should practice the process regularly so that it is tested easily and often, especially since these obligations frequently change over time.
Current processes and technology solutions commonly used for incident management and response do not meet this bar, which is part of the reason organizations ultimately spend huge sums of money responding to data breaches. The solution is an automated and dynamic platform for proactively preparing for incident response, one that centralizes and ties together the actions required by the broad set of privacy obligations across the variety of incidents that might occur. The fastest way to achieve this goal for the long term is implementing the BreachRx platform as part of a best-in-class program for effective incident management and response.
Our next post in this series will explore what CPOs can learn from CISOs.