The first post in this series explored the five things Chief Information Security Officers (CISOs) can learn from Chief Privacy Officers (CPOs). Even though privacy and security teams sometimes struggle to understand and integrate their operations, their common mission to reduce risk is a bridge between the two functions that companies should use to their benefit. Given this shared objective, CPOs and CISOs have a lot to learn from each other, and this post explores what CPOs can learn from their security partners.
Companies know that privacy and security specialists are valuable, and CISOs in particular have learned over the last two decades that talent is scarce and their teams must be augmented with technology and data automation to succeed in protecting their organizations. Today, CPOs are facing similar challenges.
Invest in Individuals
A key challenge that security leads have faced for more than a decade is their struggle to find and retain talent. It will surprise few to learn there are frequent reports that the field is short thousands to even millions of professionals. CISOs have worked creatively to solve this problem by identifying and investing in motivated people with a variety of different educational backgrounds possessing the right fundamental abilities to succeed in specific roles – including necessary but less-skilled roles where security leaders provide on-the-job training and the experience necessary to move up the ranks.
For example, teams commonly find new members from diverse backgrounds, even some without university degrees, who possess strong skills in logic and pattern matching, and place them in a security operations center as tier 1 analysts. Similarly, CISOs have sourced talent from other data and technology professions, given the ease with which those people can add security as a secondary skillset on top of their existing technical understanding.
Privacy team leaders are beginning to face similar challenges with scarcity of talent, but the industry has not yet recognized the depth of this challenge and in many cases still defaults to finding and employing legal professionals for these positions. The shrewd CPO will get ahead of this challenge now, before the market gets even tighter, by determining which roles on the team can be filled by non-legal professionals and aiming to fill them with people from technical and other more diverse backgrounds. One excellent pool of ready candidates is people with compliance, risk, and security backgrounds. This is also an excellent opportunity to hire women and underrepresented minorities, improving cultural diversity and adding breadth to the team’s thought processes and approaches.
Evangelize the Risk
Business leaders from executives to the board have only recently recognized that security represents a true business risk, and many industries are still learning these lessons. Over the last five to ten years, CISOs and security leaders have focused extensively on shifting from a technology focus to a business focus, which has made them more successful at helping their leadership understand security risks and invest accordingly.
Privacy leaders need to grow and partner with their business leaders. Most business leaders do not understand non-security-related privacy risks, nor do they fully grasp the potential impact of losing customer or partner data, including damage to the brand and loss of customer trust. CPOs need to find opportunities to explain their challenges to their leadership and board using specific case studies or examples that resonate with a business audience and are calibrated to the organization’s risk appetite. In addition, proposing a comprehensive plan for implementing a privacy program – including objectives and key results targeted at lowering the organization’s risks – will go far toward building trust with executive leadership and securing dedicated investment.
Operations and Strategy
In the past, security leaders tended to focus on one facet of their team, technology and operations, rather than balancing that with business and strategy. For example, they dove deep into developing their team’s processes at the expense of their strategy, leaving them scrambling to react to major shifts in the adversary landscape or to business changes like an acquisition or a major new office in a new geographic region. Today, the modern CISO puts time and focus on both areas, and CPOs similarly need to find the bandwidth to balance their time and focus across them.
Given the nature of the privacy office as a policy- and regulation-oriented function, without deliberate time and focus CPOs will lean toward strategy and risk rather than operations. This orientation can come at the expense of the team’s operational execution, which can have significant consequences in a crisis like a data breach. Unless the privacy function is properly aligned and resourced, it will likely find itself overwhelmed and spending heavily on outside counsel and consulting firms.
To strike a better balance between operations and strategy, teams can focus on collaboration and link the security function’s operational strengths with the strategic and policy strengths of the privacy team. From there, breaking the response strategy down into discrete tasks within the incident response plans, and then practicing those tasks in tabletops and other simulations, will improve readiness for an incident and drastically reduce risk to the enterprise.
Understand the Data
The security community now excels at understanding and using data within its processes and technologies. Practitioners and leaders in security quickly recognized that the only way to put technology automation in place was a common means of data exchange. To that end, data standards are increasingly prevalent in security, ranging from the Vocabulary for Event Recording and Incident Sharing (VERIS), the Common Event Format (CEF), and the Open Vulnerability and Assessment Language (OVAL), to the Cyber Kill Chain, Structured Threat Information Expression (STIX), and MITRE ATT&CK. Ultimately, the development of these frameworks drove cross-platform interoperability among vendors, which let companies integrate their people, processes, and technologies both horizontally and vertically and gave breadth to their risk mitigation efforts.
Modern-day privacy experts are beginning to recognize the need for well-defined data formats, exemplified by explorations into proposed approaches such as the Privacy Ontology for Legal Reasoning (PrOnto). While such efforts are by no means a panacea, they do represent a starting point for a common language with which to communicate with their security and technical counterparts. Additionally, work like this is a necessary part of the long-term foundation for technology automation in privacy workflows.
CPOs and privacy teams are also increasingly defining the common types and elements of data they need to operate and to mitigate risk. While the emerging area of privacy engineering is focused on this problem, other teams are collecting key data without even realizing it. For example, privacy teams centralizing key data in preparation for incidents are likely including specific data elements to help them more quickly find what’s relevant during a data breach response – for example, tags and additional information kept alongside the core data in a spreadsheet. This additional data is directly relevant metadata, and if collected and centralized it would help accelerate the company’s response time and improve task prioritization and completion.
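The two ideas in the preceding paragraphs, a common event format on the security side and privacy-relevant tags kept beside the core data, can be shown together in code. The following is an added example, not code from the original post or from BreachRx: it parses a few constructed CEF lines (CEF is one of the formats named above) into structured records, resolves the CEF custom-string labels into named tags, and produces a worklist ordered so that the privacy team sees the PII-related events first. The vendor name, signature IDs, file names and the `dataClass` tag are all constructed for the example.

```python
"""Added example: parse Common Event Format (CEF) lines, attach privacy tags,
and build a prioritized worklist. Sample events below are constructed."""
import re
from typing import Dict, List

# Constructed CEF events. Header layout is
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|DLP|1.0|100|Outbound file transfer|8|"
    "src=10.0.0.5 dst=203.0.113.7 fname=customers.csv cs1=PII cs1Label=dataClass",
    "CEF:0|ExampleVendor|IDS|2.1|200|Port scan|3|src=198.51.100.9 dst=10.0.0.1",
    "CEF:0|ExampleVendor|DLP|1.0|101|Email attachment|6|"
    "src=10.0.0.8 fname=payroll.xlsx cs1=PII cs1Label=dataClass",
]

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]


def parse_cef(line: str) -> Dict[str, str]:
    """Turn one CEF line into a flat dict of header fields plus extension keys."""
    # Pipes inside header fields are escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    record = {"cef_version": parts[0][len("CEF:"):]}
    for key, value in zip(HEADER_FIELDS[1:], parts[1:7]):
        record[key] = value.replace(r"\|", "|").replace("\\\\", "\\")
    # Extension is space-separated key=value pairs; values may contain spaces,
    # so each value runs until the next ' key=' or the end of the line.
    for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", parts[7]):
        record[m.group(1)] = m.group(2).replace(r"\=", "=").strip()
    return record


def tag_for_privacy(record: Dict[str, str]) -> Dict[str, str]:
    """Resolve CEF custom-string labels (csNLabel/csN) into named tags and
    mark the event as privacy-relevant when it carries a PII data class.
    The 'dataClass' tag name is a constructed convention for this example."""
    tagged = dict(record)
    for n in range(1, 7):
        label = tagged.pop(f"cs{n}Label", None)
        value = tagged.pop(f"cs{n}", None)
        if label and value is not None:
            tagged[label] = value
    tagged["privacy_relevant"] = "true" if tagged.get("dataClass") == "PII" else "false"
    return tagged


def _severity(record: Dict[str, str]) -> int:
    # CEF severity is normally 0-10; treat anything non-numeric as lowest priority.
    try:
        return int(record["severity"])
    except (KeyError, ValueError):
        return 0


def privacy_worklist(lines: List[str]) -> List[Dict[str, str]]:
    """Parse, tag and order events so PII-related events come first, highest severity on top."""
    records = [tag_for_privacy(parse_cef(line)) for line in lines]
    relevant = [r for r in records if r["privacy_relevant"] == "true"]
    return sorted(relevant, key=_severity, reverse=True)


if __name__ == "__main__":
    for item in privacy_worklist(SAMPLE_CEF):
        print(item["severity"], item["signature_id"], item["name"], item.get("fname"))
```

The point of the example is the division of labour it makes possible: the security tooling keeps emitting events in its existing format, while the privacy team's metadata (the `dataClass` tag) rides along in the same records, so the two teams prioritize from one data source instead of reconciling spreadsheets during an incident.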
Ultimately, data like this should be a focus as it will support building privacy data formats and frameworks as well as help the greater privacy community create the foundation to drive interoperability among the technologies it uses.
Automation is Key
Major investments in technology automation have empowered security teams, allowing them to keep pace with an increasingly complex environment of ever more sophisticated adversary attacks. A brief and greatly simplified look at the history of security automation is illuminating. The security industry started with manual work and moved quickly to automate security controls, processes, and some workflows. From there, teams recognized that their work was strongly tied to security data, which led to security information and event management (SIEM) software and security analytics. These technologies coalesced with additional automation into the now ubiquitous security orchestration, automation, and response platform (SOAR for short), the new core of security operations.
Today, privacy is proceeding on a similar trajectory. While companies see the need to automate their privacy programs and implement technologies in areas like the discovery and identification of personal data and automating cookie and consent management, the industry has yet to fully embrace the opportunity to deeply understand their data and automate their key workflows to augment and empower their teams.
The BreachRx vision focuses on these issues to significantly mitigate the risk to the enterprise from privacy and security incidents and breach situations. Privacy, legal, and risk teams need technology solutions built with automation in mind to enable them to flexibly address their business needs and meet the tight timeframes and need for scale of successful incident management and response. BreachRx is an automated and dynamic platform for proactively preparing for and achieving readiness for incident response.
Teams can use BreachRx as a central system of operation to execute their response once the inevitable incident occurs to reduce risk and demonstrate best practice privacy incident readiness, all of which represents increasingly critical needs in response to regulators, partners, shareholders and investors, and most importantly, to their customers.