NTSC Blog

CISOs Should Take a Nod from Article 38

By Donna Gallaher, CISSP, C|CISO

While the US debates new privacy regulations modeled after the EU’s General Data Privacy Regulation (GDPR), other aspects of GDPR may solve several of the CISO’s key challenges. The GDPR not only requires companies to appoint a Data Protection Officer (DPO) responsible for a company’s privacy program (similar to the way a CISO is responsible for a company’s security program) but it also mandates special protections for the DPO. If you can’t have data privacy without security, it follows that CISOs should have similar protections as Data Protection Officers. This article describes some of the DPO protections detailed in the GDPR that may apply to CISOs.

Protections Against Conflicts of Interest

According to K logix, more than half of CISOs report to the Chief Information Officer (CIO) despite recurring concerns over potential conflicts of interest. CISOs often find themselves advising their boss about IT organization weaknesses, which leads to potential conflict. Because the security function spans the entire organization including HR, legal, compliance, facilities, insurance, product development, and other areas, obtaining funding from the CIO’s budget for programs outside of the CIO’s domain can be challenging. The CISO may need to seek funding from multiple departments to fully remediate any discovered security gaps.

This conflict between a CIO and CISO may tempt some organizations to just subsume the CISO’s duties under the CIO, but the benefit of appointing a CISO is well documented. The 2017 Ponemon Cost of Data Breach Study reports that the average per capita cost of a data breach can be reduced from $225 per record to $217.10 per record (a $7.90 decrease per record) by appointing a CISO. State laws such as New York’s Department of Financial Services Cybersecurity Law (23 NYCRR 500) now require the appointment of a CISO for compliance purposes. One might assume that a CISO’s professional code of conduct leads to independence from a CIO, but whenever internal pressures influence the way an individual does their job, conflict naturally exists—and current law does not require that the CISO be free from conflicts of interest within the company’s reporting structure.

Although K logix reports a recent shift toward more CISOs reporting to CEOs, which resolves the potential for conflict of interest, that shift is not yet mandated by US law. Article 38 of the General Data Privacy Regulation describes several protections afforded to the Data Protection Officer (DPO) and requires that “the data protection officer shall directly report to the highest management level of the controller or the processor” and “…the data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests…” Similar language in federal cybersecurity legislation may resolve this continuing problem of conflict between CISOs and CIOs.

Required Resources and Funding

I’ve seen many job postings for CISOs that include “hands-on” work experience in addition to governance and strategic duties, or that ask the CISO to function in more than one role. However, training and professional development budgets are often the first to be cut in a crunch, even with a negative unemployment rate in cybersecurity. To resolve this problem in the EU, Article 38 mandates that companies “…shall support the data protection officer in performing the tasks […] by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.”

While companies can debate what resources are “necessary” versus “nice to have” based on risk appetite, benchmarking data exists for both budget and staffing levels by industry and company size. Good third-party oversight programs for key suppliers are already in place to examine the adequacy of the resources available to support the supplier’s security program, and so partners are asking companies to demonstrate “adequacy.” Information security legislation with some type of “adequacy of resources” language would effectively make demonstrating staffing and resourcing decisions a compliance requirement benefitting the security industry.

Protected Status of the DPO

Infosecurity Magazine reports the average tenure of a CISO as 18 months and uses the colorful and descriptive acronym “Chief Infosec Scapegoat Officer” in describing the role. In the local job market, I have heard CISOs refer to their constant transition in and out of roles as “musical chairs,” with each CISO taking a turn as a previous CISO leaves a company for one reason or another. As the name implies, the CISO is often the scapegoat for a data breach and may be forced to leave the company.

For those CISOs who voluntarily leave, the ESG/ISSA research report, The Life and Times of Cybersecurity Professionals, reports that the reasons include the company not supporting a culture of security, a lack of engagement with executive management and/or the board of directors, or the company not providing adequate resources for the security program. In some cases, a CISO may be pressured to compromise their integrity to keep their job. In addition to the “adequacy of resources” language mentioned earlier, Article 38 speaks to this problem by requiring that “…the data protection officer does not receive any instructions regarding the exercise of [their designated] tasks [and] shall not be dismissed or penalised by the controller or the processor for performing his tasks.”

Through the GDPR legislation, the European Commission designated the DPO as a quasi-regulatory post with dotted-line reporting to a member state government agency called a “Supervisory Authority” (SA), which uses the DPO to serve in an enforcement capacity. While I recognize that this type of organizational structure for a CISO may lead to an adversarial relationship with the rest of the company and ultimately hinder the transparency and collaboration essential to the success of a security program, it certainly does drive home the point that we should protect the position of the CISO. To execute this idea in a more palatable way, US companies may consider requiring that a company’s D&O insurance cover CISOs and provide compensation or protected status when the CISO did their job of advising the company about relevant risks.

Conclusion

As a cybersecurity executive, I am glad to see a new respect for data privacy in the US and the impact that GDPR has had on the security industry. The Cambridge Analytica scandal may have served as the catalyst for launching this national debate, and the US is looking to the EU for possible solutions through the GDPR. Because of the important relationship between privacy and security, state and federal governments should consider protections not only for consumers but also for the professionals who support the security programs that protect consumer data when crafting new legislation.

What do you think? Please contact the NTSC at info@ntsc.org and reply to this article to let your voice be heard.