When a high-profile breach occurs, one thing seems to become increasingly certain: the CISO may have to look for another employer. Is that fair? In privacy, a discipline that is learning fast from decades of security pitfalls, I hope this won’t become a trend. Of course, the privacy leader must be a demonstrable expert, and we need to separate the wheat from the chaff and unmask the charlatans. Of which there are enough already. Every now and then, such as in South Korea recently, someone is found personally liable for one reason or another. In the EU, an officially appointed DPO has a certain level of protection against being dismissed. But that may not be enough.
You see, regulations are most often a reaction. A reaction to prevent the recurrence of something undesired, or at least a reaction to an underlying (potential) problem. Let me explain with an example seen in São Paulo, Brazil. Something very bad must have happened in 1997, as demonstrated by state law #9502/97. This law mandates that a warning sign be placed next to the entrance of every elevator in the state. Roughly translated from Portuguese it reads,
“Before entering this elevator, please make sure… that it is there.“
I believe the correct response is LOLWHUT?
Something is wrong or (potentially) dangerous. As a reaction, a law is passed. Organizations then respond to that reaction. That is not conducting strategic business very proactively, is it? And while innovations keep increasing in number and speed, the legal system and its enforcement lag behind. Thus many organizations lag even further behind as they wait to see ‘what to respond to’. Every now and then someone looks ahead, sees potential danger and attempts to guide innovation to a certain extent. But the essence of a successful privacy or security program lies primarily elsewhere, and so does the answer to the question: who is to blame?
If expectations were set correctly and everyone ‘did their job’: not the CISO. Nor the DPO.
Bart’s law #4: Every organization is in the business of going from A to B. They could walk there, or turn to the CIO/IT Exec and ask for a car, if you will, to get from A to B faster. Here is where things go wrong: who pays the ticket when the car is caught speeding? Who is at fault when, approaching a traffic jam, the brakes are hit too late because the driver was distracted by a cellphone? Neither the car manufacturer nor the dashboard manufacturer.
To simplify: CIOs and IT Execs are responsible for delivering a road-legal vehicle. New law demanding crumple zones, a third brake light, or prohibiting tinted windows? Make it so. The CISO ensures that the brakes, seatbelts and airbags function, and hands the relevant information over to the driver. The DPO adds risk indicators to the dashboard and the speed-sign recognition that feeds the adaptive cruise control. Both can even show more profitable and safer routes on the satnav and suggest a small detour. But accountability should be placed where it belongs:
With the driver, i.e. with the decision-making business.
PS: if you want to know what to expect from your CISO or your Privacy Officer, or how to position yourself as a good one, check out Gartner’s toolkits for their job descriptions, the ‘First 100 Days’ documents for these functions, or even use the Gartner ITScore for Privacy to assess where you stand.