Gartner Blog Network

Action-Reaction-the Blame Game. Please Play it Right.

by Bart Willemsen  |  February 24, 2020

When a high-profile breach occurs, one thing seems to become increasingly certain: the CISO may have to look for another employer. Is that fair? In privacy, a discipline learning fast from the evolution of the security pitfalls over decades, I hope this won’t become a trend. Of course, the privacy leader must be a demonstrable expert, and we need to separate the wheat from the chaff and unmask charlatans, of which there are enough already. Every now and then, such as in South Korea recently, someone is found personally liable for whatever reason. In the EU, an officially installed DPO has a certain level of protection against being fired. But that may not be enough.

You see, regulations are most often a reaction: a reaction to prevent recurrence of something undesired, or at least a reaction to an underlying (potential) problem. I’d like to explain by referencing an example seen in São Paulo, Brazil. Something very bad must have happened in 1997, as demonstrated by provincial law #9502/97. This law mandates that a warning sign be placed next to the entrance of every elevator in the state. Roughly translated from Portuguese, it reads:

“Before entering this elevator, please make sure… that it is there.”

I believe the correct response is LOLWHUT?

Something is wrong or (potentially) dangerous. As a reaction, a law is passed. Organizations respond to that reaction. That is not conducting strategic business very proactively, is it? And while innovations continue to increase in number and speed, the legal system and enforcement lag behind. Many organizations lag behind even more as they await ‘what to respond to’. Every now and then someone looks ahead, sees potential danger and attempts to guide innovation to a certain extent. But the essence of a successful privacy or security program lies primarily elsewhere: Who is to blame?

If expectations were set correctly and everyone ‘did their job’: Not the CISO. Nor the DPO.

Bart’s law #4: Every organization is in the business of going from A to B. They could walk there, or look at the CIO/IT Exec and ask for a car, if you will, to get from A to B faster. Here is where things go wrong: Who has to pay the ticket when the car was found breaking the speed limit? Who is at fault when, facing a traffic jam, the brakes were hit too late because of cellphone distraction? Neither the car nor the dashboard manufacturer.

To simplify: CIOs and IT Execs are responsible for delivering a road-legal vehicle. New law demanding crumple zones, a third brake light, or prohibiting tinted windows? Make it so. The CISO ensures the brakes, seatbelts and airbags function, and hands over relevant information to the driver. The DPO adds to the dashboard of risks and speed-sign recognition functions that feed the adaptive cruise control. Both can even show more profitable and safe routes on the satnav and (suggest to) redirect a little. But accountability should be placed where it belongs:

With the driver, i.e., with the decision-making business.


PS: If you want to know what to expect from your CISO or your Privacy Officer, or how to position yourself as a good one, check out Gartner’s toolkits for their job descriptions, the ‘First 100 Days’ documents for the functions, or even use the Gartner ITScore for Privacy to assess where you stand.


Bart Willemsen
VP Analyst,
4 years at Gartner
11 years IT Industry

Bart Willemsen is a VP Analyst with focus on privacy compliance, risk management and all privacy-related challenges in an international context. With detailed knowledge of privacy in various jurisdictions, he's also proficient in security and risk management strategies.
