1/22/2020, 02:00 PM
Rajesh Ganesan
Commentary

Why DPOs and CISOs Must Work Closely Together

Recent data protection laws mean that the data protection officer and CISO must work in tandem to make sure users' data is protected.

With strict data protection laws in place around the world (including GDPR and CCPA), it's vital that the data protection officer (DPO) and CISO work closely together. Although part of the DPO's job is to audit the CISO's security policies, it is essential that the DPO and CISO have a good rapport. Essentially, CISOs are concerned with security and confidential data, and DPOs are focused on privacy and personal data.

The CISO examines security issues from a business and operations' standpoint. While bolstering an organization's cybersecurity posture, the CISO strives to ensure that all company information is securely processed. The DPO is primarily concerned with how the organization handles personal data. This can include data minimization, communication with data subjects, rights management, storage minimization, data collection, and data processing.

Data Minimization
One of the DPO's main goals is to ensure that no unnecessary customer data is processed. If any personal data is processed, it should not be kept beyond a certain date (as per the commitment mentioned in the privacy policy), and customers must be informed about the nature of the data processing.

Data minimization involves storing less personal data, which shrinks the overall attack surface. This is important when it comes to the collaboration between the DPO and CISO. With the DPO helping to minimize the amount of collected data, the CISO is able to maintain a higher level of security.

For example, perhaps your organization issues a sign-up form that asks for an email address, phone number, and Social Security number. The CISO will mostly be concerned with how the data is protected. Conversely, the DPO will likely ask questions such as, "Why are we even collecting this information?" and "Do we need to process (store, use, or transfer) this data?" By asking questions like these, the DPO helps the CISO's security team effectively — and proactively — protect data.

Create an Activity Register
In modern digital organizations, there are many data flows coming from a variety of different sources. By creating a register, the DPO can help the CISO monitor the various data flows. An effective activity register will answer questions such as "Where exactly is this information being used?" "Who is using it?" and "To whom is this data being transferred?" Again, the CISO is interested in this information from a security standpoint, and the DPO has privacy concerns.

During the creation of an activity register, assess whether the data is personal in nature. Sometimes, whether the data is personal depends on the context. For example, perhaps a customer only provides a company with her home address. If this home address can be traced back to the individual, then it's personal data. Due to nuances like these, it's helpful to have a DPO with a legal background.

Data Protection by Design
Another way that the DPO and CISO can effectively work together is during product inception. By working closely with an organization's developers, the DPO and CISO can proactively build data protection into the company's products.

For example, during the creation of essential and nonessential cookies, the CISO will have concerns related to security vulnerabilities, and the DPO will have privacy concerns. From a security perspective, the CISO wants to ensure that the essential cookies — those used for tracking logged-in sessions and providing user-related functionality — are protected. This way, no impersonation can occur.

And from a privacy perspective, the DPO will be concerned about nonessential cookies, such as advertising cookies used to display ads. The DPO must ensure that the list of cookies is displayed to the website users, and that users can opt out of some cookies without significantly degrading website performance.

Thus, close collaboration between the CISO and the DPO during the cookie creation process can be effective from both a privacy and a security standpoint.

Handling Breaches and Privacy Violations
Another instance in which DPOs and CISOs should work closely together is in the event of a data breach or privacy violation. Incidentally, these are often disparate events. For example, perhaps a customer is given a contact form, and the phone number is used later to sell him or her a product. If there was not a link to the privacy policy on the contact form, this would be a privacy violation, but not a breach. Alternatively, perhaps there was a data breach; however, only source code was stolen. This would be a data breach but not a privacy violation.

Nevertheless, to assess the situation, the DPO and the CISO should closely collaborate. This is especially important during a breach, as fines can be incurred if the company doesn't alert authorities about an incident in time.

Impact Assessments
After a breach, organizations should conduct a risk assessment during which the DPO functions in an advisory role. In addition to auditing the CISO's existing security infrastructure, the DPO should offer advice for the future. With the help of the CISO, the DPO can answer questions such as "Can an incident like this happen elsewhere?" "How can we protect against this moving forward?" and, most importantly, "Should we be collecting this personal data at all?"

Conclusion
By working closely with the CISO, the DPO can help secure data more efficiently by ensuring that only the most necessary data is collected and that customers are kept well-informed about how their data is transferred and used. With the DPO and CISO working together, data can be transferred from one place to another securely and legally, greatly reducing the chance of a security breach occurring and ultimately helping the organization save time and money.

Rajesh Ganesan is Vice President at ManageEngine, the IT management division of Zoho Corporation. Rajesh has been with Zoho Corp. for over 20 years developing software products in various verticals including telecommunications, network management, and IT security. He has ...