How Should the CSO Work With the Chief Privacy Officer?

The chief security officer needs to be in constant communication with the chief privacy officer about what's working or not working.

Question: How should the Chief Security Officer work with the Chief Privacy Officer?

Chris Bush, Chief Customer Officer at Black Kite: You'll find both a Chief Security Officer and Chief Privacy Officer in heavily regulated industries like pharmaceuticals, finance, and insurance. The CPO is typically responsible for covering scenario situations, policy, and protecting personally identifiable information. The CSO is typically responsible for creating procedures, creating policy, and then implementing technical controls to actually secure everything. So while you can see the delineations and recognize each function is mutually exclusive in their respective disciplines, the CSO and CPO have to come together in several important areas. That would include regulatory issues like the European Union's General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other state and international mandates which demand such expertise. Both the CSO and CPO need to work together on policies to deal with regulatory issues in order to secure the desired outcome. Creating policies without any mechanism for control is useless.

When it is working well, the CSO and the CPO both understand each other's function as well as the requirements for the company. They do that by understanding where the responsibilities are siloed and where the responsibilities need to be harmonized. They need to be in constant communication about what's working or not working.

For the business, harmony between the two Officers leads to a strong understanding of how regulations designed for industry translate into business requirements as well as how they influence tangible technical controls. Furthermore, the company should have a measure for the success of both the controls and the policies to ensure regulatory compliance and internal effectiveness.

You don't want a CPO going in and implementing those tangible technical controls. So they need to be engaged with the CSOs who are ultimately responsible for implementing policy and systems that are aligned with privacy policy and regulatory requirements. For the good of the company, it's necessary for them to be in lockstep.