The International Association of Privacy Professionals (IAAP) and (ISC)² recently collaborated on a pair of webinars , bringing a panel together to shine a light on the intersection of cybersecurity and privacy. After looking at the landscape in the U.S., we now turn our attention to Europe. The conversation brought together conversation Isabelle Roccia, IAPP managing director Europe, Christian Toon, CISO at Pinsent Masons Law Company, Anna Zeiter, CPO at eBay and Ilias Chantzos, global & privacy officer at Broadcom.
The reality of data breaches is causing the structure of corporate management to rapidly evolve. The traditional model was that the different financial, legal and technical disciplines were separate specialisms that reported to or were part of boards. While this remains true of some organizations, the walls between them are breaking down. This is especially true for CISOs, a role that is acquiring new responsibilities and prominence within corporate structures.
Security vs Privacy – Can They Work Together?
In large enterprises such as eBay, the privacy and cybersecurity teams are separate with different lines of reporting, explained Anna Zeiter, chief privacy officer for eBay. “But there is no security without privacy and no privacy without security.” The roles and responsibilities are separate but clear.
Historically, organizations have geared themselves around information security with privacy being a more recent innovation. And the idea that the two disciplines could work together was also unfamiliar, said Christian Toon, CISO for Pinsent Masons Law Company.
“Only 3-5 years ago, teams were at loggerheads because security teams wanted to monitor everything without telling anyone. If they told anyone, then others would know what they were monitoring and how to circumnavigate those controls. But the privacy argument is around empowering employees and being transparent in those controls.”
A trend he is seeing within clients that have experienced a breach is that they are aligning the CISO and general counsel (legal) roles more closely with one another. He welcomes the convergence of these two disciplines.
According to Ilias Chantzos, Broadcom global & privacy officer, the roles are symbiotic. They need to be best friends. In the end, the security teams need the guidance of privacy teams to execute what is expected of them. He sees security teams as the “armed response” responsible for technical changes. Enforcing security controls is impossible without them. Moreover, he believes that security must be the starting point for any organization looking to have a good privacy setup. Most importantly, having security-privacy processes in place isn’t enough; they need to be tested in advance of an incident.
“We test them to understand how well they work, and to pivot and improve,” said Chantzos.
The big bang moment for privacy and data governance in EMEA and beyond was the advent of the General Data Protection Regulation – better known as GDPR. This turned what had once been seen as a system of security controls into one directed as much towards privacy, a completely different way of understanding data security.
“This is where you need privacy lawyers to understand the requirements.” These are then digested by the privacy team and handed over to the data security teams. “The CISO and the DPO need to be close friends…in the end we go hand in hand,” said eBay’s Zeiter.
Toon of Pinsent Masons believes that it’s never about one side leading and the other following but that both find a way to break down old-fashioned professional barriers and work together.
“For me, enforcement needs to be a last resort. If you need a stick approach, then the organization will not buy into it.” This will work for most people. However: “You do get people who won’t comply but at other times you might just need to turn their access off to systems because they are not compliant.”
Chantzos agreed, adding that to get buy-in privacy teams need to explain why it is in the interests for employees to comply. He also pointed out that many people don’t violate rules deliberately. There is a process of education that regulations such as GDPR leave to organizations to sort out. His hope is that technology and automation will, in time, perform some of the role of enforcement.
Zeiter suggested starting the security-privacy communication with a conversation. The first thing being to make sure you have a data breach response plan in place and that everyone understands who will conduct different parts of the investigation and who is communicating with the authorities and data subjects. At eBay, - admittedly a large company – a privacy team member is embedded with the security team. Alternatively, a shadowing program can be set up to allow someone from the privacy team to work with the infosec team on a given day or week. Over time, you build a common understanding.
“Start with cake,” advised Toon. “Sit them down [infosecurity and privacy teams] and you’ll suddenly start to see the commonality between the two teams.” That will bond infosec and privacy, but they need to consider who else they can take on this journey, for example the CIO being interested in a data governance program that will reduce the quantity of information storage.
“Anyone telling you they’re operating in 100% compliance is very much lying to you,” contended Toon. More realistically, it’s about managing risk, even if that’s only going to be 70% compliance. Managing compliance is very difficult across multiple jurisdictions at any one time. “If you do get that 100% compliance, chances are that your business will grind to a halt.”
Chantzos noted the “regulatory inflation” that is a distinct part of doing business in the E.U. He predicts this will grow, taking in not only security and data but things like artificial intelligence (AI). This can lead to regulatory contradictions, which privacy professionals need to be aware of. Compliance needs to adjust itself to this issue and not end up trying to resolve irreconcilable contradictions.
“It’s our job to make sure that we point to these contradictions,” said Chantzos. “In the end, having a system that results in multiple overlaps doesn’t deliver legal certainty and delivers the exact opposite.”