News & Insights

Melanie Ensign

The Privacy Paradox. What’s a CISO to Do?


By Kristy Edwards, co-founder and Technical Advisor to PrivacyCode

People expect CISOs to be superheroes.  

They are expected to manage a highly complex tech stack while staying ahead of a perennially expanding volume of cyber threats. They often must do this while being understaffed, under-budgeted and under a lot of stress. 

And now, data privacy is also increasingly on the CISO’s mind - and in some cases, directly on their plate. This means that CISOs and their teams will need to get comfortable with different models and focus areas.

I’m going to explain why this is a good thing - for the security and privacy teams, and for the organizations they support - and how CISOs can work effectively with privacy teams, or in the absence of one, to improve their overall security posture. 

First, it’s helpful to understand how privacy and security have (or have not) worked together in the past, and how they interact today. 

Photo courtesy of #WOCinTech Chat

The Privacy Function: Moving From Siloed to Symbiotic

Historically, CISOs have been mostly insulated from the privacy function, and vice-versa. Privacy teams usually resided in the legal department, where they crafted policies and stayed abreast of new regulations. Meanwhile, the CISO and his or her team focused on strategic approaches to preventing breaches, engaging everyone from the Board to sysadmins and monitoring endpoints for indicators of compromise. If they engaged with the privacy team at all, it was when a new policy was handed off to them to “figure out” how to implement it appropriately in products or systems.

That started to change when the California Legislature approved SB 1386, which took effect in 2003 and requires businesses to notify California residents when their unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person. Because the duty to notify attaches only to unencrypted data, the law handed encryption at rest a direct business justification. Arguably, SB 1386 helped usher in a whole new generation of privacy regulations, and every other US state has since enacted a breach-notification law of its own. I was in a security executive role at the time and saw firsthand how this new regulation was a forcing function for the C-Suite and Boards to recognize that security controls are a business imperative.

In other words, a privacy law helped to elevate the posture of cybersecurity inside the enterprise.

Fast forward to now, when an explosion of cyber threats - ransomware, malware, nation-state attacks, you name it - and a patchwork of new privacy laws have emerged concurrently to make the CISO’s job highly fragmented. They can barely keep up with stopping breaches, let alone understanding and implementing the protections for different categories of personal data that these new privacy regulations demand.  

As this threat landscape has evolved and the amount of data in the hands of businesses has exploded, the structure of security and privacy teams has also changed.

Today, I see three scenarios for how privacy and security teams work together (with nuances within each).

  • Closely adjacent: In this model, privacy and security teams are “peer” groups that work together regularly. However, they have well-defined roles and boundaries. For instance, the privacy team might tell the security team that sensitive personal data must be encrypted at rest, but there is a very clear handoff point to security, who specifies the encryption algorithms and key lengths and leads the security review to execute this requirement. This model is more symbiotic - each team understands the value and role of the other and has processes and guardrails around who does what.

  • Combined:  Here the two teams work as one - the operational and technical elements of the privacy program are within the CISO’s domain and report into him/her, often with a dotted line to the CPO. I personally have run global privacy programs within this structure, which tends to exist in companies that are more “security forward” and understand the critical role of the privacy engineer within the security function.

  • Cobbled Together: In this scenario, privacy responsibilities are doled out across various company stakeholders. This is most common in small to medium-sized businesses that have not invested in full-time privacy staff. Various aspects of privacy may be an added responsibility for a variety of stakeholders, from a commercial attorney to a privacy engineer to an organization’s CISO. For these folks, privacy may be their 2nd (or 3rd!) job, and so keeping track of how new regulations and policies are deployed and enforced in their business can be particularly challenging. 
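The “closely adjacent” handoff above can be made concrete in code. The following is an added example, not code from this article or from PrivacyCode: the privacy team’s requirement (field, classification, required control) and the security team’s specification (algorithm, key length) are both written down as data, and a review function checks that the stored value actually satisfies both. The field name, the classification label, the health-note value and the Requirement/Spec types are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Requirement is what the privacy team hands over: a data field, its
// classification and the control it needs. It says nothing about algorithms.
type Requirement struct {
	Field          string
	Classification string // e.g. "sensitive-personal"
	Control        string // e.g. "encrypt-at-rest"
}

// Spec is the security team's side of the handoff: the concrete algorithm
// and key length that satisfy the control.
type Spec struct {
	Control   string
	Algorithm string // e.g. "AES-256-GCM"
	KeyBits   int
}

// Constructed example values (illustrative, not from any real program).
var healthNoteReq = Requirement{Field: "health_note", Classification: "sensitive-personal", Control: "encrypt-at-rest"}
var atRestSpec = Spec{Control: "encrypt-at-rest", Algorithm: "AES-256-GCM", KeyBits: 256}

// NewKey generates a random key of exactly the length the spec demands.
func NewKey(spec Spec) ([]byte, error) {
	if spec.KeyBits%8 != 0 {
		return nil, errors.New("key length must be a whole number of bytes")
	}
	key := make([]byte, spec.KeyBits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one field value with AES-GCM under key. The field name
// is bound as additional authenticated data, so a ciphertext cannot be
// silently moved to another column. Output layout is nonce || ciphertext.
func EncryptField(spec Spec, key []byte, field, plaintext string) ([]byte, error) {
	if spec.Algorithm != "AES-256-GCM" {
		return nil, fmt.Errorf("unsupported algorithm %q", spec.Algorithm)
	}
	if len(key)*8 != spec.KeyBits {
		return nil, fmt.Errorf("key is %d bits, spec requires %d", len(key)*8, spec.KeyBits)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), []byte(field)), nil
}

// DecryptField reverses EncryptField. It fails if the ciphertext was tampered
// with or is presented under a different field name.
func DecryptField(key []byte, field string, stored []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(stored) < aead.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := stored[:aead.NonceSize()], stored[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// CheckRequirement is the security review step: does the chosen spec answer
// the privacy requirement, and does the stored value really hide the plaintext?
func CheckRequirement(req Requirement, spec Spec, key []byte, plaintext string, stored []byte) error {
	if req.Control != spec.Control {
		return fmt.Errorf("spec covers %q, requirement asks for %q", spec.Control, req.Control)
	}
	if len(key)*8 != spec.KeyBits {
		return fmt.Errorf("key length %d does not match spec %d", len(key)*8, spec.KeyBits)
	}
	if strings.Contains(string(stored), plaintext) {
		return errors.New("stored value still contains the plaintext")
	}
	if _, err := DecryptField(key, req.Field, stored); err != nil {
		return fmt.Errorf("stored value does not decrypt under its own field name: %w", err)
	}
	return nil
}

func main() {
	key, _ := NewKey(atRestSpec)
	stored, err := EncryptField(atRestSpec, key, healthNoteReq.Field, "allergic to penicillin")
	if err != nil {
		panic(err)
	}
	fmt.Println("review result:", CheckRequirement(healthNoteReq, atRestSpec, key, "allergic to penicillin", stored))
}
```

The point of the split is that the privacy side never has to know what AES-GCM is, and the security side never has to re-read the regulation: a change on either side shows up as a failing CheckRequirement rather than as a meeting. The same shape works for other controls (masking, retention) by adding a Spec per control.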

I share this background because it can help CISOs who are struggling to “figure out how to work with privacy” envision a potential model. However, internal structure and division of labor go only so far. To succeed, CISOs need to understand that no matter how the function is assembled, today they sit at the intersection of data privacy and cybersecurity. And rather than be overwhelmed by that or wishing it will go away (it won’t), they should understand that collaborating with privacy teams and finding workable technical solutions can actually, paradoxically, make a CISO’s life easier.

Actions CISOs Can Take to Make Privacy Work for Them

When I say “make privacy work for them,” I mean that figuratively. Although in some instances, the privacy function may indeed report into the CISO, the intention here is for CISOs to shift their mindset and turn privacy integration and collaboration into an advantage for the security function writ large.  Here are some ways a CISO might want to approach the new realities of the privacy-security partnership.

  • Accept the new reality.  The protection of personal information is a security problem.  It’s true that data privacy focuses on how personal data is collected, used, and shared, while data security refers to the measures and technologies used to protect data from threats. The reality, though, is more complex. 

For instance, employee monitoring of email and other communication channels has employee privacy implications for the enterprise. How this monitoring is done in terms of tools and technology often lands with the security team - even though the notice and oversight requirements are the domain of privacy teams. 

And there’s the rub, for CISOs at least. Security leaders may have a larger team or have a seat at tables where the privacy leaders do not, but security itself is downstream of privacy. A new regulation or policy is born first, and then the security team needs to figure out the implications of that policy for a whole slew of scenarios such as this one. And if something goes wrong in the protection of data or how a privacy law or policy is implemented the buck will often stop with the security team.

By understanding, accepting and leveraging this current dynamic, CISOs can begin to find ways to even the playing field, so that accountability is shared between the functions, and the CISO’s posture is elevated to being more strategic and business-outcome focused.

  • Embrace collaboration - or pay the price. As mentioned above, security has been downstream of privacy. Today, they need to meet in the middle. Not only to protect an organization’s most valuable assets - its data and reputation - but because the C-suite and the Board expect it. Frankly, most Boards don’t really understand the difference between the respective roles and responsibilities of privacy and security. What they really care about is risk exposure.  

To manage that risk, a spirit of cooperation and collaboration is essential - as equal, respected partners (regardless of fancy degrees or technical prowess). There are significant benefits to both teams, but for the CISO it enables them to get off defense and take a more proactive role in managing risk in concert with their privacy counterparts. Even more important, by working together, the chance of something falling between the cracks is minimized. When these teams work in silos, it’s often at cross-purposes and even in competition with one another - for budget, attention and credibility. And we know how well that goes over within an enterprise. 

So what does “collaboration” look like?  As mentioned before, enterprises structure their teams in different ways. Depending on whether yours is closely adjacent, combined or cobbled together will often determine how easy or challenging it will be to work together. But don’t let org structure be an obstacle. There are many opportunities to collaborate independent of where a function resides.  

Incident response planning is a good place to start. Often breaches (which the security team manages) involve personal data (which the privacy team is charged with protecting). The two are also on the same clock: notification deadlines such as GDPR’s 72 hours to the supervisory authority start running once the organization becomes aware of a breach, so the privacy team’s assessment has to run alongside containment, not after it. Collaborating on your incident response plan - and doing tabletop exercises so that both entities are appropriately involved - is a great in-the-trenches-together way to team up and identify gaps, overlap and weak spots.

Another opportunity is to share strategies, even philosophies, of how you each approach your mission. This does not involve cross-training each other - privacy and security are still very different animals when it comes to expertise and daily responsibilities - but rather ensures there is an awareness and understanding of each other’s operating framework. For instance, the National Institute of Standards and Technology (NIST) publishes both a Cybersecurity Framework and a Privacy Framework, and the two are deliberately built on the same Core, Profile and Tier structure so that an organization can map one onto the other. If your organization adopts the NIST frameworks, coming together to understand the shared principles across functions may be beneficial.

The cost of not collaborating can be high. Financial penalties, reputational harm and loss of business can all occur when personal data is compromised. By structuring teams and processes in a way that enables an intersectional, collaborative approach, these problems can be avoided. 

  • Raise Your Privacy IQ. I get it. When you work in security you’re constantly inundated with information. But a little learning can go a long way to enable a more informed position when working with your privacy partners.

As more and more privacy regulations come into being, the potential fines and penalties for non-compliance will drive at least some of the security spend a CISO must make.

So how can you intelligently spend without a general understanding of laws like GDPR or CCPA? A CISO need not understand these laws in fine detail - that’s the privacy officer’s job - but some knowledge is essential to knowing how best to protect the data these laws govern.  

Likewise, privacy teams need to understand enough about tech solutions like MFA and zero trust to speak to technical teams in a language they can understand. Going further, CISOs can help CPOs understand what is involved in protecting data beyond legal requirements. In cobbled-together orgs, privacy responsibilities are distributed among security personnel and non-privacy lawyers, who may need more support (and spend) on privacy services or, increasingly, on skillfully-built SaaS platforms like ours that can fill in the gaps. 

  • Plan for a privacy-first future.  By now you’re acutely aware that people are serious about protecting their private information - and they have a strong partner in state and federal governments and regulators who take enforcement actions. And that, while the social push to protect an individual’s privacy has accelerated, the process to manage it from the enterprise has remained almost frozen in time - making your job even harder. 

However, CISOs have a secret weapon: significant expertise in acquiring and deploying technical solutions. Privacy teams, for the most part, do not. As you gain more insight into the privacy world and collaborate to secure personal data, you’ll likely see how privacy teams have tried to track their policies, programs and metrics using a variety of processes or tools. Perhaps you’ve been on the receiving end of these efforts - for instance, when product requirements from the privacy team were either not fully documented or an update to a policy wasn’t communicated in a way that the security team could use.

As the owner of an already unwieldy security tech stack, CISOs know that a point solution to manage privacy isn’t likely the answer to these inefficiencies. And that checklists and outdated modes of communicating privacy requirements have resulted in gaps and increased risk.

What CISOs Need To Do Now

CISOs are incentivized to see that going forward, privacy is managed in a more efficient way so that their team can understand requirements, communicate progress and over time, analyze trends. And, to do so in an environment where both the privacy experts and the security experts can work together to see how enterprise projects are moving through each critical stage, in a fully transparent, fully tracked way.  

We built PrivacyCode as a SaaS platform so that privacy and security teams can seamlessly work together on privacy implementations in the language that both teams understand, while gaining valuable reporting and insights. Our solution empowers security teams - who are not privacy experts but who often take on privacy work because of the adjacencies of the two fields - to meaningfully track, measure and prove the effectiveness of their privacy work. 

If you’re a CISO or security professional who is interested in helping to solve the privacy management paradox for your organization, reach out to us. We’d love to hear from you. Meanwhile, as you continue to work hard to protect your enterprise, remember that even superheroes need a day off. 

Read More
Melanie Ensign

Introducing PrivacyCode!


A SaaS Platform for Privacy Management is Finally Here

The way we work, move around the globe, entertain, educate and affect social change is fueled by a ubiquitous flow of data and data-driven products. 

At the same time, we see fault lines forming between safety and individual autonomy; convenience and choice; ethics and urgency. The systems of law and international sovereignty can scarcely keep pace with technological change and the demands of new generations of digital natives who are hungry to have their digital cake and eat it, too.   

This complex, ever changing, multi-stakeholder and high-risk world is the realm of the Chief Privacy Officer. She is tasked with understanding individual employee and consumer rights, international legal regimes, technical capabilities and the financial realities required to drive the entire soft system that is data protection and privacy. It’s a lot.

Reimagining Privacy for the Modern Enterprise

When we talk to people who work in privacy – from CPOs to privacy engineers - we hear stories of communication failures, confusing product requirements, and ever-increasing pressure from regulators and board members to reduce the risk of collecting, managing and securing personal data. Often, we find ourselves vigorously nodding in agreement. That’s because we’ve both “sat in the chair,” leading privacy programs from the legal and technical sides. The pain points we hear are deeply familiar to us.  

We’ve stared into the void – and it is a void – searching for an enterprise solution to connect policy words, technology, law, reporting and governance. We searched for a platform that legal, technical and business teams understand and could actually use to build privacy into products and governance programs. For too long, the void stared back at us.

So we decided to fill the void (and then some) – by building a proactive, metrics creating platform that meets developers and privacy leaders where they are. Specifically, a solution that enables privacy teams to leverage the best ML/AI solutions to test assumptions and make standards-based recommendations.  And, to equip them to scale their work by having the most current regulatory standards at their fingertips. We wanted them to be able to break down complex requirements into intelligible chunks so that the right person can execute on them quickly and effectively. We believe privacy leaders and teams should be able to do all of this, and more. So that’s what we built: a platform to empower privacy experts to become more efficient, and for privacy novices to perform like experts. 

Why PrivacyCode?

PrivacyCode is the only SaaS platform that brings scale, efficiency, and accountability to privacy programs. Today, there is a chasm between the privacy teams who use words to create privacy policies and developers who use code to transform these policies into products. Simply put, they speak different languages.  

For decades these two essential stakeholders (and others across the enterprise who “own” aspects of privacy) have found themselves in endless meetings, struggling to create system requirements from legal documents, only to end up frustrated.  Correcting these requirements after systems are deployed or updated can be costly, time consuming, and failure prone. The cost of this inefficiency and miscommunication is real. Last year, Didi Global was hit with a breathtaking $1.2 billion fine, Sephora was fined $1.2m for breaking California’s privacy law, and Weight Watchers suffered bloated liabilities from poor acquisition practices because the startup it acquired had not built privacy in to protect children’s data. The list goes on.  

To address these growing risks and build a solution that would scale and iterate as the privacy landscape continues to change, we focused on building the PrivacyCode platform that is:

  • Cloud-based and collaborative

  • One-source of truth and proof

  • Developer and privacy team friendly

  • Engineered for the ethics of the modern enterprise 

In essence, these principles are the “code” that we use to guide us. In the process, we’ve created new ways to advance how people work with privacy, day to day. For instance:

  • The Privacy Object™ Library provides out-of-the-box instructions and translates privacy policies into consumable tasks for developers and project managers

  • Machine Learning (ML) engine enables speed, automation and scale

  • Embedded tools capture data, drive analytics, and generate reporting

There’s a lot more to know about what PrivacyCode can do – contact us for a demo.

We also think it’s important to say what PrivacyCode is not. Our solution is not a checklist. It’s not an assessment framework or data mapping tool. These are point solutions that only look at a piece of the privacy puzzle without connecting it to the larger privacy program, technical requirements, or reporting imperatives.  

Why a Platform?

Privacy programs today must scale. One-off, siloed projects in legal departments or technology teams, or in separate business functions fail to leverage previous knowledge and development work, and almost always result in costly gaps and lost productivity. And without an integrated workflow and view, it’s almost impossible for privacy leaders to provide metrics and demonstrate the progress of their program. This “proof gap” is something that plagues many privacy professionals.

What’s more, privacy is no longer the purview of a single person, be it a lawyer, privacy manager or a cybersecurity expert with “privacy” as a side job. Now, privacy touches all parts of an enterprise, from sales to marketing to supply chain to HR to IT. A comprehensive solution that enables each of these stakeholders to contribute to, and track, a privacy program from their POV is essential. PrivacyCode as a platform is the “spine” that connects the unique elements and various user personas of enterprise privacy into a single, simple-to-use system.   

Why Now?

Businesses are responsible for managing an avalanche of proprietary data. Yet the privacy protection “industry” is still in its infancy. As the ownership of privacy within large enterprises continues to shift from legal teams to a shared responsibility across teams and work streams – many who are new in the field - keeping track of the work and the evidence is critical. Toss in the explosion of remote work, complex governance, growing cyber threats, and enterprise customers who want to know if a company can prove it protects customer data, and it becomes clear that continuing to manage privacy like it’s 2010 is a massive risk.

In concert with a shifting privacy management landscape, C-suites and Boards of Directors are paying closer attention to what they spend on their privacy program and want evidence that risks are being managed efficiently. Successful and sustainable businesses know that it’s critical to protect data, to act as its guardian, and to manage it as an asset.  

Where Are We Headed?

We’re pretty excited about what we’ve built with PrivacyCode. We uniquely understand the challenges facing privacy leaders and privacy engineers today and making their work easier – and protecting the private data of all people – is a mission we truly believe in. We also love the fact that our platform is a business enabler for our customers and creates real value for the enterprises that use our platform.

As the data privacy solutions market is poised for hypergrowth, we’re confident that PrivacyCode will be at the forefront of privacy innovation for a long time to come.  If you’d like to join us on our journey by becoming a PrivacyCode Design Partner to see firsthand how you can reduce privacy risk and accelerate teams across your enterprise, please contact us.

-----------------------------------

PrivacyCode founders Kristy Edwards and Michelle Finneran Dennedy

About the Founders

PrivacyCode was founded by industry pioneers Michelle Finneran Dennedy and Kristy Edwards. 

Michelle wrote the book on Privacy Engineering; she has held Chief Privacy Officer roles at Cisco, McAfee/Intel, and Sun Microsystems, and is former CEO of Drumwave. Kristy is an entrepreneur, patent holder, and seasoned Product leader who builds privacy-enabled products that customers love; she’s led global Privacy and Information Security teams at Oracle, Workday, McKesson and Lookout. Both founders are thought leaders and data privacy innovators.

Read More
Grace Nadich

Accelerating Development


A Message from PrivacyCode President Kristy Edwards

Photo courtesy of #WOCinTech Chat

Developers, development managers, privacy engineers, and privacy attorneys all tell me the same story about the litany of meetings they have trying to translate all the words and policies of privacy requirements into something usable for engineers.

They’re all spending an enormous amount of time not writing code, designing new features, or doing legal work. They feel increasingly stuck in these discussions as new requirements emerge from regulators and customers, and they’re unable to focus on the work that fulfills them. I’ve been there.

I understand PrivacyCode customers because I’ve been in their shoes. I led privacy teams, security teams, and product teams, and I know why so many cross-functional privacy efforts struggle to gain traction. Privacy work only moves forward when engineers and lawyers are able to communicate effectively with each other, and when product teams truly understand end-users. Until now there hasn’t been a single solution that could effectively bring all these disciplines together under the same set of expectations, metrics, and goals.

Developers want to do the right thing, to write code that enforces data minimization, consent, and responsible sharing, but legal policies don’t often specify how to do that. Every team involved in privacy work needs someone to show them using language, tools, and context they understand. Legal and governance teams usually explain policy and law with words, but engineering systems are driven by code. To move forward, privacy needs a translator.

My co-founder Michelle and I are building what we wish we’d had as privacy and product executives — a solution to bridge the gap between privacy policies and actual code.

PrivacyCode is a SaaS platform with a translation engine that turns complex privacy policies into a language developers understand, using agile methodologies. It provides context in a world they already know and integrates with tools they already use. This is the future of privacy engineering.

Read More

Media inquiries

Media@PrivacyCode.ai