CISO Challenges in Data Security: Best Practices for Privacy Compliance

January 25, 2024 | By IANS Faculty, Rebecca Herold

As part of Data Privacy Week, IANS Faculty offer tips and insights focused on data integrity to ensure that policies are in place that manage, control and protect both personal and organizational data. In this feature, Rebecca Herold discusses common privacy and new data protection legislative challenges and provides best practices to make the compliance process much more efficient and effective.

Q&A with IANS Faculty member, Rebecca Herold

Rebecca Herold is Founder, owner, and CEO of Rebecca Herold, LLC, aka The Privacy Professor®, an information security, privacy, IT, and compliance services firm. She also co-founded Privacy Security Brainiacs, a SaaS platform, in early 2020 with her oldest son, Noah. Rebecca also serves as a Distinguished Ponemon Institute Fellow and as an Advisory Board Member for multiple technology businesses and startups. Additionally, Rebecca serves as an expert witness for diverse cases, is an advisor on multiple high school and college/university curriculum and program boards, and hosts a VoiceAmerica radio show called “Data Security & Privacy with the Privacy Professor.”

Tracking and complying with the myriad of privacy compliance laws and regulations in the U.S. and abroad is becoming increasingly difficult. Across the globe, countries and jurisdictions continue to create new security and privacy laws and regulations, in addition to revamping old ones, making the task all the more difficult.

What are CISO challenges around data protection and privacy legislation?

Rebecca: With regard to how the requirements of new legislation are impacting CISOs who are trying to stay current with all requirements and keep their security and privacy management programs updated for compliance, they are often impacted significantly by the following:

  • How to address conflicting requirements between different legal requirements with which they are obligated to comply. For example, laws with personal data retention requirements that conflict with other laws requiring that the same data not be retained immediately after transactions.
  • How to meet compliance regulations with insufficient budgets for security and privacy compliance, especially when it means taking budget to do so.
  • How to prioritize which of the changes to make first.
  • Keeping up with risk assessments, policies and procedures updates, and updated training to include information about the new legal requirements.
  • Providing training that is pertinent to specific topics, as opposed to the more common general types of security and privacy training that are available through most vendors.
  • Communicating new requirements to contracted third parties who also need to update their compliance activities accordingly, and then having oversight of their security and privacy programs.


What are the compliance consequences of a weak data protection program?

Rebecca: Most of the business leaders I speak with (whom CISOs indicate are not providing enough funding and support to have a solid, comprehensive privacy/data protection/cybersecurity program) tell me it is because they do not think that they will ever be audited by a regulator for compliance. “What are the odds that we will ever even be audited for compliance?”

Business leaders must realize that being compliant with all legal requirements is just one of many reasons to implement a comprehensive privacy/data protection/cybersecurity program.

Some significant and costly consequences of not having a solid, comprehensive privacy/data protection/cybersecurity program, starting with the compliance-related ones, include:

  • Non-compliance fines, which can be significant and into the tens of millions of dollars, particularly after breaches.
  • Other types of non-compliance penalties can include the need for additional staff to support ongoing oversight, required documentation and reporting, and being audited by the regulators for up to twenty years, such as in the healthcare industry under HIPAA.
  • Increased risks for security incidents, which can result in systems downtime, removing access for customers, patients, employees, and business partners.
  • Increased risks for hacking and other types of outside threats exploiting weak points that may have been eliminated by following technical, physical and administrative/operational compliance requirements.
  • Increased risks for insider threats from malicious authorized users who look for opportunities to exploit weaknesses within the business ecosystem.
  • Increased risks for privacy breaches.
  • Lost business from news media reporting on their privacy breaches, security incidents, and service outages.
  • Failed audits by potential business partners checking for an acceptable, comprehensive program, which could lead to lost business.
  • Bad public relations from incidents and breaches.
  • Risk of increased cybersecurity insurance premiums.


What are some data and privacy best practices to ensure compliance?

Rebecca: Security, privacy and compliance teams can plan, implement, and maintain the following core elements within most privacy, data protection, and security programs now:

  1. Obtain executive support for the privacy, data protection, and security compliance program(s).
  2. Assign responsibility for the privacy, data protection, and security compliance program(s), and establish accountabilities for roles with key security and privacy impacting job responsibilities.
  3. Define what “personal data” (or whatever your organization’s preferred term may be) is within your organization, to meet all your legal requirements and data risk environments. Provide examples to help ensure personnel understanding.
  4. Establish inventories of the personal data, and associated data relevant to impacting risk. This should include data flow maps. You can’t protect data unless you know where it is. You can’t know where it is if you don’t know the full data collection-use-sharing-retention-elimination lifecycle.
  5. Establish, document, implement and maintain security and privacy policies and supporting procedures.
  6. Provide education to personnel with any type of access to data, or associated data assets, that impact security and privacy risks. This should include requiring periodic courses at least once a year (but more often provides more benefits), in addition to providing ongoing awareness activities.
  7. Implement basic technical security controls, including strong authentication, access logging, anti-malware protection, software/firmware updates, and intrusion detection tools.
  8. Implement basic physical security protections for your organization’s physical infrastructure.
  9. Perform risk management activities, including regular risk assessments, and a wide range of other risk management activities.
  10. Ensure security incident and breach response teams exist, support the established procedures, know whom to contact and when for breach notices, receive regular training, and perform table-top exercises to ensure the procedures will work as intended.
  11. Perform third-party security and privacy oversight management activities.

If organizations have these core elements in place, they will be meeting the majority of the basic legal requirements within most laws and regulations. CISOs can then more easily make changes within these core elements based upon requirements within specific laws, regulations and contractual requirements; for example, how quickly notice must be made to impacted individuals following discovery of a personal data breach.


How IANS Faculty Expertise Benefits You

Cybersecurity today is faced with a myriad of complex challenges, and the IANS Faculty will help you make informed security decisions that protect your business.

Whether you need guidance on program direction, a tie-breaking opinion on architectural considerations, tool implementation advice, a comprehensive security assessment, a penetration test, or mapping controls to a regulatory standard, we are a trusted partner to provide the best decision support for your security team.

Our mission is to help you make better, faster decisions, grow professionally, and stay compliant. Get in touch with IANS to learn more about how we can help move your security program forward.


Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
