CISOs' Privacy Responsibilities Keep Growing

Years ago, when Mark Eggleston was tasked with building a privacy program for a national healthcare provider, he saw firsthand the importance of cross-functional collaboration.

"I needed legal experts to debate the HIPAA Privacy, NPRM [Notice of Proposed Rulemaking], final rule, and guidance and convert those requirements into internal policies," Eggleston recalls. "CISOs can bring efficiency and reliance to these procedures by implementing technical controls."

Eggleston, who is currently the chief information security officer (CISO) at CSC, a provider of business administration and compliance solutions, now recognizes how this collaboration underscores a larger trend occurring: CISOs are increasingly taking responsibility for privacy within organizations. According to research from IANS, CISO ownership of privacy has surged from 35% to 47% over the past five years. This growing role comes as privacy management and cybersecurity become more intertwined, fueled by regulatory pressures; evolving questions and concerns about certain technologies, like artificial intelligence (AI); and the always present desire to avoid becoming a victim of a data breach.

Traditionally, privacy and security were considered separate domains within an organization. Privacy was the responsibility of legal or compliance teams, while CISOs focused on protecting the organization from cyber threats. However, the line between these two areas is blurring, and more CISOs are being asked to handle privacy functions.

"When a CISO conducts a risk assessment or looks at data flow, they're already thinking about how to protect that information," says Rebecca Herold, CEO of The Privacy Professor and an IANS faculty member. Adding privacy to the role simply formalizes what they're already doing in many cases, she says.

Yunique Demann, senior director and data protection officer at NTT Data Americas, began her career in a security role and then moved into a privacy position, giving her a view into both disciplines.

"With the rise in data breaches, regulations, and regulatory scrutiny outside your legal, risk, or compliance functions, CISOs are becoming a natural fit to oversee privacy controls," she says. "Privacy is one of many areas that have impacted a CISO's role."

Why CISOs Are Taking on Privacy Roles

Another driver behind the shift in responsibility is the ever-changing regulatory landscape. Privacy laws, like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US, are placing greater demands on organizations to protect personal data. These regulations require organizations to have robust privacy controls, and, in many cases, the CISO is seen as integral to helping to oversee those efforts. CSC's Eggleston, who has held both CISO and chief privacy officer (CPO) roles, says the shift has been afoot for years, as CISOs have had to work with other departments where privacy is also essential.

"Most CISOs are already working strongly with human resources and legal teams, and the focus on privacy makes it paramount to continue to do so, as both HR and legal have core interest in privacy matters," he says. "Even the NIST Cybersecurity Framework is now integrating privacy into its guidelines."

With CISOs taking on more privacy duties comes a growing need to balance these responsibilities with their traditional focus on cybersecurity. There is also the potential for a conflict of interest, Demann says.

"But this is handled when operational privacy responsibilities are given to a DPO [data protection officer], while keeping the reporting line into security," she says.

In addition to regulatory pressures, advances in technology, such as the widespread adoption of AI, are contributing to CISOs' expanded role in privacy management. A recent survey from the International Association of Privacy Professionals (IAPP) found that 69% of chief privacy officers now have additional responsibility for AI governance, and 37% for cybersecurity regulatory compliance. And for good reason, says Demann, because many areas around AI require more scrutiny from both a privacy and security perspective.

"Privacy risks occur when the use of AI conflicts with these fundamentals and lacks transparency and incorporates bias in the process," she says. "Just because your LLM [large language model] can utilize huge amounts of data points, it doesn't mean it should, especially without consent of the individuals whose data you are using. Consent should be clear and explicit. Unfortunately, we are finding too many situations where consent is hidden."

Reskilling to Handle Privacy

The skills required for privacy management are also evolving, and CISOs must be prepared to adapt.

"Privacy is fundamentally about protecting individuals' rights and ensuring the processing of personal data is performed in accordance with applicable laws," Demann says. "This requires a deeper understanding of legal, ethical, and regulatory frameworks and a focus on data governance, consent management, and transparency."

She encourages CISOs to engage with privacy communities, collaborate with privacy leads, and actively seek opportunities to expand their knowledge of privacy issues.

For CISOs, collaboration with CPOs and legal departments is also key to ensuring both security and privacy compliance within their organizations. Demann recommends regular communication and joint initiatives, such as combined tabletop exercises and industry presentations, to create a unified approach to privacy and security.

"The more privacy and security leads can show up together, the easier it is for the organization to have a strategic approach," she says.

Eggleston stresses the importance of staying informed through think tank digests, privacy updates from legal firms, and ongoing discussions with jurisdictional staff.

"Many EMEA countries have much more detailed and stronger requirements for privacy," he notes, citing Luxembourg's Professional Secrecy obligation as an example.

Looking ahead, CISOs need to be prepared to navigate emerging privacy trends, whether or not privacy is in their purview. As the role expands, they will need to continue building their knowledge of privacy laws and collaborating across departments to protect both company data and individuals' rights.

"Security is about confidentiality, and privacy is fundamentally about confidentiality," Eggleston concludes. "Privacy and security are stronger together."