
How Should the CSO Work With the Chief Privacy Officer?

The chief security officer needs to be in constant communication with the chief privacy officer about what's working or not working.

Chris Bush, Chief Customer Officer, Black Kite

September 17, 2021


Question: How should the Chief Security Officer work with the Chief Privacy Officer?

Chris Bush, Chief Customer Officer at Black Kite: You'll find both a Chief Security Officer and a Chief Privacy Officer in heavily regulated industries like pharmaceuticals, finance, and insurance. The CPO is typically responsible for covering scenario situations, policy, and protecting personally identifiable information. The CSO is typically responsible for creating procedures, creating policy, and then implementing technical controls to actually secure everything. So while you can see the delineations and recognize that each function is mutually exclusive in its respective discipline, the CSO and CPO have to come together in several important areas. That would include regulatory issues like the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other state and international mandates which demand such expertise. Both the CSO and CPO need to work together on policies to deal with regulatory issues in order to secure the desired outcome. Creating policies without any mechanism for control is useless.

When it is working well, the CSO and the CPO both understand each other's function as well as the requirements for the company. They do that by understanding where the responsibilities are siloed and where the responsibilities need to be harmonized. They need to be in constant communication about what's working or not working.

For the business, harmony between the two officers leads to a strong understanding of how regulations designed for the industry translate into business requirements, as well as how they influence tangible technical controls. Furthermore, the company should have a measure for the success of both the controls and the policies to ensure regulatory compliance and internal effectiveness.

You don't want a CPO going in and implementing those tangible technical controls. So they need to be engaged with the CSO, who is ultimately responsible for implementing policy and systems that are aligned with privacy policy and regulatory requirements. For the good of the company, it's necessary for them to be in lockstep.

About the Author

Chris Bush

Chief Customer Officer, Black Kite

Chris Bush has worked more than 20 years in cybersecurity leadership roles, including the former CISO for ObserveIT and Head of Security at Novartis Pharmaceuticals where he managed both operational and information security teams. He is currently the Chief Customer Officer for Black Kite.

