Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
by Andrew Migliore on July 25, 2019
CISOs face pressure on all sides. From their tenuous position in the company
org chart, they're tasked with managing external and internal risk to their
company's sensitive data. And when a privacy or security incident does strike,
often they're the ones who take the blame.
Yet as threats expand and regulations tighten, a CISO's role as enterprise risk
manager has never been more vital. As Leonard Kleinman, a member of the
Forbes Technology Council, succinctly wrote, "The new CISO must know how
to quantify risk and understand business as well as cybersecurity
technologies... They are no longer just the keeper of secrets or guardian at the
gate. They are integrated into the business and taking a risk-based detective/
hunter-style approach."
Know thy risk
Privacy incident response is a critical component when it comes to identifying
and quantifying full-picture, organization-wide risk. With the data gathered from
privacy incidents—things like root cause, incident volume by line of business or
department, category (paper vs. electronic), response timeframes, remediation
efforts, etc.—CISOs can examine and analyze the nature of privacy incidents
over time to understand where the true risks lie. They can thus be more
strategic in their approach to managing risk for the whole enterprise.
https://www.radarfirst.com/blog/to-be-great-enterprise-risk-managers-cisos-need-to-be-great-collaborators[7/29/19, 4:14:58 PM]
Incident response is not just the CISO's job, however. To accurately identify,
mitigate, and reduce risks across an organization—be they electronic or paper,
malicious or non-malicious—key departments must share the burden of
privacy incident response and privacy by design. Collaboration is key: privacy,
security, legal, and product teams must work together effectively.
Incident responders, unite!
To ensure collaboration, team members should understand each other's roles,
responsibilities, and motivations:

Security approaches incident response from a tactical standpoint, safeguarding
data and ensuring the availability of systems to prevent—or mitigate—improper
disclosures or downtime.

Privacy focuses on the personal impacts of incident response—how the disclosure
relates to people and the risk of harm to the impacted individual. The privacy team
also considers what regulatory and contractual notification requirements are in
scope.

Legal is integral in understanding the regulatory landscape, setting company
policies, and ensuring business practices—such as third-party vendor agreements
or business associate agreements—are properly set up.

Product determines if and/or how the company's products or services may have
been a factor in an incident—and what remediation may be required to address the
problem. They are also critical when creating new features or services by following
the Privacy by Design framework. In this framework, the product team collaborates
with security, privacy, and legal teams to proactively factor in privacy throughout the
whole engineering process.

Each of these perspectives together rounds out a full view of privacy incident
response. Understanding legal risks, implementing privacy policies and
procedures, safeguarding data, and applying the appropriate controls for that
data throughout the organization and within the company's products and
services—each is a critical aspect of a strong incident response program.
There are simply far too many risk vectors for a single department or
person to manage an organization's privacy incident response program on
their own.

Costly delays in incident response

The BakerHostetler 2019 Data Security Incident Response Report shows a
rather depressing average incident response timeline, from the day the event
took place to notification being provided:
Occurrence to discovery: 66 days
Discovery to containment: 8 days
Discovery to notification: 56 days

This is troubling for a couple of reasons. First, data breach notification timeline
requirements are shrinking—many U.S. states require 30 days or less, and in
the case of the EU GDPR, there are only 72 hours to notify the lead
supervisory authority. Delays at each step of the incident response process
could mean missing regulatory compliance deadlines. This is a huge risk.

Second, research has shown that the longer the time to breach discovery, the
more severe the impact. Organizations participating in the 2018 IBM Cost of a
Data Breach Study experienced increases in both the time to identify and the
time to contain a breach.

According to the report: "We attribute increases in this year's time to identify
and time to contain to the increasing severity of criminal and malicious attacks
experienced by a majority of companies in our sample."

The longer a potential breach goes undiscovered, be it a cyber-attack or a
misdirected paper fax, the greater the risk of harm to both a company and its
customers. Timely risk identification and mitigation are essential. To ensure this
timeliness, CISOs should continually measure their organization's Mean Time to
Privacy Response (MTTPR).

Invest in collaboration

As the BakerHostetler study shows all too plainly, many companies operate in
departmental silos. CISOs have no way of identifying privacy incidents that may
not include electronic data. Privacy leaders often have no insight into the
status of security incidents that require a multifactor privacy risk assessment to
determine the risk of harm, as the security team is focused on recovery and
availability.
For true collaboration to happen, organizations need an automated way to
respond to privacy and security incidents—one that allows all employees and
customers to efficiently report incidents, and allows the incident response team to
efficiently and consistently perform risk assessment, make a breach or no-breach
determination, and provide dashboard metrics and real-time reporting
for organization-wide visibility.
To achieve true success as an enterprise risk manager, CISOs need to
collaborate with their peers across their organization. Only then will they obtain
a 360-degree view of the threats facing their organization. Privacy incident
response automation can help.