To Be Great Enterprise Risk Managers, CISOs Need to be Great Collaborators

CISOs face pressure on all sides. From their tenuous position in the company org chart, they’re tasked with managing external and internal risks to their company’s sensitive data. And when a privacy or security incident strikes, they’re expected to be accountable.

Yet as threats expand and regulations tighten, a CISO’s role as enterprise risk manager has never been more vital. As Leonard Kleinman, a member of the Forbes Technology Council, succinctly wrote, “The new CISO must know how to quantify risk and understand business as well as cybersecurity technologies… They are no longer just the keeper of secrets or guardians at the gate. They are integrated into the business and taking a risk-based detective/hunter-style approach.”

Know Thy Risk

Privacy incident management is a critical component when it comes to identifying and quantifying organizational risk. With the data gathered from privacy incidents—things like root cause, incident volume by line of business or department, category (paper vs. electronic), response timeframes, remediation efforts, etc.—CISOs can examine and analyze the nature of privacy incidents over time to understand where the true risks lie. Thus, be more strategic in their approach to managing risk for the whole enterprise.

Incident management is not just the CISO’s job, however. To accurately identify, mitigate, and reduce risks across an organization—be they electronic or paper, malicious or non-malicious—key departments must share the burden of privacy incident response and privacy by design. Collaboration is key, as privacy, security, legal, and product teams effectively work together.

Incident Responders, Unite!

To ensure collaboration, team members should understand each other’s own roles, responsibilities, and motivations:

• Security approaches incident management from a tactical standpoint, safeguarding data and ensuring the availability of systems to prevent—or mitigate—improper disclosures or downtimes.

• Privacy focuses on the personal impacts of incident management—how the disclosure relates to people and the risk of harm to the impacted individual. The privacy team also considers what regulatory and contractual notification requirements are in scope.

• Legal is integral in understanding the regulatory landscape, setting company policies, and ensuring business practices—such as third-party vendor agreements or business associate agreements—are properly set up.

• Product determines if and/or how the company’s products or services may have been a factor in an incident—and what remediation may be required to address the problem. They are also critical when creating new features or services by following the Privacy by Design framework. In this framework, the product team collaborates with security, privacy, and legal teams to proactively factor in privacy throughout the whole engineering process.

Each of these perspectives together rounds out a full view of privacy incident management. Understanding legal risks, implementing privacy policies and procedures, safeguarding data, and applying the appropriate controls for that data throughout the organization and within the company’s products and services—each is a critical aspect of a strong incident response program.

There are simply far too many risk vectors that exist for a single department or person to manage an organization’s privacy incident management program on its own.

Costly Delays in Incident Response

The IBM 2023 Cost of a Data Breach Report shows a rather depressing average incident management timeline, from the day the event took place to consumer notification being provided:

• Discovery and containment: 277 days
• Discovery to notification: 72 days

This is troubling for a couple of reasons. First, data breach notification timeline requirements are shrinking—many U.S. states require 30 days or less, and in the case of the EU GDPR, there are only 72 hours to notify the lead supervisory authority. Delays at each step of the incident response process could mean missing regulatory compliance deadlines. This is a huge risk.

Second, research shows that the longer the time to breach discovery, the more severe the impact. Organizations participating in the IBM report experienced increases in both the time to identify and to contain a breach. Per IBM, the average costs associated with a data breach lifecycle from occurrence to containment and notification:

• Fewer than 200 days: 3.93 million
• Greater than 200 days: 4.95 million

The longer a potential breach goes undiscovered, be it a cyber-attack or a misdirected paper fax, the greater the risk of harm to both a company and its customers. Timely risk identification and mitigation are essential. To ensure this timeliness, CISOs should continually measure their organization’s Mean Time to Privacy Response (MTTPR).

Invest in Collaboration

As the BakerHostetler study shows all too plainly, many companies operate in departmental silos. CISOs have no way of identifying privacy incidents that may not include electronic data. Privacy leaders often have no insight into the status of security incidents that require a multifactor privacy risk assessment to determine the risk of harm, as the security team is focused on recovery and availability.

For true collaboration to happen, organizations need an automated way to respond to privacy and security incidents—one that allows all employees and customers to efficiently report incidents, and for the incident response team to efficiently and consistently perform risk assessment, make a breach or no breach determination, and provide dashboards metrics and real-time reporting for organization-wide visibility.

To achieve true success as an enterprise risk manager, CISOs need to collaborate with their peers across their organization. Only then will they obtain a 360-degree view of the threats facing their organization.