CISOs face pressure on all sides. From their tenuous position in the company org chart, they’re tasked with managing external and internal risk to their company’s sensitive data. And when a privacy or security incident does strike, often they’re the ones who take the blame.
Yet as threats expand and regulations tighten, a CISO’s role as enterprise risk manager has never been more vital. As Leonard Kleinman, a member of the Forbes Technology Council, succinctly wrote, “The new CISO must know how to quantify risk and understand business as well as cybersecurity technologies... They are no longer just the keeper of secrets or guardian at the gate. They are integrated into the business and taking a risk-based detective/hunter-style approach.”
Know thy risk
Privacy incident response is a critical component when it comes to identifying and quantifying full-picture, organization-wide risk. With the data gathered from privacy incidents—things like root cause, incident volume by line of business or department, category (paper vs. electronic), response timeframes, remediation efforts, etc.—CISOs can examine and analyze the nature of privacy incidents over time to understand where the true risks lie. They can thus be more strategic in their approach to managing risk for the whole enterprise.
Incident response is not just the CISO’s job, however. To accurately identify, mitigate, and reduce risks across an organization—be they electronic or paper, malicious or non-malicious—key departments must share the burden of privacy incident response and privacy by design. Collaboration is key: privacy, security, legal, and product teams must work together effectively.
Incident responders, unite!
To ensure collaboration, team members should understand each other’s roles, responsibilities, and motivations:
- Security approaches incident response from a tactical standpoint, safeguarding data and ensuring the availability of systems to prevent—or mitigate—improper disclosures or downtimes.
- Privacy focuses on the personal impacts of incident response—how the disclosure relates to people and the risk of harm to the impacted individual. The privacy team also considers what regulatory and contractual notification requirements are in scope.
- Legal is integral in understanding the regulatory landscape, setting company policies, and ensuring business practices—such as third-party vendor agreements or business associate agreements—are properly set up.
- Product determines if and/or how the company’s products or services may have been a factor in an incident—and what remediation may be required to address the problem. They are also critical when creating new features or services by following the Privacy by Design framework. In this framework, the product team collaborates with security, privacy, and legal teams to proactively factor in privacy throughout the whole engineering process.
Together, these perspectives round out a full view of privacy incident response. Understanding legal risks, implementing privacy policies and procedures, safeguarding data, and applying the appropriate controls for that data throughout the organization and within the company’s products and services—each is a critical aspect of a strong incident response program.
There are simply far too many risk vectors that exist for a single department or person to manage an organization’s privacy incident response program on their own.
Costly delays in incident response
The BakerHostetler 2019 Data Security Incident Response Report shows a rather depressing average incident response timeline, from the day the event took place to notification being provided:
- Occurrence to discovery: 66 days
- Discovery to containment: 8 days
- Discovery to notification: 56 days
This is troubling for a couple of reasons. First, data breach notification timeline requirements are shrinking—many U.S. states require 30 days or less, and in the case of the EU GDPR, there are only 72 hours to notify the lead supervisory authority. Delays at each step of the incident response process could mean missing regulatory compliance deadlines. This is a huge risk.
Second, research has shown that the longer the time to breach discovery, the more severe the impact. Organizations participating in the 2018 IBM Cost of a Data Breach Study experienced increases in both the time to identify and to contain a breach.
According to the report: “We attribute increases in this year’s time to identify and time to contain to the increasing severity of criminal and malicious attacks experienced by a majority of companies in our sample.”
The longer a potential breach goes undiscovered, be it a cyber-attack or a misdirected paper fax, the greater the risk of harm to both a company and its customers. Timely risk identification and mitigation are essential. To ensure this timeliness, CISOs should continually measure their organization’s Mean Time to Privacy Response (MTTPR).
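As an added illustration (not code from the original article), the following Python turns per-incident timestamps into the three stage durations listed above, averages them as MTTPR-style metrics, flags incidents whose discovery-to-notification interval exceeded a notification deadline (72 hours for GDPR; 30 days used here as a placeholder for a US state rule), and counts incidents by department or category as described under "Know thy risk". The incident records and department names are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incidents (not real data); timestamps are ISO-8601, UTC.
INCIDENTS = [
    {"id": "INC-1", "dept": "Billing", "category": "paper", "jurisdiction": "US-state",
     "occurred": "2019-01-01T00:00", "discovered": "2019-03-08T00:00",
     "contained": "2019-03-16T00:00", "notified": "2019-05-03T00:00"},
    {"id": "INC-2", "dept": "Support", "category": "electronic", "jurisdiction": "EU-GDPR",
     "occurred": "2019-04-01T08:00", "discovered": "2019-04-03T08:00",
     "contained": "2019-04-04T08:00", "notified": "2019-04-05T20:00"},
    {"id": "INC-3", "dept": "Engineering", "category": "electronic", "jurisdiction": "EU-GDPR",
     "occurred": "2019-06-10T00:00", "discovered": "2019-06-20T00:00",
     "contained": "2019-06-22T00:00", "notified": "2019-06-24T12:00"},
]

# Notification clocks start at discovery; the 30-day figure is a placeholder.
DEADLINES = {"EU-GDPR": timedelta(hours=72), "US-state": timedelta(days=30)}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _days(td: timedelta) -> float:
    return td.total_seconds() / 86400


def stage_durations(inc: dict) -> dict:
    """Per-incident timeline in days, using the same three stages as the report."""
    occ, disc, cont, noti = (_t(inc[k]) for k in ("occurred", "discovered", "contained", "notified"))
    return {
        "occurrence_to_discovery": _days(disc - occ),
        "discovery_to_containment": _days(cont - disc),
        "discovery_to_notification": _days(noti - disc),
    }


def mean_stage_durations(incidents: list) -> dict:
    """Mean duration of each stage across incidents (an MTTPR-style metric)."""
    rows = [stage_durations(i) for i in incidents]
    return {stage: mean(r[stage] for r in rows) for stage in rows[0]}


def missed_notifications(incidents: list) -> list:
    """IDs of incidents where discovery-to-notification exceeded the jurisdiction's deadline."""
    return [i["id"] for i in incidents
            if _t(i["notified"]) - _t(i["discovered"]) > DEADLINES[i["jurisdiction"]]]


def count_by(incidents: list, field: str) -> dict:
    """Incident volume by a record field, e.g. 'dept' or 'category'."""
    return dict(Counter(i[field] for i in incidents))
```

Running `mean_stage_durations(INCIDENTS)` on the sample data reproduces a 66-day occurrence-to-discovery gap for INC-1 and flags INC-1 and INC-3 as having missed their notification deadlines.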
Invest in collaboration
As the BakerHostetler study shows all too plainly, many companies operate in departmental silos. CISOs have no way of identifying privacy incidents that may not include electronic data. Privacy leaders often have no insight into the status of security incidents that require a multifactor privacy risk assessment to determine the risk of harm, as the security team is focused on recovery and availability.
For true collaboration to happen, organizations need an automated way to respond to privacy and security incidents—one that lets all employees and customers report incidents efficiently, and lets the incident response team perform risk assessments efficiently and consistently, make a breach or no-breach determination, and provide dashboard metrics and real-time reporting for organization-wide visibility.
To achieve true success as an enterprise risk manager, CISOs need to collaborate with their peers across their organization. Only then will they obtain a 360-degree view of the threats facing their organization. Privacy incident response automation can help.