Can a Virtual CISO also fulfill the role of DPO?

The Role of DPO: Virtual CISO Impact

In October 2016, a business was fined [1] for appointing an IT manager as its Data Protection Officer (DPO). The Bavarian State Commissioner for Data Protection explained that this would represent a conflict of interest. Under German data protection law, a DPO must be able to act independently of operations.

Businesses worldwide are facing similar challenges, particularly in Europe, where GDPR requires them to pay close attention to roles connected with data protection. The increasing complexity of cybercrime means businesses must appoint talented security specialists; compliance means they must be seen to do so.

Experienced DPOs and CISOs are becoming highly prized. Large corporations can afford to headhunt the most talented people. SMEs, also subject to GDPR, are finding it increasingly difficult to hire and retain permanent staff. Often their only option is to employ contract or virtual security specialists.

Here we consider whether a virtual CISO can fulfil the role of a DPO by contrasting their job roles and skills.

Business imperatives

For any organisation, the security of its customers’ data is of primary importance. Data protection is critical for every organisation, from a publicly funded body such as the NHS to a small business. The increasing sophistication of cybercrime and the involvement of state actors demand an apposite level of skill in protecting data.

Penalties for data breaches are severe. For example, BA is facing a fine of £183m [2] for its customers’ credit card data breach in 2018. It’s not just about punishment, however. Cultivating a reputation for being trustworthy can take years of strategic product development and branding. It can be destroyed overnight.

Security specialists are, therefore, essential to maintaining the reputation and financial health of the organisation.

CISO role

The chief information security officer (CISO) is responsible for establishing and maintaining a strategy to protect the organisation’s technology and information (data) assets. The CISO must have the following:

– Strong technical understanding of how criminals could target this technology and where they may attack

– Solution-focused thinking to devise and implement defences

– Interpersonal skills to communicate at executive level (business and financial risks) and at a technical level with the staff implementing the defences

DPO role

The data protection officer (DPO) must ensure that the organisation’s data management and handling comply with regulations. GDPR article 37 [3] identifies the DPO as a person with “expert knowledge of data protection law and practices”. The DPO will:

– Be the source of knowledge on regulation requirements (training, promoting, evangelising)

– Assess adherence to regulations

– Be a contact point for GDPR supervisors

– Maintain a record of data protection measures

– Ensure customers are informed about their rights

GDPR states that the DPO should report to the highest management level [4] rather than senior or middle management. This means that they can act independently with no conflict of interest.

Virtual roles

Given this combination of skills and the salaries they command, it’s not surprising that smaller organisations are turning to virtual specialists.

The virtual CISO (vCISO) post is familiar to organisations unable to recruit a full-time specialist. A vCISO is also a good choice for a business that has little prior investment in security and urgently needs a security strategy.

A vCISO can support several businesses that would not otherwise be able to afford these skills. In addition, they can act as a consultant in developing strategy and bring a security-focused view into discussions rather than a tactical or business view.

An ongoing engagement with multiple businesses has a drawback: if a cyber attack hits one of them, that company will expect the vCISO to be available on-site immediately and for as long as needed. This has given rise to the Managed Security Service Provider (MSSP), which supplies cybersecurity management against a service-level agreement. This, too, can lead to issues, as a stand-in vCISO will be unfamiliar with the business; there is also a tendency for MSSPs to try to upsell other services to clients.

The virtual DPO (vDPO) position is new and less familiar. It requires knowledge of regulations in a particular business sector, so there are few generalist vDPOs. However, since the role is focused on compliance, it is proactive and does not necessitate the same urgent on-site presence as a vCISO.

GDPR allows for the DPO role to be virtual. For example, GDPR article 37 states that “a group of undertakings may appoint a single DPO” although they must be “easily accessible from each establishment”.

Can a virtual DPO also be a CISO?

On the face of it, combining the two roles sounds convenient; they are both part-time senior technical posts, and both would have to spend time analysing internal systems and data. However, there is a serious question of skills: it’s doubtful that the same person would have a technical grasp of ever-evolving cyber attack techniques alongside the data protection regulations for a specific business sector.

The critical point in combining the roles is, ultimately, organisational. GDPR requires the DPO to report to the highest position in the organisation, such as the board of directors, whereas the CISO will typically report to the CIO.

Connect with Gradeon to understand how we can help you to achieve business compliance!