



The CSO and CPO role just dramatically expanded overnight

Feb 25, 2019 | 5 mins
Tags: CSO and CISO, Data and Information Security, Data Breach

How two high-profile incidents highlight the changing definition and scope of security and privacy.

Sadly, it has become so commonplace to see ethical missteps from top companies that you can be forgiven for starting to tune them out. But two high-profile incidents from two of the biggest names in the tech business, Google and Facebook, should make us sit up and take notice, and should push CISOs and CPOs at companies of all sizes to rethink their role and responsibilities.

Before delving further, let's quickly recap the two exposés. The first, from Nest (part of Google), was the sheepish admission that it had shipped a rather important component, a microphone, inside the Nest Guard (the hub of the Nest Secure home security and alarm system) without disclosing it to customers anywhere in the published tech specs.

The second is even more invasive and broad-reaching: several popular smartphone applications have been sending sensitive user data to Facebook, regardless of whether the user has a Facebook account or not. And the user has no way to stop it, even if he or she is tech-savvy and privacy-minded, because the data leaves the app before any user-facing setting comes into play.

As expected, regulators both in Europe and in privacy-minded US states, led by California and New York, are not letting this one slip by.

What does this have to do with the redefinition of the CISO and CPO role?

Before the smartphone, IoT and, yes, AI invasion, there was a clear demarcation between tech and non-tech companies. Not anymore. Every company is a tech company. And that implies that every company has to deal with troves of digital data that needs to be secured, and handled with respect when it comes to privacy.

The traditional definition of the CISO and CPO roles was all about ensuring business continuity, lowering business risk and staying compliant. But as these high-profile events are showing us, that is clearly not enough. Not by a long stretch. So, what does the new-age CISO and CPO have to do?

Embed yourself in the product definition and execution phase

To traditionalists, this may sound outlandish. Product definition and development is the responsibility of the lines of business, and as long as they follow secure coding practices and use tools like vulnerability scanning, the organization is safe. Not true anymore. Why? Because a vulnerability scan tells you whether your code has known weaknesses; it tells you nothing about where a third-party SDK sends the data it collects. By embedding such SDKs (as in the Facebook example), product teams establish new lines of communication with partners, with the SDK running inside the app with all of the app's permissions. Those data flows should fall under the purview of the CISO as well.

Ask the right questions. For the CPO, if your R&D teams are developing SDKs that are distributed to other companies, are you now the recipient of a lot of intimate information about end users who are not your customers but your SDK customers' customers, and who may not even be aware of it? Should you be receiving this data in the first place? And if so, are you telling your partners, and potentially the end users, in a language they can understand?

Understand and advocate for transparency and control for your end customers

Leaving this to the product managers, engineers or even customer success teams is no longer good enough. As a CISO or CPO, your understanding of how to interpret EULAs and T&Cs, and of what the end user is actually bartering away in them, is far superior to anyone else's in the organization, and you need to become your customers' CAO: Chief Advocacy Officer.

Is it going to be easy? Absolutely not. But is it the right thing to do by the business, your customers and ultimately the broader industry? Undoubtedly so. And, as in the case of Alex Stamos (former CISO of Facebook), it may even lead to a parting of ways over the difference between what he stood for and what Facebook had become.

Become the interpreter of the laws of the tech land for your organization

Yes, GDPR may be the one (still) getting most of the attention, and yes, there is still a lot of work to do to both interpret it correctly and implement it, but that is just the beginning. The CCPA (California Consumer Privacy Act) and New York Senate Bill S224 (under committee review) show how a few progressive states are getting into the act as well.

And while (expensive) GDPR consultants may help with the initial implementation, the onus of keeping up with expanding legislation and its impact on the business, today and tomorrow, rests with the organization. Security and privacy will be the focus of most of this legislation. And who better to interpret it, advocate for it and recommend options to the product organization? You guessed it.

We are entering uncharted territory in this hyper-connected, hyper-social and hyper-distracted world. The CISO and CPO can bring an ounce of sanity and calm to their organization by expanding their role and influence for the greater good of the organization, its customers and the community overall. Is that asking too much?


Ashwin Krishnan is the COO of UberKnowledge, a cybersecurity knowledge sharing, training and compliance organization.

A former high-tech vendor executive in the cybersecurity and cloud domain, he has turned writer, podcaster and speaker. His focus is on simplifying technology trends and complex topics such as security, artificial intelligence and ethics through enduring analogies, which he shares on his blog and in his talks. Ashwin is the author of "Mobile Security for Dummies," and as a recognized thought leader he contributes to a variety of publications, including Entrepreneur Magazine.

Ashwin is a regular host of CISOs on podcasts such as the Cyber Security Dispatch, where he bridges the education gap between what security practitioners need and what vendors provide. As a tech ethics evangelist he is frequently on the main stage at conferences, educating and empowering consumers and vendors alike on the role of ethics in tech; his recent speaking engagements include the Smart Home Conference, Fog Computing Congress and the Global AI Conference.

The opinions expressed in this blog are those of Ashwin Krishnan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.