Limited training and unclear roles/responsibilities for cybersecurity teams restrict the effectiveness of data privacy programs.

Before the General Data Protection Regulation (GDPR) became official in May 2018, I heard a similar story from many CISOs. Data privacy programs were legal exercises focused on data classification and governance. Yes, there were security angles around compliance, DLP, and incident response, but legal had oversight over which data was considered private and what could and could not be done with sensitive data.

GDPR changed everything. Data privacy was no longer a background legal project but rather a set of business-critical processes, and this impacted the cybersecurity team. CISOs were asked to use their operational expertise to help operationalize data privacy programs. Not surprisingly, CISOs dragged the cybersecurity team along for the data privacy ride. According to a recent research report from ESG and ISSA, 40% of cybersecurity professionals surveyed say the cybersecurity team has taken a significantly more active role around data privacy over the past 12 months, while another 44% claim that the cybersecurity team is somewhat more active around data privacy during this timeframe. (Note: I am an employee of ESG.)

Now, it's important to remember that cybersecurity pros are not exactly waiting around for things to do. In fact, the research indicates that 74% of organizations have been impacted by the global cybersecurity skills shortage, resulting in an increasing workload for the infosec team. Add data privacy responsibilities to the list. Piling data privacy responsibilities onto an already-overwhelmed cybersecurity staff comes with some risk.
To mitigate this risk, cybersecurity professionals should receive appropriate data privacy training, roles and responsibilities should be well defined, all data privacy processes should be documented, and the cybersecurity team should have the proper data analytics tools to monitor program successes.

Cybersecurity staff aren't getting needed data privacy training

Unfortunately, the cybersecurity team isn't getting those things. The research indicates:

23% of survey respondents don't believe they have received the right level of training for their tasks related to data privacy.
21% of survey respondents don't believe that the cybersecurity team has been given clear direction around their responsibilities for data privacy.
17% of survey respondents believe that the cybersecurity team is generally uncomfortable with this new data privacy responsibility.

Too often, privacy and security are thrown into the same bucket. That is a mistake. Data privacy is all about data classification and life cycle management of sensitive data (i.e., who can access it, where it should be stored, how it should be destroyed, etc.). Security teams, by contrast, are responsible for building, maintaining, and monitoring the walls around sensitive data. Yes, GDPR and the impending California Consumer Privacy Act (CCPA) will bring security and data privacy closer together, but this merger should be done carefully, not haphazardly. The ESG/ISSA data demonstrates that there's a lot of work ahead to bring data privacy and security together in a way that mitigates risk and doesn't disrupt ongoing processes.

The ESG/ISSA research report, The Life and Times of Cybersecurity Professionals, is available for free download here.