
CISO and DPO: what roles do they play in cyber compliance?

Ensuring the security of information systems requires strict compliance with the standards and constraints applicable to each sector of activity and each organization. Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) each contribute their expertise to serve this common goal.

November 4, 2025

But the line between responsibilities and missions can sometimes seem blurred. Who is responsible for what? And how can we work together effectively to ensure the operational continuity and security of the organization?

IT compliance: a strategic security issue

In a context where cyberattacks are on the rise and the geopolitical climate is increasingly threatening, cybersecurity is inevitably taking on a prominent role in organizations' security and financial concerns. To ensure that their IT systems and data are effectively protected, companies must adopt a series of measures and comply with requirements and standards commonly referred to as IT compliance.

This information system security (ISS) compliance ensures that IT infrastructures are in optimal security condition and comply with the company's security policy.

Organizations must apply or follow numerous texts, obligations, and recommendations. Countless regulatory and normative texts have been drafted in recent years to ensure IT security compliance.

At the same time, in 2018, the implementation of the General Data Protection Regulation (GDPR) defined new methods (security by design, privacy by design) to be applied in the context of data processing compliance. A new role has therefore emerged within public and private companies to ensure its proper application: the data protection officer, or DPO.

Ensuring IT compliance: the common challenge for CISOs and DPOs

Between GDPR compliance, operational security, and risk management, it is difficult to know clearly who is in charge of compliance within an organization. Dominique Soulier, a member of the CLUSIF DPO/RSSI working group during the implementation of the GDPR in 2018, presented this consensus as a conclusion: "There are many similarities and synergies between CISOs and DPOs. Both in terms of skills, technical or legal for example, and in terms of their interpersonal skills (popularizing, communicating, having good interpersonal skills)."

CISO: the guardian of the organization and its employees

The information systems security manager defines the information system security policy (ISSP) for their company and ensures that it is properly implemented. This involves assessing the risks to their organization's IS and overseeing solutions to guarantee the availability, security, and integrity of the information system and the data it contains.

One of the main tasks and responsibilities of a CISO is to have a thorough understanding of their company's regulations and compliance obligations. To achieve this, they establish a regulatory and standards monitoring system with their team of security experts. They propose a roadmap of the changes needed to ensure the information system remains compliant.

Among the long list of responsibilities of a CISO, we can mention:

  • monitoring new regulations;
  • the definition of security objectives and procedures;
  • risk and threat analysis;
  • raising awareness and training employees on cybersecurity issues;
  • management of security tools;
  • the compliance action plan;
  • the implementation of a Disaster Recovery Plan (DRP);
  • correction of non-conformities...

DPO: the guarantor of corporate data protection

The Data Protection Officer (DPO) is defined by the French Data Protection Authority (CNIL) as the "conductor of data protection compliance within the organization." They help support GDPR compliance, respond to requests to exercise rights, and reduce the risk of litigation.

When the role was created in 2018, 21,000 designated DPOs were registered with the CNIL. By 2022, this figure had jumped by 38% to nearly 29,000 DPOs.

Here are some examples of tasks that the DPO must perform:

  • regulatory and competitive monitoring of issues relating to personal data management;
  • mapping of data processing operations and creation of a processing register;
  • protection of sensitive data;
  • self-assessment of the organization's compliance with the GDPR;
  • definition of the privacy policy and compliance with the French Data Protection Act of 1978;
  • raising awareness of personal data protection among employees and management;
  • cooperation with the CNIL (French Data Protection Authority)…

According to the latest annual survey by the Department of Labor, DPOs, whose profiles are becoming increasingly diverse, feel better integrated within organizations. It is clear that the balance between the roles of a CISO and a DPO is better understood within organizations. These two highly complementary professions enable companies to achieve their compliance objectives, both in terms of IT systems and data.

Matthieu Grall, representative of the CNIL in 2018, stated that: "The CISO and the DPO must work together and involve the business units that are best placed to describe the processing operations." Four years after this statement, and with the evolution of cyber threats, the common challenges facing CISOs and DPOs continue to grow.