
2023: The year CISOs and DPOs will stop making assumptions


Chief information security officers (CISOs) and data privacy officers (DPOs) have undoubtedly been busy in 2022 — and the new year will bring all kinds of new challenges. But something will change in 2023. In the past, many companies built their data security strategies upon several major assumptions — about where data gets stored, what data is necessary and how they should handle data internally. Over the coming year, executives will help their companies overcome these dogmas to implement stronger and more comprehensive data security strategies based on proven facts. Let’s look at these changes and their benefits.

  • CISO turnover results in fresh perspectives.

It’s no secret that CISO tenures are short, largely because of burnout, aggressive recruiting by other companies eager to level up their security programs, and the fact that the longer a CISO stays, the greater the chance of presiding over a breach. As a result, many new CISOs will take up the reins in 2023 and look to bring positive change to their new firms.

Newly arrived CISOs will look to make the biggest impact possible. To do this, they’ll question whether the organization keeps an authoritative record of the data it stores. Surprisingly often, no such record exists; the security team simply believes it knows where data lives. By running a thorough discovery process, new CISOs will often find data in surprising places, and they can use that finding to establish their authority quickly.

Even so, it’s often challenging for first-time CISOs to establish the credibility they need to confidently guide executive conversations. CISO mentorship programs will thrive over the next year, as younger CISOs look to balance their perspectives with the guidance and experience of a mentor.

  • DPOs question the “why” of data collection.

For DPOs, the growing number of data protection and privacy regulations offers a complicated tangle of rules and guidelines to negotiate. In 2023, we may see the passage of the American Data Privacy and Protection Act (ADPPA), which will increase data scrutiny further. DPOs will need to challenge conventional logic about what kinds of data their companies need from their customers if they want to stay compliant with new regulations and remain on good terms with customers.

With some digging, DPOs will likely identify data that seems obvious to collect but is in fact unnecessary. One example: asking for a customer’s gender in order to use salutations like Mr. or Ms. in emails. Companies don’t need gender for this purpose, since many have adopted the more casual “Hello [Name]” instead. Identifying similar cases where data collection can be scaled back makes the DPO’s job easier, and every field not collected is one that can’t be breached.

DPOs will also focus on identifying sensitive personal information (SPI), a special category of data (such as genetic information) increasingly recognized in new legislation. As with incoming CISOs, DPOs will need to push against assumptions about what SPI is present and instead build a comprehensive inventory based on targeted data discovery. Even if a company is sure it doesn’t collect a given data type, it’s essential to verify that rather than assume it, as there’s no room for error.
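The targeted discovery that both the incoming-CISO passage and the DPO passage above call for is, at its core, a scan of candidate locations for patterns that are validated before they go into the inventory. The following is an added example written for this page; it is not part of the original column and not Ground Labs code. The sample files, paths and field names are constructed for illustration. It scans in-memory text for payment card numbers (validated with the Luhn check so that random 16-digit strings such as order IDs are not reported) and email addresses, and records only masked values so the inventory itself does not become one more unprotected copy of the data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "files" standing in for a file share, a log directory and a
# user's notes: the kinds of places discovery turns up data nobody inventoried.
SAMPLE_FILES = {
    "exports/customers_2019.csv": (
        "name,email,card\n"
        "Ada,ada@example.com,4111 1111 1111 1111\n"
    ),
    "logs/app.log": (
        "2022-11-02 INFO order ok cust=12345 pan=5555555555554444\n"
        "2022-11-02 INFO order ok cust=99999 pan=1234567812345678\n"
    ),
    "notes/todo.txt": "call back 4111-1111-1111-1111? no, that's the test card\n",
}

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # data class, e.g. "PAN" or "EMAIL"
    masked: str    # enough to recognise the record, never the full value


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return validated, masked findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # The regex alone over-reports (order ids, timestamps); Luhn drops most of those.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(path, line_no, "PAN", "*" * (len(digits) - 4) + digits[-4:]))
        for m in EMAIL.finditer(line):
            local, _, domain = m.group().partition("@")
            findings.append(Finding(path, line_no, "EMAIL", local[0] + "***@" + domain))
    return findings


def build_inventory(files: dict[str, str]) -> list[Finding]:
    """Run the scan over every location and return the combined inventory."""
    inventory: list[Finding] = []
    for path, text in files.items():
        inventory.extend(scan_text(path, text))
    return inventory


def summarize(inventory: list[Finding]) -> dict[str, int]:
    """Count findings per data class, which is the number the executive conversation needs."""
    counts: dict[str, int] = {}
    for f in inventory:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FILES)
    for f in inv:
        print(f"{f.path}:{f.line_no}  {f.kind}  {f.masked}")
    print(summarize(inv))
```

Note that the second log line carries a 16-digit value that fails the Luhn check and is therefore left out, while the card number in the notes file is reported even though the author considered it harmless: the inventory records what is present, and the judgment about whether it belongs there comes afterwards. A real scan would also read binary formats, databases and cloud buckets, but the validate-then-mask shape stays the same.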

  • CISOs and DPOs help the C-Suite reach a middle ground on data.

High-profile news stories about data breaches have made data security a source of anxiety for the entire C-suite, not just those in charge of data. And, as evolving deepfake technology allows deceptions like voice messages that imitate executives, paranoia has skyrocketed. In 2023, this fear will come to a head as the C-suite confronts the value of data.

Some executives (like the chief marketing officer) often refer to data as “oil” — an essential fuel that the organization should stockpile whenever possible. Other executives (possibly including the CISO and DPO) assume that data functions as “uranium” — a toxic hazard that they should discard whenever possible.

Neither of these viewpoints makes sense long-term. We can find a middle ground between the two, and companies will have to reach it if they want to stand strong in the face of incoming threats over the next year. It’s possible to recognize the value of data while also questioning whether the company really needs certain data. For mission-critical data, it’s essential to create an inventory and keep all data secure. The entire C-suite will need to agree on and work to implement this data-first mentality to keep the company safe.

For many CISOs and DPOs, there are challenges ahead in 2023. Expect a year of discovering that the facts of data security do not align with the assumption-based strategies their firms have used for years. It will also mark the year that many firms finally get an accurate and continuously updated inventory of their data. That inventory will help them identify their vulnerabilities, remediate them, and minimize the chance of a data breach or a violation of a consumer’s privacy rights.

Stephen Cavey, co-founder, chief evangelist, Ground Labs
