Yash Mehta
Contributor

CISOs are not just the keepers of our data – they must be its custodians

Opinion
Jan 19, 2024 | 6 mins
CSO and CISO | Security

With the advent of stricter data laws, the role of CISOs is changing from keepers of data to custodians. Let us look at how CISOs can make this transition.


The frequency and sophistication of cybercrime have risen enormously in recent years. According to Deep Instinct’s research, 75% of security professionals observed an increase in cyberattacks in 2023, with 85% of them attributing the rise to generative AI. These attacks take many forms, often involving access to private data through phishing, which AI is making ever harder to detect.

As our data becomes more and more vulnerable online, its protection has become more and more of a priority. Changes to social expectations surrounding privacy have led to individuals wanting transparency and security from the entities that collect and process our data.

At the forefront of this battle is the Chief Information Security Officer (CISO), an instrumental figure entrusted with the huge responsibility of safeguarding an organization’s invaluable data assets. However, as the word safeguarding suggests, two responsibilities are inherent here: securely storing data, and protecting it from external threats. CISOs stand not merely as overseers, but as architects of crucial security postures.

Data ownership is not enough – the evolving challenges posed by technology and the ever-advancing spectrum of security threats call for data custodianship.

The current compliance landscape

The volume of digital data produced and collected is higher than ever before, and privacy compliance aims to ensure that this information is handled appropriately at every stage. Often, compliance frameworks delineate the legal and ethical boundaries governing organizations’ management of this sensitive data.

In our contemporary digital milieu, a convergence of global, regional, and industry-specific regulations shapes a dynamic environment, requiring meticulous adherence to stringent data protection and privacy standards. The compliance landscape is becoming ever more intricate and complex in response to increased cyber threats.

For example, the European Parliament passed a Data Act in November, expected to go into force early next year, and the UK House of Lords is currently debating its own Data Protection and Information Bill. In the US, 12 states have already signed comprehensive privacy laws, and eight have them in process. On a federal level, the American Data Privacy and Protection Act (ADPPA) is making its way through Congress, gaining wide bipartisan support when it was first introduced in 2022.

As well as these regional standards, industry-specific frameworks like the Health Insurance Portability and Accountability Act (HIPAA) and payment card industry (PCI) compliance standards exist.

These regulations serve the dual purpose of protecting individuals’ privacy and security while establishing ethical standards for responsible data handling. Companies must remain informed about existing legislation and proactively anticipate and adapt to forthcoming changes.

CISOs as custodians – proactive defenders of our data

Effective navigation of this intricate regulatory landscape extends beyond mere compliance: it necessitates strategic, ongoing commitment. While data owners may define policies, custodians are responsible for implementing and ensuring adherence to these policies.

The landscape of data custodianship in the digital age is one defined by constant evolution, where CISOs emerge as the linchpins of responsible information management. As organizations navigate the complexities of the regulatory and compliance landscape, understanding and embracing the essentials of data custodianship becomes paramount to fostering a culture of trust, accountability, and ethical data practices.

The proactive role of CISOs, positioned as natural custodians, is central to fortifying organizations against evolving cyber threats and ensuring compliance with privacy regulations. By systematically integrating stringent measures aligned with prevailing industry standards, these CISOs exemplify the commitment required to uphold privacy and security imperatives. In the face of an ever-evolving regulatory panorama, such organizations demonstrate the resilience necessary to navigate complexities and ensure ethical data practices.

CISOs are supported in their quest to stay up-to-date with changing legislation by companies like Cypago, a SaaS-based cyber GRC automation provider that helps CISOs prepare for audits. CISOs can smoothly ensure ethical data practices, enabling them to earn their desired cybersecurity certifications easily. By doing so, organizations reinforce the trust of their various stakeholders and mitigate risks associated with data breaches and privacy infringements.

Steps to put data custodianship into practice

What does this strategic, ongoing commitment from CISOs look like in terms of tangible actions? CISOs would do well to view compliance regulations not as mere to-do lists to check off, but as steps that help them build an overall stronger, more resilient cybersecurity posture.

For example, the California Consumer Privacy Act (CCPA) requires businesses to update their online privacy policies at least once a year. Rather than treating this as a burdensome yearly requirement, CISOs should embrace the opportunity for dynamism.

Cybersecurity is becoming a key part of organizations’ overall business strategy. In the past, the CISO would mainly report to the CIO. Nowadays, they need to work alongside the CIO, in ongoing contact with all the different sectors of the company as more and more business operations move online.

To remain compliant (and secure) over time, people across all departments – code and cloud infrastructure teams, HR employees who manage platform access, and anyone who uses SaaS that connects to sensitive data sources – must ensure everything they do is always up to standard.

In addition, compliance deserves its place as an ongoing company priority and not something CISOs can merely set and forget. As cybersecurity is taken more seriously by senior leadership, they must encourage caution and compliance from the top. These executives can support the CISO by advocating for and setting the example of a strong data governance culture throughout the organization.

CISOs must also insist on regular and ongoing cybersecurity training, given the high turnover in company roles and the rapid evolution of both threats and compliance standards. Finally, they must establish detailed records and processes, as accountability relies on accurate record-keeping.

A culture of compliance

In the face of rising threats to our online data, the principle of custodianship requires CISOs to remain proactive, staying as vigilant as possible to keep cybercriminals at bay. By leaning into this mindset of data custodianship, organizations can establish robust frameworks that extend beyond mere compliance to embody a culture of ethical data management.

In its full meaning, this dynamic safeguarding fosters a collaborative environment where policies are defined and rigorously implemented throughout an organization. Recognizing the significance of data throughout its lifetime, from creation to disposal, enables organizations and their security teams to prioritize the sanctity of information.


Yash Mehta is an internationally recognized Internet of Things (IoT), machine to machine (M2M) communications and big data technology expert. He has written a number of widely acknowledged articles on data science, IoT, business innovation, tools, security technologies, business strategies, development, etc. His articles have been featured on the most authoritative publications and awarded as one of the most innovative and influential work in the connected technology industry by IBM and Cisco IoT department. His work has been featured on leading industry platforms that have a specialization in big data science and M2M. His work was published in the featured category of IEEE Journal (worldwide edition - March 2016) and he was highlighted as a business intelligence expert. The opinions expressed in this blog are those of Yash Mehta and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
