GDPR: What role for the CISO?

By Alessandro Fiorentino
The evolution of the CISO's role towards an integrated and collaborative security strategy

The General Data Protection Regulation (GDPR, or RGPD in French), applicable since May 25, 2018, has led Information Systems Security Managers (RSSI in French; CISOs hereafter) to be called upon within the compliance programmes of organizations. The question then arises of how far they should be involved in the compliance project.

To answer this question, we propose to cover three topics in a series of three articles:

  • A clarification of the role of the CISO in the company, which, as we will see, has evolved over time.
  • The complementarity of the missions of the DPO and the CISO.
  • The work of the CISO that makes it possible to accelerate compliance.

The CISO: from technical expert to leader of the IS security strategy

From the security expert to the security manager

The image and role of the CISO have changed considerably over the past 30 years.

In the beginning, the CISO, who most often came from an infrastructure and networking background, played the role of a technical expert. Security was handled through infrastructure projects: deploying firewalls, proxies, anti-virus software and the like. At that time, the focus was on what is called perimeter security, which consists in building a protective wall between the outside and the inside of the information system (IS).

The foundations for securing the IS were then laid, in particular with the arrival of the ISO/IEC 27000 family of standards published in the 2000s, which radically transformed the position of the CISO within companies.

From a set of independent projects and activities, we moved to a global, cross-cutting vision of securing an information system, organized around the Deming wheel (Plan-Do-Check-Act).

Figure: the Deming wheel (Plan-Do-Check-Act)

The security of an IS is built by defining a security policy, backed by control and audit mechanisms, reporting tools, and the establishment of operational processes and procedures.

This evolution of the CISO profession has greatly improved the security of information systems, by bringing:

  • a continuous improvement process (the ISMS);
  • an approach that prioritizes investments according to risk (relevance of investments);
  • a principle of defence in depth which, beyond perimeter protections, covers
    • securing networks through segmentation,
    • securing hosts (workstations and servers), especially in a context of mobile working,
    • people security, that is, attention to the risks that originate from, and that affect, staff.

Thus, the CISO of the 2010s organizes and supervises the security of his organization's information systems.

“The CISO is no longer the security contractor; he is the project owner.”

He is responsible for defining the security policy and for putting in place the processes that ensure it is applied and implemented. His objective is to guarantee the confidentiality, integrity and availability of the information system, and the traceability of the actions that change it. Without giving up his technological or IT expertise, the CISO must cover a wider perimeter:

  • The IT infrastructures that operate the IS: the classic components such as the means of communication (computer networks, telecommunications), the hosting environments (data centres, server rooms, etc.), servers, and so on;
  • The company's information assets;
  • The layout and use of the premises, in order to define the zones to be secured and the rules for physical access to the company;
  • People, through training and raising staff awareness of security issues;
  • Processes, by setting up mechanisms for monitoring, auditing and managing incidents, and even crises.

Collaboration at the heart of tomorrow's IS security objectives

For the CISO of the 2020s, this evolution in his role and posture will continue.

He will have to continue his communication, training and awareness-raising work with staff and management. This should improve his positioning, so that he is no longer seen as an obstacle to new projects but as a partner in the smooth running of the company.

This is why many CISOs have set up a network of information security correspondents (SSI correspondents), the linchpin of security in the company. These correspondents are technical experts, database administrators, system administrators, legal experts, application managers, business referents (business process experts), and so on. It is on these correspondents that the CISO relies to define and develop security rules, to ensure they are correctly applied, to assess risks and to identify incidents and threats.

This partnership role, which he has already been able to develop with judicial or administrative authorities and with the IT department, will therefore have to be strengthened with respect to the business departments.

“The good CISO has become a source of proposals, reconciling business challenges with IS security.”

A good CISO must be a source of proposals, finding solutions that meet business needs and challenges while protecting the IS.

The arrival of new counterparts such as DPOs or risk managers will force CISOs to work more and more on regulatory compliance (the French RGS, the GDPR, etc.).

On a daily basis, this will translate into common rules and common management processes. When the information security policy (PSSI) is updated, these actors will think together about how to adapt the rules, security measures and processes to be put in place.

The new challenges of IS, an opportunity for the CISO

Understanding risk management to address the new IS challenges

In recent years, information systems have opened up more and more (multi-channel customer view, data sharing between stores, etc.), with IS tools used on the move (teleworking, business outsourcing, SaaS solutions, etc.) and new services offered to customers (mobile or web applications). This trend makes it harder for the CISO of the 2020s to keep watch over IS security.

To cope with it, the CISO has to move from a detection-and-reaction posture to a posture of anticipation.

In his daily work, this evolution is reflected in the generalization and industrialization of procedures for identifying the risks to which the company's information system is exposed. This is all the more necessary since, with the rise in security incidents (data theft, ransomware attacks, etc.), French companies now consider cyber incidents to be their number one business risk, according to the Allianz Risk Barometer 2019.

A new cycle for the CISO within his organization

Tomorrow's CISO must therefore strengthen his risk analysis approaches in order to better understand threat scenarios that are becoming more complex. He will be able to rely on classic defence-oriented analysis methods, or on newer attack-oriented ones such as EBIOS Risk Manager (EBIOS RM). He will complete his IS resilience strategy by implementing business continuity and disaster recovery plans (PCA/PRA in French), with a crisis management approach that makes it possible to deal with cyber incidents, loss of key staff and loss of suppliers, and not merely the loss of a server room.

In the years to come, the role of the CISO within the company will therefore be strengthened and not diluted with the arrival of new players such as the DPO.

His work in developing a strategy to defend the IS, and in keeping IS security measures functioning properly, will become crucial for his organization.

The impact of his decisions and actions will have a major effect on the development of the business.

To succeed in this new cycle, the CISO job will require more tools (methods, software), more partnership (management, communication) and more visibility and readability, through reporting aimed in particular at executive committees (COMEX).

He must therefore be fully involved in the GDPR compliance process and become the DPO's co-pilot on this project. His objective of securing his company's IS depends on it.
