The Information Security or Cybersecurity organization has its origins in two different but related corporate functions: network security, which largely grew out of the network infrastructure and systems administration disciplines, and what is commonly referred to as Governance, Risk and Compliance (GRC), which often traces its roots to internal audit and program management. While network security was focused on protecting the network from unsanctioned activity, GRC was tasked with assessments and demonstrating compliance with standards, frameworks, and contracts. These two functions often worked hand in glove, defining proper hygiene, implementing controls, assessing network health, and monitoring for compliance.
The CISO Desk Reference Guide: Security Compliance is being developed to address the GRC function within the organization, whether it formally resides in the Information Security function or not.
The CISO Desk Reference Guide: Data Privacy is intended for the Chief Privacy Officer (CPO), recognizing that, while a younger sibling in many organizations, the role of the CPO is rapidly maturing, acquiring a larger and larger portfolio, both for customer advocacy and data privacy regulations, and is inextricably tied to information security.
Third-party risk, as introduced and covered in the CISO Desk Reference Guide, Volume 1, is a growing concern as access and data are shared in ever more complex ways across a vast ecosystem of vendors and business partners. The CISO Desk Reference Guide: Vendor Management will provide a comprehensive approach to managing vendors and the risk derived from these relationships.
The topic of privacy has become a priority for boards of directors, the executive leadership team, and privacy and security leaders alike. Regulations including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and sector-specific regulations including the Health Insurance Portability and Accountability Act (HIPAA) all require careful treatment of personal data, personal information, personally identifiable information, and protected health information. Security and privacy are intertwined. As the saying goes, you can have security without privacy, but you cannot have privacy without security. Privacy, like security, is a multi-disciplinary domain that requires insight and collaboration across a host of corporate functions including sales and marketing, legal, IT, HR, and security, among others. Similar to security, privacy has ascended as a C-level function, and the consequences of poor privacy practices include damaged reputation, regulatory intervention (e.g., a consent order), fines and other financial impacts, and, clearly, data breaches when sensitive information is not adequately secured throughout its lifecycle.