Up next in 10
The Cybersecurity and Privacy Divide: CISO vs. DPO in the Age of GDPR
Oct 5, 2025
We break down the crucial differences between the Chief Information Security Officer (CISO), who is responsible for protecting information assets against cyber threats, and the Data Protection Officer (DPO), whose primary focus is ensuring compliance with privacy laws and regulations. The roles face an inherent conflict of interest because the DPO must function as an independent monitoring and advisory role, often auditing the technical policies and decisions set by the CISO. Discover why organizations must ensure clear organizational separation to avoid potential conflicts and how seamless, cross-functional collaboration between these executive roles is vital for achieving organizational resilience and unified incident response. www.securitycareers.help/the-ciso-vs-dpo-debate-why-security-and-privacy-must-collaborate-but-never-merge (http://www.securitycareers.help/the-ciso-vs-dpo-debate-why-security-and-privacy-must-collaborate-but-never-merge) Sponsor: www.cisomarketplace.com (http://www.cisomarketplace.com)
View Video Transcript
0:00
Welcome to the deep dive. Today we're uh
0:03
really trying to cut through some of the
0:04
fog around modern digital governance.
0:06
We're heading straight into the
0:07
executive offices.
0:08
That's right. We're talking CIO, CISO,
0:11
and the privacy leads, the CPO or DPO, a
0:14
critical group.
0:15
Exactly. And specifically how these
0:18
roles um interact, sometimes clash, and
0:21
why getting that balance right is so
0:23
real for any business today.
0:24
And it's fascinating because the
0:25
landscape has shifted so dramatically,
0:27
hasn't it? You've got these huge cyber
0:29
attacks, consumers genuinely worried
0:31
about their data, and then this wave of
0:33
regulations like GDPR, CCPA. It's really
0:37
forced these roles together.
0:38
Yeah, blurred the lines, maybe created
0:40
some confusion.
0:40
Definitely blurred the lines. And that
0:42
blurring, well, that's where the risk
0:43
often creeks in.
0:44
Right. So our goal today for you
0:46
listening is to get really clear on what
0:48
each role actually does, their distinct
0:50
responsibilities and crucially why their
0:53
collaboration is absolutely fundamental
0:55
for resilience and you know for growth
0:57
too.
0:58
Couldn't agree more. It's not just about
0:59
avoiding disaster. It's about enabling
1:01
the business securely and ethically.
1:03
Absolutely. And we want to give a quick
1:05
shout out and thank you to our sponsor
1:07
www.cedtoarketplace.com
1:09
for supporting this deep dive. We
1:11
appreciate them helping us tackle these
1:12
complex topics. Indeed. Thanks to M.
1:15
Okay. So, let's kick off with a quick
1:16
overview. The three main roles we're
1:18
unpacking today, CIO, CISO, CPO, DPO.
1:23
Can you give us the uh the elevator
1:26
pitch distinction?
1:27
Sure.
1:28
Yeah.
1:28
So, the CIO, chief information officer.
1:30
Think of them as the um the IT
1:32
strategist, the big picture person
1:35
focused on the tech infrastructure,
1:36
right? Making sure it supports the
1:38
business goals. They're driving things
1:39
like IT modernization, making sure
1:41
services are up and running, cloud
1:42
strategy.
1:44
They're enabling the business through
1:45
technology.
1:46
Okay, the enabler. Then the CISO, chief
1:49
information security officer.
1:50
The CISO is the specialist protector.
1:52
Their world is cyber security.
1:54
Protecting the company's information,
1:56
its systems, its secrets,
1:58
you know, from threats.
1:59
So defense is the key word there.
2:00
Defense absolutely building the security
2:02
strategy, managing frameworks,
2:04
responding to incidents when they
2:06
happen. crisis management. That's the
2:08
CISO's domain.
2:09
Got it. And the third leg of the stool,
2:11
the CPO or DPO, chief privacy officer,
2:14
data protection officer,
2:16
right? These are the compliance
2:16
commanders maybe. Their focus is
2:18
ensuring the organization follows the
2:20
rules about data. Specifically, privacy
2:23
laws and regulations
2:24
like GDPR, CCPA, those big ones.
2:27
Exactly. Making sure personal data is
2:29
handled lawfully, transparently,
2:31
ethically. It's about respecting
2:32
individual rights concerning their data.
2:34
Okay. That's a helpful starting point.
2:36
CIO enables, CISO protects, CPO, DPO
2:40
ensures compliance.
2:42
Let's dig into the CISO role a bit more.
2:45
You mentioned it's become incredibly
2:46
important. Why the big shift?
2:48
Oh, it's been a massive shift. It really
2:50
comes down to two things. The sheer
2:52
volume and sophistication of cyber
2:53
attacks just reaching unprecedented
2:55
levels and maybe more importantly,
2:57
accountability.
2:58
Accountability. Exactly. governments,
3:00
regulators, they started really holding
3:02
companies responsible financially,
3:03
legally. Suddenly, a security lapse
3:06
wasn't just an IT problem. It was a
3:08
major business crisis, potentially
3:09
hitting the share price, attracting huge
3:11
fines.
3:12
So, the CIO had to step up, move beyond
3:14
just the tech.
3:15
Absolutely. Their scope just exploded.
3:17
It became about enterprise risk, not
3:19
just it risk. Thinking about business
3:21
processes, supply chain vulnerabilities,
3:23
vendor security, the whole ecosystem.
3:26
And that strategic importance uh we see
3:29
it reflected in where they sit in the
3:30
org chart now right the old model of the
3:33
CISO reporting to the CIO that seems to
3:36
be fading
3:36
it is and for good reason
3:38
data from around 2019 showed a big
3:40
change only about what 24% of CISOs
3:43
reported to the CIO then
3:44
wow only a quarter where did the others
3:46
report
3:46
well about 40% went straight to the CEO
3:48
and 27% reported directly to the board
3:51
of directors
3:52
that's a huge statement about
3:53
independence
3:54
it is and it's necessary Think about it.
3:57
The CIO is often incentivized for speed,
3:59
efficiency, cost savings. Sometimes
4:01
security measures, well, they cost money
4:03
and can slow things down.
4:04
Creates a natural conflict of interest.
4:06
A potential one, definitely. If your
4:08
boss, the CIO, is pushing for a fast,
4:11
cheap roll out. It's harder for the CISO
4:13
to say, "Hang on, we need these extra
4:15
controls, this extra testing." Reporting
4:17
higher up gives the CISO the
4:19
independence to make those tough calls
4:22
without that direct pressure.
4:23
That makes sense. But uh doesn't
4:25
reporting directly to the board say risk
4:28
creating a different kind of tension
4:30
maybe with the CEO if the CISO seems to
4:32
be constantly hitting the brakes.
4:33
Oh, absolutely. It's a constant
4:35
balancing act. The CISO's role
4:36
inherently involves restriction. You
4:38
know, managing risk by sometimes saying
4:40
no or not yet. The board needs that
4:42
unfiltered risk perspective
4:44
even if it slows down innovation.
4:45
Sometimes
4:45
even then it's a trade-off between
4:47
agility and security or integrity. And
4:50
this is super critical when you look at
4:52
say third party risk management, vetting
4:54
vendors, checking their security. It's
4:56
complex.
4:57
And that complexity in managing vendor
4:59
risk really underscores why CISOs need
5:02
the right tools and resources, which
5:04
actually is a good moment to thank our
5:06
sponsor again, www.csoarketplace.com,
5:10
because navigating that whole third
5:11
party security landscape is exactly the
5:14
kind of challenge they help
5:15
organizations tackle.
5:16
It's a huge piece of the puzzle today,
5:18
no doubt. Okay, let's shift gears now to
5:20
the privacy officer, the CPO or DPO.
5:24
This role seems to have emerged more
5:26
from the legal and consumer side than
5:28
pure tech risk.
5:29
That's a good way to put it. While the
5:30
CISO is fighting off, you know, external
5:33
attackers or internal mistakes leading
5:34
to breaches, the CPOD is focused on
5:37
ensuring the way data is collected,
5:39
used, and stored is lawful and ethical.
5:41
So, it was really regulations like GDPR
5:44
that gave this role its teeth.
5:46
Absolutely. GDPR was the watershed
5:48
moment. It and laws like CCPA that
5:50
followed put data privacy rights firmly
5:52
on the map. Suddenly, organizations
5:54
needed someone specifically focused on
5:56
navigating these complex rules, working
5:58
with legal teams, ensuring transparency,
6:00
managing consent.
6:01
And under GDPR, the DPO role isn't
6:04
always optional, is it? Sometimes it's
6:05
legally required.
6:06
That's right. It's mandatory under GDPR
6:09
if your core business involves
6:10
large-scale regular monitoring of
6:13
individuals think tracking online
6:15
behavior or processing large amounts of
6:17
sensitive data.
6:18
Sensitive data like health records,
6:21
biometrics.
6:22
Exactly. Health data, genetic data,
6:24
biometric data, information about race,
6:26
religion, political opinions. If you
6:29
process that on a large scale, you
6:31
likely need a DPO by law.
6:33
And you mentioned independence being key
6:34
for the CISO. Is it the same for the
6:36
DPO?
6:37
Even more so perhaps the requirement for
6:39
DPO independence is really strong in the
6:42
regulations. They must report to the
6:44
highest level of management CEO board
6:46
level.
6:46
I so strict
6:47
to avoid conflicts of interest. The
6:49
DPO's advice needs to be impartial,
6:51
focused purely on compliance and data
6:53
subject rights, not swayed by, say,
6:55
business targets or operational
6:57
pressures.
6:57
Can you give an example of a conflict?
6:59
Sure. There's a well-known case where
7:01
the Belgian data protection authority
7:02
actually find a company because they
7:04
appointed their director of audit risk
7:06
and compliance as their DPO.
7:07
Ah, so the person responsible for
7:09
checking compliance couldn't also be the
7:11
person in charge of compliance.
7:12
Precisely. The regulator said that
7:14
created an inherent conflict. You can't
7:17
effectively oversee your own work. The
7:20
DPO needs freedom from internal
7:22
influence.
7:23
That makes the CPO DPO a really high
7:26
stakes role. They're often dealing
7:28
directly with regulators, maybe even the
7:30
public during a breach. That sounds like
7:32
it requires a unique skill set.
7:34
It does. You need legal understanding,
7:36
technical awareness, strong
7:38
communication skills. They often become
7:40
the face of the company on privacy
7:42
matters. And that expertise, well, it
7:44
commands a significant salary.
7:46
I saw a figure mentioned something like
7:47
$200,000 median globally back in 2021.
7:50
That sounds about right. And honestly,
7:52
given the increasing complexity, I'd
7:54
only expect that to have gone up. It's a
7:55
critical role. Okay, so we have these
7:57
three key players. The CIO driving
7:59
forward, the CIO putting up guard rails,
8:01
the CPO DPO checking the map in the rule
8:03
book. It sounds like well like potential
8:06
for friction is built in.
8:07
Oh, it's definitely built in.
8:09
You've got fundamentally different
8:10
sometimes competing priorities in that
8:12
triangle.
8:13
The CIO or CTO is pushing for
8:16
innovation, efficiency, growth speed,
8:18
go faster,
8:19
right? The CISO is focused on
8:20
protection, which often means slowing
8:22
down, adding checks, restricting access,
8:25
caution.
8:25
Hold on.
8:26
And the DPO is focused on compliance,
8:28
lawfulness, rights, which means ensuring
8:32
every step is documented, justified, and
8:34
meets regulatory standards. Procedure,
8:37
so speed versus caution versus
8:39
procedure. What happens when those
8:40
priorities clash? It's more than just
8:43
heated meetings, I imagine.
8:44
Much more. The real cost is operational.
8:47
Think about project delays. A new data
8:49
analytics platform promises huge
8:51
business value, right?
8:52
But the CISO might flag risk about how
8:54
data is aggregated.
8:55
Okay. Security concern.
8:56
Then the DPO steps in and says, "Wait,
8:58
do we have the right consent to use this
9:00
customer data in this new way?"
9:02
Compliance concern.
9:03
Exactly. And suddenly that project is
9:05
stuck. Functional testing gets held up.
9:07
The value realization is delayed. Costs
9:09
mount. Misalignment directly impacts the
9:12
business potentially leading to
9:14
regulatory fines or brand damage if they
9:16
push ahead recklessly. So getting them
9:18
to collaborate effectively isn't just
9:20
nice, it's essential. Especially, I
9:23
guess, when you bring in third parties,
9:24
that adds another layer of complexity.
9:26
Huge layer. Most organizations rely
9:29
heavily on third parties for critical
9:30
functions, payroll, cloud hosting,
9:33
marketing, analytics,
9:36
you name it. And statistically, a large
9:38
chunk of data breaches and compliance
9:40
failures involve these third parties.
9:42
So you can't just sign a contract and
9:44
hope for the best.
9:44
Absolutely not. Effective thirdparty
9:46
risk management or TPRM is crucial. It
9:49
means doing proper due diligence before
9:51
signing, making sure contracts have the
9:53
right security and privacy clauses, risk
9:55
ranking your vendors,
9:56
and it doesn't stop there.
9:57
No, it's ongoing. You need to
9:59
continuously monitor their performance,
10:01
their security posture, not just rely on
10:03
a point in time check when the contract
10:05
was signed. The risk landscape changes
10:07
constantly.
10:08
Okay? And managing that third party
10:10
relationship often brings up this uh
10:12
this legal distinction that can be
10:13
confusing. Controller versus processor.
10:16
Can we clarify that?
10:17
Yes, definitely. This is fundamental
10:19
under laws like GDPR and it dictates
10:22
responsibility and liability. So, the
10:25
controller is the organization that
10:27
decides why and how personal data is
10:30
processed. They're the decision maker.
10:32
They're in charge of the purpose.
10:34
Exactly. They determine the purpose and
10:35
the essential means of the processing.
10:37
The processor, on the other hand, is an
10:39
organization that processes the data on
10:41
behalf of the controller. They act on
10:43
the controller's instructions.
10:44
Can you give a quick example?
10:46
Sure. Let's say company A, a retailer,
10:48
collects customer data. They decide they
10:50
want to run a targeted email campaign.
10:52
They hire company B, a marketing agency,
10:55
to send the emails using company A's
10:57
customer list. In this case, company A
10:59
is the controller.
11:00
They decided why the data was being used
11:02
marketing essentially how email campaign
11:06
targeting specific customers. Company B
11:08
is the processor. They're just ex
11:09
executing the task based on company A's
11:11
instructions. So if company B messes up
11:14
and causes a data breach with that list,
11:17
company A, the controller, is ultimately
11:19
responsible to the customers and
11:21
regulators, although company B also has
11:23
direct obligations under GDPR. The
11:26
contract between them should clearly
11:27
outline responsibilities, but the
11:29
controller holds the primary
11:30
relationship with the data subject.
11:32
Got it. That clarity is vital for
11:34
managing risk. So how did this ALISO and
11:37
DPO actually work together on the ground
11:39
to manage all this risk? It sounds like
11:41
risk assessments are key.
11:42
They absolutely are. It's the common
11:44
ground. And data privacy risk isn't just
11:46
a siloed issue anymore. It's
11:48
increasingly seen as part of the broader
11:50
enterprise risk management or ERM
11:53
framework.
11:53
You even hear it mentioned in ESG
11:55
discussions. Now,
11:56
yes, particularly under the the social
11:58
pillar of ESG reporting. Respecting data
12:01
privacy is increasingly viewed as a
12:03
fundamental social responsibility,
12:05
almost a human rights issue in some
12:06
contexts.
12:07
Okay. So practically speaking, when a
12:09
new project or system involving personal
12:11
data comes up, how does the risk
12:12
assessment process work? Ideally,
12:14
well, the standard approach is
12:16
riskbased. You start by figuring out the
12:18
inherent risk. That's the level of risk
12:21
before you apply any controls or
12:22
safeguards. What's the worst that could
12:24
happen if we did nothing?
12:25
Okay, the baseline risk,
12:27
right? Then based on that inherent risk
12:30
level and the organization's predefined
12:32
risk tolerance, how much risk they're
12:34
willing to accept you determine the
12:36
necessary controls,
12:38
security measures, privacy policies,
12:40
training, technical safeguards,
12:42
and the goal is to reduce the risk down
12:44
to
12:45
down to an acceptable residual risk
12:47
level. The risk that remains after
12:49
controls are implemented. Now, doing a
12:52
full deep dive risk assessment for every
12:55
single change or new feature sounds like
12:57
it could grind everything to a halt. Is
12:59
there a way to streamline that?
13:00
Yes, and that's where the tiered privacy
13:02
impact assessment or PIA process comes
13:04
in. It's designed to focus effort where
13:06
it's needed most.
13:07
So, like a filter.
13:08
Exactly. It often starts with a
13:10
screening PIA, sometimes called a part
13:12
A. It's a short set of initial questions
13:14
to quickly identify if a project or
13:16
process involves personal data and if
13:18
it's likely to be low risk. So many
13:20
things might get screened out quickly.
13:21
Hopefully, yes. If it's clearly low
13:24
risk, you document that and you're done.
13:26
But if the screening flags potential
13:28
high risks, maybe it involves sensitive
13:30
data like health info or large-scale
13:32
monitoring or new technology like AI,
13:35
then you proceed to the next level,
13:37
which is the deeper dive,
13:39
right? That's the extended PIA or part
13:41
B. This is a much more detailed
13:43
assessment. And if the processing
13:45
involves high risk, especially
13:47
concerning data subjects in the EU, this
13:49
extended PIA essentially becomes the
13:52
mandatory data protection impact
13:54
assessment or DPIA required under GDPR.
13:57
So it ensures the heavy lifting is
13:59
reserved for the high-risk stuff.
14:01
Precisely. It makes the process
14:03
manageable while still ensuring
14:04
significant risks are properly analyzed
14:06
and mitigated before launch.
14:08
This really shifts the perspective,
14:10
doesn't it? Instead of privacy being
14:11
just a compliance hurdle, this approach
14:13
frames it more strategically.
14:15
That's the goal to move beyond seeing
14:17
privacy as just a cost center or a legal
14:19
obligation. When you handle data
14:21
responsibly, transparently, ethically,
14:23
you build trust
14:24
and trust becomes a competitive
14:25
advantage.
14:26
Absolutely. In today's world, customers,
14:29
employees, partners, they care about how
14:31
their data is treated. Demonstrating
14:33
strong privacy practices can enhance
14:35
your brand reputation, build loyalty,
14:37
and ultimately drive value. It's not
14:39
just about avoiding fines. It's about
14:41
being a trustworthy organization.
14:43
Okay, let's try and wrap this up. We've
14:45
covered a lot of ground. The key
14:46
takeaway seems to be CIO drives the IT
14:50
engine. Cso builds the security
14:52
defenses. CPO DPO navigates the legal
14:55
and ethical map. Is that a fair sum?
14:58
I think that captures the core functions
14:59
well. Yes. Enablement, protection,
15:02
compliance, and crucially understanding
15:04
that they need to work in concert, not
15:06
in opposition,
15:07
especially with third parties involved.
15:08
especially then and underpinning all of
15:10
this is the need for the organization
15:12
led by its executives to consciously
15:14
decide on its risk tolerance. How much
15:16
risk are we willing to live with?
15:18
Which often comes down to tough
15:19
negotiations. I guess
15:21
it does. You see legal teams heavily
15:23
involved negotiating indemnity clauses
15:26
with vendors trying to transfer risk
15:28
contractually where possible but also
15:31
advising leadership on where residual
15:34
risk simply has to be accepted to move
15:36
forward. It's constant balancing act. It
15:38
really highlights the growing value of
15:39
these roles. We mentioned the CPO median
15:41
salary hitting $200 back in 2021. That
15:45
leads to a fascinating final thought for
15:46
our listeners.
15:47
How?
15:48
Well, think about the future. We've got
15:49
even more complex regulations coming
15:51
down the pike. Things like the EU AI
15:53
act, the NIS-2 directive focusing on
15:56
critical infrastructure cyber security.
15:58
The demands on these roles are only
16:00
increasing. So the question is how much
16:03
higher will the value and maybe the
16:04
compensation for these critical risk
16:06
mitigating executives climb by say the
16:09
end of this decade.
16:10
That is a provocative thought. The need
16:13
for this expertise certainly isn't going
16:14
away. It's only becoming more central to
16:16
business survival and success. Thank you
16:18
for guiding this discussion
16:19
and thank you for the insights. A final
16:21
thank you as well to our sponsor
16:23
www.sisomarketplace.com
16:26
for supporting this deep dive into the
16:27
complexities of digital risk management.
16:29
We hope this has been valuable for
#Business & Industrial
#Computers & Electronics