
Getting Started: The Evolving Roles of CISOs, CDAOs, and CPOs

For years, there’s been talk about the need for more technical leadership positions, like the CIO and CISO, to become more in tune and involved with the creation and enablement of business growth objectives rather than being brought in at the end. But that shift is easier said than done. To add to the complexity, it’s not just Security leadership in this position. Data and Privacy leads also find themselves meeting the same type of challenge amidst an onslaught of new regulations. This leaves many wondering how to take that first step without being told to “stay in your lane” or “you’re slowing us down”. To avoid such pushback, data and risk leaders must find a common, valuable, and risk-filled area in which to prove their worth: data and data use.

Using data is both an organization’s greatest asset for growth and its greatest risk. This means any conversation about data and its use is absolutely appropriate for discussion and involvement. Today, organizations use data to drive growth and innovation, usually accepting increased risk to do so. For risk leaders, the daily headlines about breaches through third-party data arrangements make this trend uncomfortable (to say the least). Furthermore, there’s no sign of slowing down and seemingly few viable options to pursue data-driven growth while simultaneously maintaining or improving overall risk posture. That’s the gap we’re filling. Through our zero-access data analytics platform, Duality provides a way to eliminate risk and reduce costs and time to value, while allowing data teams to generate the insights needed to drive growth. Win, win, win. But how?

Start Here: Third Parties, Growth, and Risk

Almost every organization has arrangements with third parties wherein access to, and exchange of, sensitive data is required. This makes such relationships a great starting point – they’re common. While organizations engage in third-party data arrangements for a variety of reasons, almost all are valuable relationships driving growth or reducing costs. However, most arrangements rely upon “trust” – often captured in a legal contract with virtually no hard, technical controls. After all, using data traditionally necessitates access, which means more risk. But wouldn’t it be great if we could somehow allow teams to generate insights without adding more access points? We agree. That is exactly why we’ve built a zero-access data analytics platform with hard technical controls, so you know that you are protected.

Through the platform, analysts and data teams can generate insights without ever needing or having access to the raw data. This eliminates significant privacy, security, and governance risks and simplifies regulatory compliance, despite the accelerating trend of risky, yet valuable, data-driven growth initiatives with third parties.

The Stakeholders: CISO, CPO, CDAO

At the center of this “business growth versus risk” melee are the evolving C-suite roles, notably the CISO (Chief Information Security Officer), CDAO (Chief Data and Analytics Officer), and CPO (Chief Privacy Officer). These players are the keys to enabling organizations to leverage data effectively while preserving privacy, security, and compliance. Yet these same players are often not consulted when business teams make important strategic decisions. Moreover, they often fail to collaborate with each other – or worse, have conflicting priorities.

The way out of this impasse involves forward-thinking leaders who collaborate with each other to make data use, privacy, and security complementary aspects in approaching growth objectives.

Avoiding “I told you so” with Collaboration

Despite some differences in priority (data teams want to use data, security teams want to limit data use), there are enough overlapping interests among them to successfully help each other while helping the business.

When business teams lead with a focus on revenue, security and privacy requirements are often afterthoughts. New technology adoptions, especially, often result in explosive growth across all metrics – including in risk. Many business teams take an “ask forgiveness later” approach; the already under-resourced security and privacy teams are forced to play catch-up with bolt-on workarounds rather than solutions incorporated into core products or operational design.

The divide in worldview between business leaders and technical specialists is never starker than when the latter try to explain to the former the resources they need to safeguard security and privacy. As Rob Wood, CISO for the US Centers for Medicare and Medicaid, compellingly argues, successful, clear communication is crucial yet frequently overlooked in cybersecurity environments. Technical and specialized people often struggle to translate the importance of their needs into language understood by their non-specialized counterparts. The result is that approval is not granted. When those risks become realities, it’s the technical teams who are stuck with the clean-up work and a stack of I-told-you-so’s; everyone loses when this happens.

The results are all too predictable. Forbes reports that in 2020, 73% of all ransomware attacks were successful. Eighty percent of breaches involve customer PII, and most are due to rather mundane issues and unlocked doors rather than the elaborate heists depicted in Hollywood. After all, CISOs need to be 100% right, whereas attackers only need to find one opening. CISOs especially carry a lot of responsibility (infamous case in point: the former Uber security chief’s guilty verdict for a data breach cover-up) that is often not matched by the resources at their disposal. In reaction to this case and many others, there’s been a shake-up in confidence among the new generation of risk leaders, who worry about being hung out to dry. Who would want to sign up for failure?

CDAOs and CPOs are in a similar position. In his keynote at the Gartner Data & Analytics Conference in March 2023, Saul Judah, Gartner’s VP of Data and Analytics, shared that data leaders “are not great at having discussions with the CEO. Business value must precede use cases and [they] need to engage with CEOs rather than simply ask for approvals.” Privacy was highlighted as lagging even further behind in priority, regarded as a legal matter. That being said, all three of these rather specialized roles share a common goal of supporting the business while reducing risk, and therein lies the opportunity to find success.

The Data-Driven C-Suite

Together, the CISO, CDAO, and CPO carry data governance, security, privacy, and compliance requirements, and often the security and privacy teams are perceived as hindering the data teams’ pursuit of business objectives. This adversarial relationship benefits nobody. According to Gartner, less than half of data and analytics leaders (44%) report that their team is effective in providing value to their organization. Meanwhile, only 12% of CISOs excel in the Gartner CISO Effectiveness Index.

As new roles form and evolve around how we think about and use data, more collaboration between the technical and non-technical C-suite and their respective functions is a must.

Bringing Down the Walls

In a data-driven organization, data and analytics do not merely support business initiatives but create opportunities. This is achieved by breaking down silos.

How might CISOs shift to work more closely with CDAOs to better support the business? The CISO, responsible for determining how data can be used by the CDAO and the rest of the organization, could view the CDAO as a primary customer. Together, the two can identify new technologies to help the CDAO do their work with less risk and in less time, or even to accomplish projects that were previously blocked by risk or regulations. Working separately, the CDAO may not have the expertise to identify the technology, while the CISO may not know enough about the needs of the data teams. Collaboration is key.

By teaming up with the CISO, both are better equipped to show their CEO the value they can provide through new technologies.

Keep calm and share on

The thorny landscape of third-party data arrangements can present an ideal opportunity to begin operating as a collaborative, data-driven organization. Third-party data analysis is growing fast. These arrangements bring a variety of business benefits – and significant risks. In a recent Gartner survey, 84% of executive risk committee members said that third-party risk “misses” resulted in operations disruptions. In part due to siloing among security teams, these misses can take weeks or even months to identify.

All third-party data arrangements begin with a Partner Sharing Contract or Business Associate Agreement, but these do not necessarily address security or privacy. CISOs can find themselves in the uncomfortable position of waiting for when, not if, a breach is going to occur. One recent example is the breach of Atlassian employee data through the third-party workplace management app Envoy; hackers used an Atlassian employee’s Envoy credentials to access data.

In third-party data arrangements, data is often shared in one of the following ways:

  • Raw data transfers encrypt data in transit, but the data is then decrypted for use in the open by the third party. Raw data transfers offer excellent utility and accuracy in data analysis, but security is compromised: the plaintext data is exposed if the third party is breached.
  • De-identified data involves removing or obscuring enough personally identifiable information that individuals cannot be identified. De-identifying data is expensive and time-consuming, and it requires negotiation over analytic goals and the minimum acceptable accuracy of the analysis. It also doesn’t inherently satisfy GDPR requirements and is prone to re-identification. Data utility and accuracy are compromised, but risk is lower than in a raw data transfer.
  • A Trusted Execution Environment (TEE) is an isolated, secure data processing environment. Costly and time-consuming to configure, TEEs have their place but aren’t always necessary. They also require trust in the person(s) or organization running the environment. The benefits are that the quality of insights is better than from de-identified subsets of data, and security is far improved over raw data access.

All three of the above offer process-driven rather than technical solutions to the problem of protecting data in use. A CISO and CDAO who are collaborating to identify solutions for sharing data in a privacy-protecting way might explore a fourth, newer option.

  • Zero-access analytics addresses utility and accuracy goals on the one hand, and security and privacy concerns on the other. Privacy, security, and governance requirements are built into a zero-access analytics platform like Duality. Duality uses a number of privacy technologies, such as homomorphic encryption, federated learning, and multiparty computation (among others), to enable privacy-protected data science and analytics, so organizations can participate in third-party data arrangements knowing, rather than trusting, that they are not risking their data. And because privacy, security, and governance are all built into the core of the platform, there is no lengthy process to reduce the risk of data use. Users spend less time figuring out how to do the work, and more time doing it.
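To make the “knowing, rather than trusting” distinction concrete, here is an added illustration of the homomorphic-encryption idea named above. It is not code from this post or from Duality’s platform, which the post says combines several technologies; it is a textbook Paillier cryptosystem (additively homomorphic) with toy-sized, constructed primes. The data owner encrypts its records, the analyst sums the ciphertexts using only the public key, and the owner decrypts nothing but the aggregate. The record values and the party names are constructed for the example.

```python
"""Additively homomorphic aggregation without access to the raw records.

Added example, not the platform's code: textbook Paillier with
constructed toy parameters. The analyst holds only the public key, so
the plaintext records never leave the data owner.
"""
import math
import secrets

# Constructed toy primes: far too small for real use, demonstration only.
P = 1_000_000_007
Q = 998_244_353


def keygen(p: int = P, q: int = Q):
    """Return (public_key, private_key) for Paillier with g = n + 1."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1
    # With g = n + 1, L(g^lam mod n^2) == lam, so mu is simply lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, g), (lam, mu, n)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu, n = priv
    n2 = n * n
    u = pow(c, lam, n2)
    return (((u - 1) // n) * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the underlying plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def analyst_sum(pub, ciphertexts) -> int:
    """The third-party analyst's job: aggregate using the public key only."""
    acc = encrypt(pub, 0)  # encryption of zero as the starting point
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return acc


def run_demo():
    """Owner encrypts, analyst aggregates, owner decrypts only the total.

    Returns (plaintext_total, decrypted_total) so the two can be compared.
    """
    # Constructed per-record values held by the data owner (e.g. counts).
    owner_records = [12, 30, 7, 51]
    pub, priv = keygen()

    # Owner side: encrypt each record before it is shared.
    shared = [encrypt(pub, v) for v in owner_records]

    # Analyst side: sees ciphertexts and the public key, nothing else.
    encrypted_total = analyst_sum(pub, shared)

    # Owner side: decrypts the aggregate only, never individual records.
    decrypted_total = decrypt(priv, encrypted_total)
    return sum(owner_records), decrypted_total


if __name__ == "__main__":
    expected, got = run_demo()
    print(f"plaintext total = {expected}, decrypted aggregate = {got}")
```

The point to notice is which key each party holds: `analyst_sum` never receives `priv`, so the control is cryptographic rather than contractual. Because `encrypt` draws a fresh `r` each time, two encryptions of the same value differ, which is what stops an analyst from inferring a record by comparing ciphertexts. Real deployments use much larger parameters and a vetted library; the toy primes here only make the arithmetic fast to follow.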

It’s real. It’s here. It works.

A compelling proof point for zero-access analytics is Duality’s collaboration with Tel Aviv Sourasky Medical Center (TLVMC).

Duality partnered with the Tel Aviv Sourasky Medical Center (TASMC), Israel’s leading multidisciplinary healthcare institution, to facilitate collaborative oncological real-world evidence (RWE) studies while protecting private health information (PHI).

TLVMC has a trove of valuable data that would be useful to any of the hundreds of healthcare and life sciences organizations around the world. However, compliance, privacy, and security regulations severely limit what could be shared and with whom. Previously, de-identification was the primary means of collaboration, which wasn’t 100% satisfactory because of the risks discussed above, as well as the limits on the accuracy, precision, and utility of the data (for example, de-identified data can’t be linked with other data sources). They needed a better way.

TASMC found that Duality enables both the utmost degree of data utility and data privacy and compliance, which culminated in a formal partnership. Duality not only exceeded privacy and security expectations, but also delivered on the quality of the insights and expanded how their partners could utilize the data.

What next?

Let’s assume you were able to establish a coalition with your technical counterparts and successfully prove that security, privacy, and growth can live together via third-party data arrangements. You’ve established some traction, but need to keep that momentum. In our next blog, we’ll talk about how data and risk leaders can use technology to bring new, innovative options to the table by simply taking a trip down memory lane.

This is blog 1 of a 3-part series; click here to read the next installment.
