InfoGuard Cyber Security and Cyber Defence Blog

CISO/DPO Dual Role: Efficiency Booster or Conflict in Security & IMS?

Written by Pascal Engel | 27 Jun 2025

The dual role of Chief Information Security Officer (CISO) and Data Protection Officer (DPO), whether defined under EU law or in accordance with Art. 10 of the Swiss Data Protection Act (DPA), does not have to be a balancing act. But how can this dual role be managed efficiently? This article answers that question and shows how an integrated management system (IMS) can create synergies and significantly reduce the workload for companies.

What is an integrated management system (IMS)?

An integrated management system (IMS) combines the processes and guidelines from the information security management system (ISMS) and the data protection management system (DSMS). This creates a central structure in which companies:

  • Avoid redundancies: similar tasks do not have to be documented and maintained twice.
  • Reduce audit costs: joint audits covering multiple systems save time and money.
  • Standardize documentation: policies, procedures and work instructions cover both security and data protection aspects.

Especially when personnel resources are scarce, an IMS offers an efficient way of managing security and data protection requirements under one roof.

Roles and responsibilities: CISO versus DPO

Although both the CISO and the DPO have sound technical and legal knowledge, their main responsibilities differ:

The CISO role profile:

  • Security strategy: Develops security strategies and ensures their implementation to protect the IT infrastructure from cyber attacks.
  • Risk management: Identifies vulnerabilities and defines measures to minimize risk.
  • Incident handling: Responds to security incidents and manages the incident response processes.

The DPO role profile:

  • Legal requirements: Ensures that personal data is processed in accordance with the Swiss Data Protection Act (DPA).
  • Internal training: Raises employee awareness of data protection policies and procedures.
  • Independent advice: Advises the company on data protection issues, is not bound by instructions and is the point of contact for data subjects and authorities (DPA Art. 10).

The dual role: opportunity or conflict between cyber security and data protection?

An overview of the synergies:

  1. A holistic view
    If CISO and DPO tasks are performed by one person, a consistent security and data protection concept is created.
  2. Shorter decision-making paths
    As a single person takes the decisions, measures can often be implemented more quickly.
  3. Efficient use of resources
    In times of staff shortages, a dual role can help to bridge personnel bottlenecks and reduce costs.

Possible conflicts that should be taken into account:

  1. Conflicts of interest
    While the CISO focuses on comprehensive security measures, the DPO primarily safeguards the rights of data subjects. These objectives can be contradictory.
  2. High workload
    The demands on technical, compliance and legal knowledge are enormous. One person can quickly become overwhelmed.
  3. Independence
    The Federal Act on Data Protection (FADP) requires the DPO to act independently. This is not always guaranteed in a dual function, for example if the company's security interests are paramount.

The dual role in the acid test: a security vulnerability affecting personal data

If a critical security vulnerability is discovered that could allow customer data to fall into the wrong hands, both roles must act quickly and purposefully:

  • The CISO closes the gap and initiates technical countermeasures.
  • The DPO checks whether a notification to the data protection authority (Art. 24 FADP) is necessary - and whether data subjects need to be informed.

In a dual role, it is particularly important that roles and responsibilities are clearly defined - especially for security-relevant measures that affect personal data. It must be clearly documented at all times whether an action is carried out in the role of CISO or in the role of DPO. This is the only way to check data protection requirements independently and to identify potential conflicts of interest at an early stage.

To ensure the independence of the DPO in accordance with Art. 10 DPA, decision-making and escalation channels must be structured accordingly. In addition, automatic review processes should be implemented - for example through internal audits or regular external checks - to ensure that security measures relating to data protection are identified and correctly assessed in good time.

Recommendations for practice

  1. Define tasks in writing
    Clearly define the area in which the CISO role and the DPO role operate, even if they are the same person.
  2. Continuous training
    As security and data protection requirements change rapidly, regular training in technology, law and compliance is essential.
  3. Obtain external support
    A neutral view from the outside helps to identify conflicts of interest and ensure that everything runs smoothly. InfoGuard can provide support with its experience and expertise.
  4. Regular re-evaluation
    Continuously review whether the dual role is still fit for purpose - especially in view of increasing legal requirements.

Three success factors for a successful "CISO & DPO" dual role

A dual role of CISO and DPO can bridge staff shortages and at the same time provide a holistic view of security and data protection risks.

For this balancing act to succeed in practice, three things are essential:

  • Clear responsibilities,
  • transparent decision-making channels and
  • independence in data protection issues.

If companies meet these three requirements, they benefit from:

  • Faster reactions,
  • fewer frictional losses and
  • greater trust among customers, employees and supervisory authorities.

Efficiency, compliance and clarity - all in one role

The growing complexity of cyber security and data protection calls for integrated solutions instead of isolated silos. A combined CISO/DPO role can do just that - provided it is well thought out and clearly anchored strategically.

Companies that take action now and review their structures will benefit twice: they will gain efficiency and at the same time strengthen their compliance - towards customers, partners and supervisory authorities.

If you want to know how to design such a key role in a lean, effective and legally compliant way, InfoGuard is the right place for you. Our experts will show you in a practical way how you can seamlessly combine information security and data protection - whether you are setting up or optimizing your existing management system.

Regardless of how you are currently set up, we will support your CISO/DPO specialist with the necessary CISO or DPO skills. Contact us without obligation.


Caption: Image generated with AI