In the realm of data protection, compliance is the floor, not the ceiling

In an exclusive interview with Robyn Wright, Chief Information Security & Data Privacy Officer at Wiley, a global knowledge company, we delve into the impact of recent regulations on data handling, the challenges organizations face, and the pivotal role of a CISO in compliance. Recent regulations like India's DPDP Act have sparked seismic shifts in how organizations approach safeguarding personal data. These mandates have triggered extensive adjustments, compelling a closer look at cybersecurity programs and necessitating revamped strategies for compliance.

Robyn Wright, Chief Information Security & Data Privacy Officer at Wiley, shares invaluable insights into the profound impact recent data regulations have had on organizational operations. From the ripple effects on cybersecurity strategies to the pivotal role of the CISO in steering compliance efforts, Wright's perspectives shed light on navigating this evolving landscape. Excerpts:

How have recent regulations, such as DPDP (Digital Personal Data Protection Act, 2023) in India and others, influenced the way organizations handle personal data?

In light of recent data and privacy regulations, organizations have been compelled to make significant adjustments to their data protection/cybersecurity programs to ensure compliance. This includes the establishment of new, and adjustments to existing teams and departments dedicated to compliance. Cybersecurity teams have seen an increase in compliance responsibilities and a heightened duty to safeguard data against breaches and threats. Furthermore, organizations are now required to provide comprehensive training to their staff, encompassing not only security awareness but also data protection and appropriate data handling practices in the workplace.

What key challenges do organizations face in complying with data protection regulations, and how have they adapted their cybersecurity strategies to meet these requirements?

Organizations, especially multinational ones operating in regions with diverse data protection laws, encounter several compliance challenges. They must navigate and harmonize these numerous, varying regulations, requiring a thorough interpretation and the development of strategies for cross-regional compliance.

The organization's structure plays a pivotal role in addressing these challenges. Typically, cybersecurity and data protection fall under the purview of IT, with the Chief Information Security Officer (CISO) reporting to the Chief Technology Officer (CTO) or Chief Information Officer (CIO). Privacy of personal information usually comes under the organization’s Compliance function.  Both are typically supported by the company's legal team. To ensure compliance, it's essential for these teams, and other applicable stakeholders within an organization responsible for risk management, to collaborate closely and align their strategies and roadmaps. This collaboration is crucial for the effective implementation of selected technologies and controls to meet strategic compliance objectives.

How does a CISO contribute to an organization's overall risk management strategy?

The CISO plays a pivotal role in an organization's comprehensive risk management strategy. This involves the implementation and oversight of technical data controls to ensure compliance with various laws, rules, regulations, and standards such as Sarbanes-Oxley (IT General Controls), privacy laws, PCI compliance, and more. Moreover, in today's corporate landscape, the Board of Directors is increasingly held responsible for risk management, with cybersecurity playing a significant role. CISOs are tasked with educating the Board about emerging cyber risks and articulating the organization's strategies for mitigating and managing these risks enterprise-wide. The seamless integration of cyber risk management into the broader organizational risk management strategy is essential for thorough risk management.

How does the role of a CISO align with compliance and regulatory requirements in various industries?

The role of today's Chief Information Security Officer (CISO) is intricately linked with compliance and regulatory mandates on multiple levels. The ever-rising instances of cybersecurity breaches that regularly capture the spotlight have spurred a broader spectrum of compliance and regulatory demands as a countermeasure to the escalating cybersecurity risks.

Significantly, with the heightened stringency of SEC cybersecurity disclosure regulations, publicly traded companies are now mandated to disclose significant cyber incidents. This elevation in requirements places a greater onus on organizations, their governing boards, and senior leadership.

As stated previously, the CISO and their team play a pivotal role in not only implementing and overseeing technical safeguards but also in informing and educating the Board, senior management, and employees on matters pertaining to data protection and cybersecurity.