Data Protection Law Shifts Spotlight on CISOs

India goes for its own version of GDPR which will place more responsibility on CISOs. They seem to have merged the DPO and CISO roles together…:

The Personal Data Protection Bill cleared by the Union Cabinet last week would set legislative proceedings in motion that would culminate in India joining the legion of nations where protection of one’s data is given as much importance as that of one’s life and belongings. Once approved by Parliament as law, it would require all organizations, both public and private, to comply with provisions related to data security and usage.

Based broadly around the contours of European Union’s General Data Protection Regulation (GDPR), the immediate impact that the law would have on enterprises would be to enhance the role of leaders handling security. The Chief Information Security Officers (CISO) would move beyond advising the leadership on data security matters and become a sort of ombudsman on all matters related to privacy and usage of data in all forms.

The Change Agents

Security experts believe the new law would endorse a risk-based approach to delivering the latest security best practices to protect any type of sensitive data. So, it is largely the function of an officer who has been dealing with information security for some time and with some insight.  However, examining the CISO’s responsibilities in the light of the PDP bill is not as simple as it may sound.

More so because, presently, there are no laws on the utilization of individual information and forestalling its abuse in the country, even though the Supreme Court maintained the right to privacy as a fundamental right back directly in 2017. It is only in line with the GDPR, the Indian government, a year ago, presented a draft Personal Data Protection bill on how individual data information can be stored and processed by both the public and privately-owned businesses.

“The biggest challenge is that in India, most firms go to market without considering embedding security in the product or service,” says Sriram Laksmanan, Vice President – Cyber Security Assurance, Genpact. With the advent of PDP, instead of cybersecurity being an afterthought, CISOs will be involved from the scratch to ensure all new offerings are compliant to the PDP (as well as GDPR) and secure by design from a business, legal and technical standpoint, and that he believes can be a mammoth task.


Original article here