Who’s the Boss?

One question I hear from clients all the time is “who has to be the decision maker about data security?” Companies that have a C-Suite will rely on a Chief Information Officer (CIO), a Chief Technology Officer (CTO), or even a Chief Information Security Officer (CISO). These are great options, and worth discussing on their own. Other companies place the responsibility with the head of IT or with whoever oversees compliance issues. There is no one-size-fits-all solution to overseeing data security, but it’s important to ask the question.

Like all lawyers, I often answer that question with a question of my own (it’s why everyone loves lawyers): who does your data security chief report to?  It’s good, and necessary, to have someone thinking about data security at your company, but what happens when they’ve made a decision or reached a conclusion?  Do they make a presentation to the Board once a year and then go on their way?  Is there a circular file with all of their recommendations?  Or do they get meaningful face time with company leadership and have a seat at the table?

To put it another way, placing responsibility for data security is only half the task; listening and following through on data security plans is the other.  It’s a logical point, but one that’s often missed — with real consequences.  FTC enforcement actions often revolve around broken promises to handle data securely or take steps to prevent a breach.  One way to ensure follow-through is to make datasec a routine part of company decision making.  Give the data chief the right to speak at every Board meeting, and make data security checkups a quarterly practice.

Another way is to have your data chief partner with someone who understands how to craft and execute intelligent data strategies — strategies that incorporate both a business and a legal component. Finding the right help for your data chief is essential to making DataSmart choices.
