Bridging the CISO-DPO Divide: Uniting Cybersecurity and Data Privacy
- Gilad Yaron
- Jun 23
- 8 min read
In today's data-driven world, the roles of Chief Information Security Officer (CISO) and Data Protection Officer (DPO) are vital.
Both safeguard data, yet they often operate in silos, leading to security gaps and regulatory risks. Think of the stringent demands of the EU’s GDPR or California’s CCPA.
To truly protect information and ensure compliance, organizations must transform the CISO-DPO relationship from one of conflict to one of collaboration.
Two Sides of the Same Coin: Understanding CISO and DPO Roles
While both CISOs and DPOs protect data, their approaches and mandates differ significantly.
The CISO's Mandate
The CISO, typically from a cybersecurity background, focuses on defending an organization's information and systems. Their priority is the "CIA triad": confidentiality, integrity, and availability of data.
This involves implementing measures to prevent breaches, ensure data accuracy, and maintain operational continuity against attacks - a core aspect of GDPR’s Article 32.
The DPO's Mandate
The DPO, usually with a legal or compliance background, focuses on safeguarding individual rights and personal data, ensuring compliance with privacy laws.
Under regulations like GDPR, DPOs monitor lawful processing, advise on data protection impact assessments (DPIAs), serve as the contact point for data subject requests (such as access or erasure) and for the supervisory authority, and report privacy risks to senior management.
They ensure data isn't misused; for example, data collected for one purpose isn't used for marketing without proper consent.
The DPO often acts as the individual's advocate, ensuring transparency and privacy rights.
Overlap and Healthy Tension
Despite different mandates, CISO and DPO roles intersect. Both aim to prevent unauthorized data access and contribute to risk management. This can create a "healthy tension."
A CISO focused on detailed logs for threat detection might clash with a DPO concerned about employee privacy or excessive data retention. This push-and-pull, when balanced, helps each role identify the other’s blind spots.
However, without clear boundaries, confusion over responsibilities can arise.
Organizational Placement
The formalization of the DPO role by GDPR in 2018 led to over half a million DPO appointments in Europe. Many DPOs report directly to the board, as legally required, while CISOs historically reported to IT.
Although 72% of organizations in the EU and US have a DPO, only about 10% combine the roles, which is only permitted if there's no conflict of interest (GDPR Article 38).
Regulators have even fined companies for blurring these lines, emphasizing that CISO and DPO roles, while complementary, are not interchangeable. Clarity is a regulatory expectation, not just a best practice.
Where Friction Arises: Security vs. Privacy (and the Risks of Misalignment)
Without concerted effort, CISOs and DPOs can find themselves at odds, leading to dangerous gaps and compliance pitfalls.
Breach Response and Notification
When a data breach occurs, tension can rise.
CISOs naturally focus on technical containment and on limiting damage to systems and reputation, while the DPO must drive the organization's legal obligation under GDPR Article 33 to assess a breach of personal data and notify the supervisory authority within 72 hours of becoming aware of it (and, under Article 34, to inform affected individuals when the risk to them is high).
Lack of coordination can lead to delayed or omitted reporting, resulting in hefty fines.
For example, the ICO fined Marriott International £18.4 million in 2020 for security failures that let attackers remain undetected in the acquired Starwood guest reservation system for years, illustrating how silos between security and privacy lead to regulatory and reputational damage.
Data Usage and Retention
Security teams often want to retain data (logs, backups, endpoint telemetry) for analytics and threat detection, while privacy officers push for data minimization and timely deletion to comply with the law and shrink the blast radius of a breach.
Without alignment, retention policies end up inconsistent or absent.
This isn't just theoretical: many organizations lack a clear retention policy, which leads either to excessive data hoarding that violates privacy law or to premature deletion that destroys the forensic evidence needed to investigate an incident.
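One way the two mandates are commonly reconciled in practice is a tiered retention policy: keep raw logs only as long as live threat hunting needs them, then replace direct identifiers with keyed pseudonyms so analysts can still correlate events, and delete everything past a hard limit. The script below is an added illustration of such a policy, not code from the article or from any organization it mentions; the day counts, the hypothetical pseudonymization key, and the sample log lines are all constructed for the example.

```python
"""Tiered log-retention job: raw -> pseudonymized -> deleted.

Illustrative policy (assumed, not taken from the article):
  - records younger than RAW_DAYS are kept verbatim for live threat hunting;
  - older records have IDENTIFIER_FIELDS replaced by an HMAC-based pseudonym,
    so the SOC can still join events by actor without holding the raw value;
  - records older than MAX_DAYS are deleted outright.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

RAW_DAYS = 30
MAX_DAYS = 365
IDENTIFIER_FIELDS = ("src_ip", "user")

# Hypothetical key. In a real deployment it lives in a KMS/secret store, is
# rotated, and is access-controlled; without it the pseudonyms are not
# reversible, which is what lets long-term storage satisfy minimization.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Constructed sample log lines (JSON lines), relative to NOW below:
# 12 days old (raw), 61 and 70 days old (pseudonymized), 2 years old (deleted).
SAMPLE_LOG_LINES = [
    '{"ts": "2024-05-20T10:00:00+00:00", "src_ip": "203.0.113.7", "user": "alice", "event": "login"}',
    '{"ts": "2024-04-01T08:30:00+00:00", "src_ip": "203.0.113.7", "user": "alice", "event": "login"}',
    '{"ts": "2024-03-23T23:15:00+00:00", "src_ip": "203.0.113.7", "user": "bob",   "event": "failed_login"}',
    '{"ts": "2022-06-01T00:00:00+00:00", "src_ip": "198.51.100.9", "user": "carol", "event": "login"}',
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input -> same token, not reversible."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def apply_retention(record: dict, now: datetime) -> Optional[dict]:
    """Return the record as it should be stored now, or None if it must be deleted."""
    age = now - datetime.fromisoformat(record["ts"])
    if age > timedelta(days=MAX_DAYS):
        return None
    if age > timedelta(days=RAW_DAYS) and not record.get("pseudonymized"):
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out:
                out[field] = pseudonymize(out[field])
        out["pseudonymized"] = True
        return out
    return record


def process(lines: Iterable[str], now: datetime) -> Tuple[List[dict], int]:
    """Apply the policy to JSON-lines input; return (records to keep, number deleted)."""
    kept: List[dict] = []
    deleted = 0
    for line in lines:
        result = apply_retention(json.loads(line), now)
        if result is None:
            deleted += 1
        else:
            kept.append(result)
    return kept, deleted


def run_example() -> Tuple[List[dict], int]:
    return process(SAMPLE_LOG_LINES, NOW)


if __name__ == "__main__":
    kept_records, deleted_count = run_example()
    print(f"kept {len(kept_records)}, deleted {deleted_count}")
    for rec in kept_records:
        print(json.dumps(rec))
```

Because the pseudonym is deterministic under the same key, the two older events from 203.0.113.7 still share a `src_ip` token, so a detection rule such as "many failed logins from one source" keeps working on the pseudonymized tier, while the raw address is gone. The numbers (30 and 365 days) are placeholders; the point of the exercise is that CISO and DPO agree on them jointly and write them into one policy.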
Monitoring and Workplace Privacy
The rise of remote work highlights internal friction over employee monitoring. Security teams might deploy aggressive monitoring tools, but DPOs may object if these tools collect personal data without a lawful basis, potentially eroding employee trust and leading to compliance complaints.
A well-intentioned security measure can become a privacy liability if CISOs and DPOs don't jointly evaluate them.
Data Inventory and Shadow IT
A common gap lies in data governance. CISOs can't secure what they don’t know exists, and DPOs can't ensure compliance for uninventoried data.
Business units often launch new data projects or use cloud services without informing security or privacy teams: a "shadow IT" problem.
By some estimates, up to 80% of GDPR-relevant data is not under the CISO's direct control.
If DPOs and CISOs don't share information, huge troves of personal data can remain unprotected, inviting breaches and fines.
High Costs of Misalignment
The costs of these misalignments are substantial, including security incidents, regulatory enforcement, lawsuits, and public backlash.
Regulations like GDPR and CCPA tie security and privacy together: failures in either can lead to severe penalties.
A siloed approach, where cybersecurity and privacy operate on parallel tracks, will inevitably fail under real-world threats and regulatory scrutiny.
Regulatory Pressure: Why CISOs and DPOs Can't Afford to Clash
The emergence of the DPO role, driven by landmark regulations like GDPR, formalizes privacy protection as a governance issue, not just an IT concern.
GDPR's Mandates
GDPR never mentions the CISO by name, but its provisions effectively require CISO-DPO cooperation. Article 32 requires "appropriate technical and organisational measures" to secure processing, Article 37 mandates DPO appointments for certain organizations, and Articles 38-39 set out the DPO's position and tasks.
The DPO advises on compliance and reports directly to the highest management level; Article 38 protects the DPO's independence (no instructions on how to perform the tasks, no penalties for performing them), which includes the freedom to challenge security practices.
Regulators have penalized organizations that improperly merged or subordinated these roles, reinforcing that privacy oversight must carry equal weight to security operations.
CCPA/CPRA and Other Laws
While U.S. privacy laws like CCPA don't mandate a DPO by name, they reflect similar expectations. Companies must protect personal information and honor consumer rights.
CISOs implement technical protections, while privacy or compliance officers handle consumer requests.
This pushes organizations towards a DPO-equivalent function (often a Chief Privacy Officer) working alongside security. Sector-specific regulations do the same: HIPAA, for example, requires a covered entity to designate both a privacy official and a security official.
Globally, privacy and security are two indispensable pillars of regulation.
Corporate Governance Expectations
Boards now view cybersecurity and data privacy as critical issues. High-profile breaches and fines spook shareholders.
Governance frameworks (ISO/IEC 27001, its privacy extension ISO/IEC 27701, and the NIST Privacy Framework alongside the NIST Cybersecurity Framework) encourage integrated risk management. If CISO and DPO reports reach the board through separate channels, gaps between them can stay hidden.
Many CISOs lack a direct line to the CEO or board, unlike DPOs. This mismatch can fragment oversight unless cross-functional bridges are deliberately built.
Regulators advocate for documented collaboration as part of good governance.
Forced Marriage
In essence, the legal and corporate environment is forcing a marriage between cybersecurity and data privacy.
Organizations that foster CISO-DPO collaboration are not just avoiding trouble; they are holistically protecting data.
The next step is making this partnership work.
From Conflict to Collaboration: A Model for CISO-DPO Synergy
To bridge the security/privacy gap, organizations should implement a collaborative operational model that aligns CISO and DPO efforts.
Clearly Defined Responsibilities
Start by clearly defining core responsibilities while acknowledging overlaps. The CISO owns data security, safeguarding confidentiality, integrity, and availability of information.
The DPO owns data privacy compliance, ensuring lawful collection and use of personal data, managing consent, and handling individual rights requests.
These accountabilities must be documented and communicated.
When a CISO introduces new security systems, the DPO should be consulted for privacy implications.
When a DPO develops new privacy policies, the CISO should provide security input. This clarity avoids redundancy and gaps, preventing finger-pointing when issues arise.
Privacy by Design, with Security in Mind
Embrace a privacy-by-design approach that embeds security into new products, systems, and processes from the start. Any project involving personal data should undergo joint privacy and security reviews.
The DPO ensures compliance and data-minimization, while the CISO ensures robust security controls.
This prevents security from being an afterthought or privacy being bolted on late. Joint sign-offs in project management for new systems, where both CISO and DPO approve before launch, can institutionalize this.
The payoff: stronger products and fewer costly retrofits or compliance surprises.
Regular Joint Risk and Policy Reviews
Risk management should be a team sport. Schedule regular joint risk assessments that evaluate both cyber threats and privacy risks. For example, during a Data Protection Impact Assessment (DPIA), both DPO and CISO should participate.
The DPO scrutinizes legality and individual impact, while the CISO assesses breach likelihood and impact. This ensures a comprehensive view.
Policy development, such as incident response, data retention, and access control, should also be coordinated, leading to harmonized policies. Two sets of eyes on risks and policies are better than one, covering a broader range of scenarios.
Joint Strategic Reporting to the Board
As both cybersecurity and data protection are strategic, CISOs and DPOs should present a united front to executive leadership.
Deliver joint "Security and Privacy Reports" or dashboards tracking key metrics in both domains. Reporting together demonstrates alignment and reinforces that data protection is a shared responsibility, simplifying governance for the board.
Some companies establish a Privacy and Security Council, co-chaired by CISO and DPO, to review progress and challenges. Joint briefings can also help resolve conflicts, forcing constructive dialogue and clear decisions from the top.
Shared Training and Mutual Awareness
Close the cultural gap between legal and engineering mindsets through cross-training. CISO teams can offer cybersecurity fundamentals for privacy staff, while DPO teams brief security on privacy law basics.
This helps each side understand the other's language.
Company-wide training should also unify security and privacy awareness.
By collaborating on training, CISO and DPO send a unified message: "security and privacy are everyone's responsibility."
This builds a culture where security considers privacy, and privacy considers security.
Real-World Collaboration: Lessons from the Field
Concrete examples show how organizations foster CISO-DPO synergy:
TomTom's Integrated Approach
At TomTom, the DPO, while in the legal department, meets frequently with the security team to discuss strategy and ongoing matters.
They collaborate on new product launches, data management, and client projects, ensuring every initiative is vetted for both privacy and security. This approach breaks down silos, reinforcing that privacy and security are integral to product quality and corporate integrity.
Collaboration from Day One – Arsenal F.C.
Arsenal Football Club’s DPO, Katia Zavershinskaya, emphasizes involving security early in new system rollouts. For any new technology processing personal data, the DPO and CISO align on requirements at the planning stage.
This ensures "privacy by design" is implemented, with both privacy and security signing off before any new platform goes live. During incidents, they work together, deciding upfront who leads based on the incident's nature, e.g., DPO leads if personal data is at risk, CISO if it's a non-privacy cyberattack.
This flexible, coordinated response avoids turf wars during high-pressure situations.
Unified Leadership – Best Practice
Some organizations formalize this unity with a Privacy and Security Council co-chaired by CISO and DPO. Others establish dotted-line reporting relationships to facilitate information flow. While no single structure fits all, success stories share a common thread: frequent communication and shared goals.
Even in smaller organizations where one person wears multiple hats, consciously separating the "security hat" from the "privacy hat" is crucial. When the CISO backs the DPO, and vice versa, policy translates into action.
Conclusion: One Mission – Protect Data, Together
The CISO and DPO relationship should be complementary, not adversarial. Both work towards a common mission: protecting the organization and its stakeholders.
When they work in concert, cybersecurity and data privacy become reinforcing pillars of a resilient business strategy. A company with strong cyber defenses but poor privacy practices, or vice versa, risks breaches, lost trust, and legal penalties.
For executives, regulators, and professionals in these roles, the message is clear: break down the silos. Organizations should invest in unified governance and cultivate a culture of continuous dialogue between CISOs and DPOs.
This could involve joint workshops, aligning metrics and incentives, or even team member swaps to build empathy. Regulators can encourage this by issuing guidance on security and privacy program intersection.
If you are a CISO, DPO, or overseeing them, take the initiative. Schedule regular joint meetings to review projects and risks. Draft a combined charter outlining cooperation.
Educate your board on your unified approach to risk management. External consultation or unified frameworks can also jump-start collaboration.
Ultimately, aligning cybersecurity and data privacy is about more than avoiding penalties; it’s about maintaining trust in a data-driven world. When CISOs and DPOs present a united front, the message is powerful: "we are custodians of data, and we will protect it from all angles."
By transforming friction into partnership, companies achieve stronger security, seamless compliance, and true privacy-by-design. In a world of escalating threats and growing expectations, unified governance isn't just ideal—it's a business imperative. Let's close the gap, together.
Call to Action
If you’re a CISO, DPO, or business leader, assess the relationship between your security and privacy functions today. Are there clear communication channels and joint efforts, or a silo mentality?
Commit to taking one concrete step: a meeting, a policy review, or a training session, that brings these teams together.
By doing so, you’ll foster a culture of unified data protection that safeguards your organization on all fronts. In governance, unity is strength, and by uniting security and privacy, you ensure comprehensive and resilient defense.
The future of data protection depends on this alliance, and the time to forge it is now.