CISO and DPO – Is this a Dual Role of a Security Officer?


In the traditional organizational hierarchy, the CISO is often held responsible for integrating privacy requirements into the controls of the security program. With the EU’s General Data Protection Regulation (GDPR), a new role was introduced: the Data Protection Officer (DPO). This role is closely associated with the General Counsel or legal department and is integral to its oversight of the data privacy program. At the end of the day, both the CISO and the DPO aim to ensure the safety of the company’s data and other assets, and of the data of its customers and clients.

What Is Data Privacy?

Data privacy is a branch of data security that deals with the proper handling of data, including consent, notice, and regulatory obligations. In practice, data privacy covers how data is lawfully collected and stored, how it is shared with third parties, and which regulatory restrictions apply to it.

Why Is Data Privacy Required?

The most valuable, and most risky, asset of any business is its personally identifiable information and confidential data. Nowadays, an organization’s cybersecurity management needs to keep pace with data-protection laws and the growing number of security breaches.

This is why most information security officers, IT departments, cybersecurity managers, and boards of directors are increasingly focused on securing data.

Who Is a CISO?

The Chief Information Security Officer is a high-ranking executive responsible for the optimum security of an organization’s business information and data. The CISO also helps oversee the incident response team, supervises security technologies, administers the creation and application of policies and procedures, and establishes standards and controls.

This indicates that a CISO is at the peak of the IT profession.

What Is the Role of a CISO?

A good CISO needs to be able to make and implement risk-based business decisions. A CISO must also communicate those risk-based decisions to the board in a way that it can easily understand. Some of the responsibilities of a CISO in an organization are as follows:

  • Information privacy
  • Cybersecurity
  • Information security and information assurance
  • eDiscovery, IT investigations, and digital forensics
  • Computer Emergency Response Team (CERT)
  • Information Security Operations Center (ISOC)
  • Computer Security Incident Response Team (CSIRT)
  • Identity and access management
  • Governance, risk, and compliance (such as FISMA, PCI DSS, HIPAA, SOX, and GLBA), etc.

Who Is a DPO?

The Data Protection Officer (DPO) is the enterprise security leadership role required by the General Data Protection Regulation (GDPR). The role of a DPO is to oversee a company’s data protection strategy and its implementation to ensure that they comply with GDPR requirements.

The Role of a DPO

A DPO’s role varies with the needs and specific circumstances of the business, its industry, and its environment. Some of the requirements for a data protection officer are listed below.

  • Background and expertise in data compliance, legal, audit, or IT security
  • Familiarity with computer security systems
  • Experience in cooperation with supervisory authorities of any kind
  • Experience in managing data breaches
  • Experience in operational application of privacy law
  • Must understand the GDPR requirements
  • Know the DPO requirements in a particular region
  • Know about data protection legislation, especially the GDPR and national laws, etc.

Can a CISO be a DPO?

While the roles overlap considerably, it is not recommended that a CISO also serve as the DPO, because combining the two creates internal conflicts. The CISO would be empowered to decide on the investments needed to tackle digital security issues while, at the same time, the money would be drawn from the IT and Finance budgets without any check.

Since the CISO role defines the overall corporate digital security policy and safeguards the company, the DPO audits those corporate guidelines to ensure they comply with the GDPR and the ePrivacy Regulation and protect the data of data subjects.

By joining the EC-Council CCISO course, Chief Information Security Officers get certified and gain experience in all five CCISO information security management domains:

  • Governance and Risk Management
  • Information Security Controls, Compliance, and Audit Management
  • Security Program Management and Operations
  • Information Security Core Competencies
  • Strategic Planning, Finance, Procurement, and Vendor Management

Frequently Asked Questions (FAQ)

Who Does the DPO Report To?

The DPO must report directly to the company’s Board of Management or to the COO/CEO.

What Is the Difference Between a CSO and a CISO?

There is a difference between the role of a Chief Security Officer and that of a Chief Information Security Officer. The role of a CSO encompasses the whole of the security requirements and challenges that an organization faces, whereas the CISO’s role is to construct the security plans, security objectives, and security programs of the organization.

Due to the increase in cyberattacks and network security threats, both large and medium-sized organizations need a CISO. Before you can become a CISO, you need security officer training or certification training.

CISO Forum Canada 2020 is just around the corner. Join us from Nov 9-13, 2020, for 5 days of engaging panel discussions and addresses from top industry leaders!


ATTENDEE BONUS – Get EC-Council’s CCISO training and certification at a special discount.
