PwC Luxembourg, CLUSIL (Club de la Sécurité de l’Information – Luxembourg) as well as the CNPD (Commission Nationale pour la Protection des Données) have collaborated to create the first edition of the only survey dedicated to CISOs, ISOs, DPOs and privacy experts in Luxembourg. Thanks to this collaboration, the tailored questionnaire enabled us to have a holistic view of these two roles. The answers are, as always, anonymous and details were not shared with the regulator.
Home-based working, companies transitioning to digital workspaces or public cloud, an escalating number of cyberattacks and the growing complexity of information systems, evolving legislation and enforcement, better informed data subjects—these and many other factors have further increased the importance of the roles of Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) in the last few years.
With the growing importance of the CISO (incl. Information Security Officer/ISO) and DPO (incl. data privacy professionals) roles in mind, we collected 90 responses within Luxembourg from CISOs (41%), DPOs (47%) and respondents holding both roles (12%), helping us to:
CISO and DPO roles
Over 50% of the respondents to this year’s survey are employed by entities with a turnover of more than €100 million, which places them in the bracket where a fine for non-compliance with the General Data Protection Regulation (GDPR, up to 4% of annual global turnover or €20 million, whichever is higher) becomes very hefty indeed. Even if GDPR fines might not be on the minds of CISOs, the potential reputational and financial damage remains a real threat.
Additionally, although the largest share of respondents represent the financial sector (62% of CISOs, 36% of DPOs and 64% of respondents holding both roles), the healthcare and public sectors (amongst others) are also represented, giving us a good insight into these sectors as well.
Ensure that any potential conflicts of interest in your role(s) have been assessed, evaluated and documented, in particular where one person holds both the CISO and DPO roles, as 12% of respondents do.
Involve CISOs and DPOs at the earliest stages of any project: it saves precious time and money compared with retrofitting security and privacy controls for the processed data later.
Use information security and data protection to empower and facilitate your business-as-usual operations.
By defining information security and data protection guidelines, you remove internal uncertainty about the course of action to take, whilst also protecting your organisation and data subjects alike.
Use information security and data protection to further increase the trust and confidence of your staff, customers and other stakeholders by focussing not only on protecting your business, but also the data subjects (the latter may also be your customers).
Encourage the sharing of information and practices between DPOs and CISOs through formal and informal sessions.
Assess thoroughly the CISO’s position within the company.
CISOs are still closely linked to the IT department. Sitting in IT may not be appropriate for a control function that should be managing information security risks, since the function being controlled would then set the controller’s priorities and budget.
Take the necessary measures to provide sufficient budget and training to CISOs and DPOs:
If you do not enable them to be at the top of their game, your organisation could struggle to tackle its information security and data protection challenges, fail to anticipate the developments and improvements needed to maintain the trust of your stakeholders, and fall behind current practice in both fields.
Ensure that CISOs’ and DPOs’ advice on the information security and data protection path is backed by top management, and that the rest of the organisation carries it through consistently and makes it work.