Navigating the Intersection of Roles: Can a CISO be a DPO?

Praveen Singh, Co-Founder & CSO at CyberPWN Technologies

The introduction of India's data protection law, the Digital Personal Data Protection (DPDP) Act, 2023, mandates the appointment of a Data Protection Officer (DPO) in specific circumstances. This presents a choice for both public and private sector organizations: create a new role, or fold it into the existing Chief Information Security Officer (CISO) function. The central question is: can a CISO also be a DPO?

First, let's delineate the responsibilities of the Data Protection Officer (DPO) under the DPDP Act, 2023, and compare them with the existing role of the Chief Information Security Officer (CISO) within an organization.

The DPO's responsibilities under the DPDP Act include addressing concerns and inquiries from data principals and ensuring the organization's compliance with the Act. To meet these obligations, the DPO must satisfy specific criteria: be located in India, report to the company's Board of Directors (the highest management level), act independently and impartially, possess expertise in data protection, and be adequately resourced.

The CISO, on the other hand, is tasked with the technical responsibilities of securing an organization's critical data: developing, implementing, and enforcing security policies; investigating security incidents; surveying information assets; and developing strategic plans aligned with the organization's risk tolerance.

Comparing the roles of DPOs and CISOs, it becomes evident that their responsibilities are well-defined and complementary. DPOs focus on data privacy and regulatory compliance, while CISOs concentrate on securing an organization's digital infrastructure against evolving cyber threats.

However, challenges arise when a CISO also serves as DPO. The DPO requires independence to exercise judgment and to report any security concerns the CISO may have overlooked. If one individual holds both positions, there is a risk of conflicts of interest that would violate professional ethics. The GDPR likewise emphasizes the DPO's need for complete independence and a direct reporting line to the highest organizational level.

In conclusion, independence is crucial for a DPO. To ensure objectivity and unbiased execution of responsibilities, it is not recommended that CISOs or holders of similar positions assume the DPO role. Instead, collaboration and synergy between the cybersecurity and data protection functions are recommended for a holistic approach to safeguarding against data breaches. This collaboration involves aligning goals, sharing critical information, and providing a unified response to vulnerabilities, ensuring a comprehensive security strategy.

"Maintaining independence between the roles of a CISO and a DPO is crucial in fostering unbiased and objective oversight. Collaboration between cybersecurity and data protection is the linchpin for a robust defence against evolving threats, ensuring a unified and comprehensive security strategy."

In his insightful reflections, Praveen Singh sheds light on the delicate balance between CISO and DPO roles. Now, let's glean further insights as we engage in a conversation with this cybersecurity luminary.

1. Congratulations on your recognition as one of the Global 40 under 40 in Cybersecurity for 2023. How has your journey shaped your perspective on cybersecurity?

My journey spans 15 years, primarily in cybersecurity consulting and vendor solutions. Recognizing the need to broaden my expertise, I embarked on a proactive path three years ago. This involved acquiring certifications, delving deeper into technological insights, and honing leadership skills. Networking with industry luminaries has not only expanded my understanding but also reaffirmed my commitment to staying at the forefront of this ever-evolving landscape. Recognition as a global expert underscores this dedication.

2. You've been ranked as a significant influencer for 'National Security' and 'Cybersecurity.' What strategies maintain your influence in these domains?

To establish prominence in cybersecurity, I've invested significant time in delving into the intricacies of the field. Actively participating in the global cybersecurity community by sharing insights, guiding aspiring enthusiasts, and assisting organizations in their cybersecurity endeavours has been pivotal in establishing and maintaining my presence in these domains.

3. Tell us about your role as a Cybercrime Intervention Officer (CCIO) and your voluntary work's impact with the National Security Database.

With cybercrime on the rise, my voluntary role as a Cybercrime First Responder at CopConnect—part of the National Security Database—focuses on providing immediate assistance to cybercrime victims. This involves connecting them with appropriate cyber cells and facilitating resources for law enforcement agencies, lawyers, and CISOs involved in cybercrime investigations.

4. How have pivotal moments or challenges shaped your leadership approach in cybersecurity?

My experience in cybersecurity consulting involves identifying vulnerabilities, assessing risks, and implementing preventive solutions. This hands-on involvement has greatly influenced my leadership style, emphasizing proactive measures, data protection strategies, and an emphasis on preventative cybersecurity measures.

5. How do you foster collaboration and innovation within your team and the cybersecurity community?

Promoting collaboration within my team involves clear communication, goal setting, recognizing individual strengths, and creating an environment that encourages open communication and innovation. Emphasizing the importance of teamwork, encouraging creativity, and celebrating successes are integral to fostering an environment conducive to innovation.

6. Your expertise lies in data and cloud security. What future trends should organizations prepare for in this fast-evolving landscape?

The future of data security involves a transition toward zero-trust policies, AI-driven tools, and the integration of blockchain technology. In cloud security, advancements in AI, advanced analytics, and hybrid architectures are paramount. Organizations need to develop comprehensive cybersecurity strategies that identify critical assets, invest in robust solutions, and emphasize regular training and awareness programs.

7. As a board member in cybersecurity communities, like CSA and GCLF, what's your role's impact?

At CSA, my role involves advocating top-tier Cloud Security practices, and at GCLF, I contribute to the advancement of CISO excellence, foreseeing substantial impacts within the industry by spearheading initiatives and collaborations.

8. What advice would you give to aspiring cybersecurity professionals?

Share your learnings openly, actively engage in technology communities, and encourage others' involvement to promote cybersecurity awareness. Social responsibility within the cybersecurity community is crucial in educating and safeguarding digital spaces.

The Journey Into Industry

Mr. Praveen Singh, Co-founder of and CSO at CyberPWN Technologies Pvt Ltd, champions fortified application systems, GRC technology transformations, cloud security, data privacy, and identity and access management. With over 15 years in cybersecurity consulting and strategic business management, he leads multiple CISO communities in India and inspires aspiring professionals.

A globally recognised cybersecurity influencer and Cybercrime First Responder (CCIO), he embodies dedication and expertise in the realm of cybersecurity. Honoured as a Global 40 under 40 in Cybersecurity for 2023, his accolades include ranking #20 in Cybersecurity and securing the top position in "National Security" by Thinker 360. Notably recognized as a LinkedIn Top Cybersecurity Voice and Cloud Security Champion, Praveen's journey to excellence is marked by a PG Programme in Cybersecurity from IIT, a Cyberlaw Diploma, and a DPDP Law certification.

Mr. Praveen Singh's commitment extends to voluntary roles at the National Security Database, as a Technology Advisor, Advisory Board Member in various cybersecurity communities, and a CyberSecurity Strategic Advisor at Netpoleon India. His expertise in data and cloud security shapes global cybersecurity landscapes, fostering collaboration and inspiring innovation for a safer digital future.