New data privacy laws like the European Union’s General Data Protection Regulation (GDPR) require many companies to have a dedicated data privacy officer overseeing their data collection and processing program.
Separate but related, the global shift towards cloud computing has increased the need for elite cybersecurity teams to build a cybersecurity program capable of withstanding continual assaults from hackers.
Unless you’re a giant, multinational corporation, the chances are good that once your privacy program is up and running, the work required may not justify the expense of two full-time positions.
Enter the fractional executive.
Why hire a fractional executive? I hate fractions.
For most small and mid-sized businesses, there are a few people at the top-performing multiple executive functions. You may be the CEO and the CMO, and your number two may be the CFO may be the COO too. This setup can work, sometimes for a long time.
But what happens when your company goes through a period of rapid growth or faces new compliances challenges resulting from legislative changes? You need more support, but the cost of bringing on that expert backup is more than you can spend.
So, you toil on as the CEO/CMO/CFO/COO, dividing your attention into smaller and smaller fractions, struggling to give each critical business function the attention it needs.
Instead of having fractions make your life harder, you can put them to work for you by hiring a fractional executive.
What is a fractional executive?
A fractional executive is a seasoned, experienced leader you can hire a few hours a week (or more) to help you with your most pressing business and/or operational needs. Most fractional executives have an extensive background in full-time, high-level management roles and the knowledge needed to make your processes more efficient and effective.
But the biggest advantage to hiring a fractional executive is that you get access to that experience and knowledge for a fraction of what hiring a full-time executive with the same credentials would cost. Add in benefits, the assistant you’d have to hire, the office furniture, the computer, the phone…you get the idea.
Virtual executive vs. fractional executive
People often use the terms virtual and fractional interchangeably when talking about this type of role. Post-Covid, this will become more and more common. For the purposes of this article, we are going to use the following definitions:
- Virtual executive: An outsourced, off-site exec or team of execs who provide business and/or consulting services to a portfolio of clients
- Fractional executive: An exec, either remote or onsite, who delivers in-depth strategic development and operational support to a select group of clients
Privacy or security?
The balancing act between data privacy and data security is something privacy professionals like me spend a lot of time talking about (like I do in this article).
One place this debate plays out is in helping companies decide if they should hire a Chief Privacy Officer (CPO), a Chief Information Security Officer (CISO), or both.
What is a CPO?
A CPO’s primary responsibility is to set the parameters around a company’s data privacy program. Their job is privacy all day, every day.
This means they work with leaders from across the organization to determine what kinds of data can be collected, how it can be used, who it can be shared with, the length of time it can be stored, and how it should be destroyed. They are also in charge of:
- Developing training protocols and managing compliance with all applicable laws
- Creating privacy policies for social media pages and websites
- Setting data classification standards
One of a CPO’s biggest jobs is establishing the protocols for data subject access requests (DSARs), the process consumers use to exercise their right to know what types of data are being collected about them. The CPO is also responsible for overseeing privacy strategy, answering customer questions, ensuring compliance with the law, facilitating ongoing training, and making sure that all employees follow best practices in privacy compliance and security.
What is a CISO?
CISOs oversee a broader scope of responsibilities than their privacy counterparts. A CISO manages the cybersecurity operations, including cyber intelligence, building out the IT security architecture, controlling identity and access management, and investigating data breaches or other security incidences.
Although some companies lump their responsibilities together, a CISO is not the same thing as a Chief Information Officer (CIO) or Chief Technology Officer (CTO). A CISO, CIO, and CTO may have similar jobs but, when done right, they focus their efforts on separate but equally important ways to achieve the same end goal: secure and accessible data.
A CISO will, for example:
- Set standards for security, removable media, device use, and network access
- Determine and implement an acceptable use policy
- Install, update, and monitor data loss/breach prevention software
What separates a CPO and a CISO?
Andreas Klug, the chief privacy officer at QVC Ladbrokes Coral, told 2020 PrivSec conference attendees that these functions have always been very separate, adding, “they all look after data, but they always sit in various parts of the business and are subject to different budgets to different reporting lines.”
A CPO can be, but isn’t always, a tech person. A CISO is always a tech person and can be, but often isn’t, a privacy expert. CPOs and CISOs both:
- Are deeply invested in protecting consumer and company data from cyber attacks or a data breach
- Can’t do their job well without first completing an in-depth risk assessment
- Need to know everything about the data coming in and leaving the organization
- Play a key role in managing vendor performance and compliance
- Develop incident response procedures
The difference between the two roles is how they approach these similarities. Because they don’t have the same expertise but have the same goals, it’s incredibly important to have a CPO and a CISO partner on most privacy-related initiatives.
Take employee training, for example. A privacy executive would want to provide training on consumer privacy rights, what types of data are sensitive or protected, and how sensitive information can be used in marketing campaigns.
Training from a full-time CISO would have more information on avoiding phishing emails, the dangers of using a work device for personal business, and the risk posed by public WiFi networks.
Both types of training are critical to protecting consumer privacy.
Employee education is just one example of how a CPO and CISO need to work together. While the CPO may set the classifications for what types of data can be collected and how it should be stored, it's the CISO who’s responsible for purchasing and setting up the technology that does it all. But the CPO needs to make sure whatever technology the CISO picks meets regulatory requirements.
It’s kind of a chicken and egg situation. Can’t really have one without the other.
Which one do I need?
It depends on where you are in your privacy journey. If you’re starting from scratch, you’ll probably need substantial support. If you already have a program going and just need to finetune it, maybe you can get away with less.
The good news is that hiring a fractional CPO and a fractional CISO is a cost-effective way to get both.
At Red Clover Advisors, we can customize our fractional privacy officer program to give you as much (or as little) support as you need.
Get in touch with us today and let our gurus start your privacy program on the path to enlightenment.