Stefano Gazzella : 4 September 2025 07:40
Managing security is far from simple. It cannot be standardized, and above all it cannot be bought as a "solution." It requires planning, analysis, a holistic view of the organization, and the sustained pursuit of one objective: keeping data and systems at an acceptable level of security. The most common causes of crises are the gap between what has been done and what one would like to do, or worse, between what has been done and what one believes has been done. In short, both the situation in which the desired measures are unattainable in practice and the situation in which we delude ourselves into thinking we are safe are the source of many of the problems encountered in organizations of every size.
For this reason there are roles, or rather offices, responsible not only for a kind of management control over security but also, and above all, for ongoing advisory work to counter the various kinds of hallucination. Not least among these is so-called paper security: security that exists in writing but is never implemented, on the belief that formalism can protect against the actions of a threat actor.
These roles are the CISO and the DPO. The former has a significantly broader scope; the latter focuses on the management of personal data, security included. The correlation between data protection and data security recurs throughout most regulations, management systems, and the practical experience of organizations.
What is needed, however, is for CISOs and DPOs to operate as a tag team in security management rather than as competitors. This holds even when the functions are outsourced and eager to upsell. But does management know how to employ them, and above all how to verify that their work is accurate? This is the sore point. Often a CISO is appointed because it is fashionable, or a DPO because it is mandatory. We rarely know whether they are doing their job well, and we content ourselves with periodic reports and a few slides to justify their fees.
Let us clear up a misunderstanding: both the CISO and the DPO can be monitored, whether internal or external, and this does not compromise their contribution. Like every organizational body, including the Supervisory Board, they must demonstrate that they have fulfilled their contractually defined obligations as well as the tasks their duties require. Some might argue (indeed, some have argued) that this compromises the independence of the function and feeds a "nobody can judge me" attitude. They are profoundly mistaken. What independence protects is the discretionary scope assigned to a control function and the outcome of its assessments; it does not shield a failure to perform the duties at all. Whether the tasks were carried out can always be checked.
So it is good to involve them and put them to work; better still, to understand how to get the best work out of them, leveraging strengths and mitigating weaknesses.
"Together we stand, divided we fall," as Pink Floyd reminds us. In security this is a leitmotif common to many roles, and it recurs for CISOs and DPOs. But how can the two cooperate in practice? Sitting at the same working tables is certainly important, but knowing what each can contribute to a project, and where the boundaries of each one's intervention lie, is just as crucial.
Good practice dictates sharing projects even where the final say naturally rests with one of the two: with the CISO in deciding on a security measure, and with the DPO in giving an opinion on its adequacy with respect to the risks to data subjects. In short: share objectives and projects, and respect roles.
Management must therefore set up the information flows and also involve the relevant figures in the security working groups, knowing what to ask of whom, so that it can better manage the roadmap for implementing and monitoring the security of data and systems.
Clarifying the terms and methods of cooperation is useful not only to avoid unnecessary duplication of effort, but above all to prevent the conflicts that arise wherever areas of intervention overlap.
Some overlap between the responsibilities of the CISO and the DPO is inevitable, but it must be managed properly; otherwise it turns into competition. The fairy tale of coopetition is decidedly over, since it raises the level of internal conflict within the company and leads to inevitable derailments from the security objectives.
Management must not only refrain from fostering conflict, but actively prevent it by presenting the roles clearly and spelling out the expected results. This can mean, for example, establishing KPIs, requesting joint or complementary opinions, or assigning risk assessments to both with a view to integrating or comparing them.
In short: CISOs and DPOs can improve security management.
But you need to have carefully read the instructions for use.