Team working together showing CCPA and the CISO role

The Introduction of the California Consumer Privacy Act (CCPA) And the Change of the CISO Role in 2023

Today, the U.S. is the only country that lacks established federal data protection. There has been much discussion over the last five years to implement a new national privacy law to ensure enhanced data protection for Americans, similar to the European Union’s General Data Protection Regulation (GDPR). The U.S. has historically depended on state-level and local laws, much like the California Consumer Privacy Act (CCPA) that will be put into motion on January 1st, 2023, versus the government issuing initiatives for the whole nation. The CCPA will help protect U.S. citizens and their data, but without strict enforcement and accountability, we likely will not see the data protection we are hoping for. Strict enforcement will be crucial to its success. In addition to the execution of the CCPA in the new year, we can also expect significant changes to the Chief Information Security Officer (CISO) role with a shift in focus on hiring business-driven security professionals. Professionals with predominately technical backgrounds have traditionally filled the position, which has proven troublesome across various industries within firms of different sizes.

The rollout and implementation of CCPA

In the new year, The California Privacy Rights Act (CPRA) will be amending the CCPA under one threshold to bring forth new regulations in addition to existing rules under the CCPA. The CCPA currently provides employees with insights and control over the personal information that businesses gather and store. However, on January 1, 2023, new regulations will be added under this umbrella, such as the authority to dispute incorrect personal information businesses have collected and the ability to restrict the use of personal information gathered. At the start of 2023, employers and companies must be compliant in updating their CCPA privacy notice distributed to employees and provide an adequate explanation of what this new law implies regarding privacy rights and how to submit a request. Businesses can begin preparing for this by conducting audits of their data inventory, enabling data processing agreements with service providers, understanding the new employee and B2B rights and expectations, and reviewing current monitoring programs to ensure they adhere to the new privacy regulations.

As the CCPA comes into effect in the new year, we should prepare to see stricter regulations unfold both in the US and at a national level. Business leaders should prepare themselves regardless of what state they reside in and assume compliance is necessary as every business will likely touch California in one way or another. The same should be considered when it comes to being GDPR compliant regardless of relations with Europe, as it will be comparable, if not the same, to what is being implemented at the state and national level in the U.S. A key element business leaders should begin to think seriously about is that the rollout of these new regulations will be rapid, leaving unprepared businesses at risk of being caught in the crossfire. This is incredibly concerning as many organizations are unfamiliar with regulatory compliance and GDPR, which could greatly work against them if they aren’t prepared ahead of time. This expedited process comes down to the US delaying the enforcement of these regulations that should have been put in place years ago, but regardless, businesses need to be prepared. If not done already, businesses of every size within every industry should be rolling out internal plans to ensure they are compliant with CCPA. It will be vital to understand the types of data businesses store, how it is stored, and how to access it should a customer ask to know more about it or delete it.

The shift in the CISO role

Come the new year, we expect a significant shift in the CISO role. Per the Federal Communications Commission (FCC), every publicly traded company must have a CISO on the company’s board. Thus, companies started filling their CISO roles at warp speed, but they were under the assumption that the position was suited for a technical professional. As a result, many tech individuals were hired for the CISO role and ultimately brought on for the wrong reasons as their expertise wasn’t suited for the role required. Instead of the position being focused on critical business understanding with security expertise, in some cases, it became a predominately technical role. The issue many companies began to encounter with this strategy was that in some scenarios, their technical CISO didn’t fully understand the business components that were required within the role and were unable to communicate to the board effectively.

Companies hiring for the CISO role must ensure candidates are informed of the legal expectations and are up to speed with protocols for security incidents, as stated in Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents. The lack of business-centric knowledge and execution has ultimately created delays in productivity in addition to legal issues, causing widespread frustration and chaos. Due to this, many CISOs have had to alter their focus to crisis management to remediate the damage done instead of focusing on more business-critical tasks such as strategic initiatives. In 2023, we can expect a shift in the CISO role, with current technical CISOs, moved to a different, more tailored role within the organization. Organizations will be refining their search to focus on hiring business-driven security folks to fill their CISO role.

Although the rollout of the CCPA is quickly approaching, there are steps businesses can take to make the necessary changes and safeguard themselves for January’s rollout. Historically, the US hasn’t been a strict enforcer of these policies, which caused leaders to take a relaxed approach in terms of expecting consequences for their reluctance. However, regulators adhering to more rigorous enforcement of the CCPA starting in the new year will produce better odds of conformity among business leaders in the U.S. Of the changes we expect to see in the coming months, the shift in individuals filling the CISO role will be seen and felt across the board. Amid unfortunate circumstances for many, the election of more business-driven security individuals will help uphold many companies’ business goals and objectives for the new year- creating ease and efficiency for many.