While cybersecurity and data privacy leaders have distinct expertise, our fundamental goals are aligned. By understanding each other’s perspectives and priorities, we can support each other to strengthen the organization’s cybersecurity and privacy programs. This was the focus of the presentation that Edy Glozman and I delivered at the RSA Conference. Edy and I collaborate at Axonius, where he is the VP of Legal and I am the CISO.
The overlap in cybersecurity and data privacy is significant, creating the potential for collaboration. However, since each role focuses on a different aspect of the organization, there’s also the potential for disagreements and conflict:
- Cybersecurity focuses on safeguarding the company’s systems and data, looking at the world through the lenses of confidentiality, integrity, and availability. Our language is often of threats, vulnerabilities, and the attack surface. We care about topics such as secure software development practices and incident investigations.Data privacy focuses on safeguarding people’s personal data, aiming to offer data subjects choice and control over their Personally Identifiable Information (PII) and keeping up with privacy laws and regulations. Its core principles include lawfulness, fairness, transparency, and purpose limitations.
Both functions clearly involve protecting data, though they’re driven by different priorities and expertise. In our presentation, we shared several scenarios where the interests of cybersecurity and privacy professionals diverge or align:
- Security Monitoring: Security teams generally want broad visibility and long data retention for investigations. Privacy teams, on the other hand, are concerned about limiting access to PII and minimizing retention. The teams need to negotiate and focus on aligned business interests. Through these discussions, we agreed on the monitoring approaches and established checks and balances to mitigate the risk of data abuse.Data Collection and Retention: Here, both security and privacy want to minimize data, since less data means less risk. But business needs (like retaining employee data for operational continuity) can complicate things. We developed tiered retention policies and automated enforcement, presenting a united front to the business when needed.Incident Response: During a potential breach, security leads the investigation, while the privacy team determines notification and other legal obligations. Clear delineation of responsibilities, regular tabletop exercises, and a collaborative approach help us respond effectively and reduce friction.AI Procurement: Both teams have overlapping concerns about data leakage and privacy when evaluating AI tools. Privacy also brings in considerations like AI governance and training data provenance. Working together, we included AI reviews in the procurement process, published internal guidelines for AI usage, and catalogued AI tooling across the company.
We shared a practical framework to help cybersecurity and data privacy leaders, whether we’re pursuing similar objectives or whether our interests are misaligned. We also shared advice on making the most of either of these scenarios.
Effective security and privacy leaders recognize the value in each other’s expertise. We work to build trust when interests align, and we negotiate when they don’t. When necessary, we lean into healthy disagreements—that’s often where the best solutions emerge. To explore this topic further, watch our presentation and download our slides.
