Security, compliance and privacy are hugely topical, especially as organisations look to expand their data and analytics capability. While there is increasing scrutiny from regulators and consumers to contend with, CIOs and CISOs must also factor in challenges arising from a hybrid working environment that has come about because of the pandemic.

At a CIO roundtable with DDS-IT and Commvault, New Zealand IT leaders shared their approach to navigating this complex environment. Many saw the convergence of security and compliance as inevitable, with privacy coming even more to the fore following the new Privacy Act in December 2020.

Security, compliance and privacy converging

Jarden head of IT risk and security David Higgins notes that in his organisation they use similar tools to achieve both security and compliance outcomes. While his role is more aligned to security, the executives he works most closely with are the Chief Digital Officer and Chief Risk Officer.

EROAD head of security engineering Jeremy Peaks, whose company is a telematics provider offering SaaS products in the transport sector, notes that cybersecurity threats are on the increase. “I would say there is absolutely an element of security with compliance; we certainly see it with regulations that we need to adhere to for being a certified product that is able to measure distance calculations and be used for tax purposes.”

Another CIO in the transport sector, albeit on the operations side, notes that security, compliance and privacy are beginning to overlap when it comes to data and “understanding all the data we obtain, the data we store, and the data we transmit.”

Privacy is also a crucial part of the mix, with many organisations now employing a Chief Privacy Officer. It isn’t only New Zealand law that they need to be across, but privacy legislation in other jurisdictions, in particular the GDPR (General Data Protection Regulation) in the European Union, which many see as the gold standard for privacy legislation globally. As Peaks from EROAD explains:

“I have personal experience in the past with adapting to GDPR, so I’m all too aware of the challenges. As most companies have realised since GDPR, it’s best to adhere to the most stringent regulations globally and not try to adapt differently to each market. We are committed to privacy by design, though, and make strong efforts to achieve this with our new development,” he says.

“Pen testing and software monitoring are very important, but we also do threat modelling as early as possible, often at concept stage and certainly by technical design stage. It’s important to us to identify issues early in the cycle when they are not only cheaper to address, but also form part of the design.”

Everyone’s responsible for cybersecurity and data privacy

BDO New Zealand chief technology officer Chynel James says that while there might be dedicated roles that oversee these areas, cybersecurity, compliance and privacy are the responsibility of everyone in the organisation. “Education and communication are really key, and a bit of a change programme can help with promoting awareness and the desire among all staff to be vigilant. You need to show people what’s in it for them, make them understand why everyone has a part to play,” she says.

DDS-IT general manager for sales and marketing Craig Sutton agrees that there needs to be a cultural change in organisations towards security mindfulness, and “finding the right balance between imperatives and doing it the right way,” he says.

“The key is lots of user training and telling the story in a way that makes people understand why cybersecurity and protecting privacy is something everyone has to do.”

James from BDO New Zealand has also seen the issues become more elevated in the organisation: it’s no longer just the IT suite that deals with them, with CEOs and boards taking a more active interest in the organisation’s risk profile.

Beca chief digital officer Thomas Hyde says cybersecurity is a regular topic for board meetings, where megatrends, threats and possible risks are discussed. As part of these sessions, senior executives from organisations that have suffered major cybersecurity incidents have attended to share their experiences, and this has greatly improved the understanding of the issues.

Tips and advice for dealing with cybersecurity

David Higgins from Jarden says being able to figure out the per-seat cost of your IT spend can be useful in communicating the importance and reasoning behind cybersecurity and privacy protection expenditure. “If I know that for every person that walks through the door the cost of their digital identity is X, it becomes a lot easier to quantify how we scale our protection,” he says.

James from BDO New Zealand noted that it’s important to have a security vendor that is “plugged into those government processes and can provide you with outside input. IT is very complex, and no one can know everything; partnering with the right people can be hugely advantageous.”

Another important tip was to keep in contact with government agencies, such as CERT, who are often willing to attend board meetings and provide first-hand information to senior leaders in the organisation. Keeping up with trends and understanding how and why high-profile attacks have occurred is also a useful way of ensuring you are aware of possible threats to the organisation.

“Where I would start is understanding your adversary attack scenarios. During the past couple of years, we’ve seen a prolific increase in a lot of ransomware and data thefts, in Australia and New Zealand, as well as globally. A lot of these attacks are occurring where business emails are compromised, and the attacker is quietly and persistently trying to gain access,” says Higgins from Jarden.

Many CIOs present at the roundtable also noted that being aware of the security, privacy and compliance measures taken by those in your ecosystem, from partners to clients, is also critical. As Peaks from EROAD put it: “The days of building everything yourself are gone... it is important, therefore, to ensure a high level of cyber security comfort in those companies as well as your own.