ELI5: What are Roles and Responsibilities?
On a soccer team, the goalie, defenders, and forwards all have different jobs. In security, people like the data owner, data custodian, and security chief each have clear duties so nothing falls through the cracks.
Definition
Clearly defined roles and responsibilities are a governance prerequisite for effective security and privacy management. Key roles include: the CISO (executive accountable for the security program), data owner (business leader accountable for a data set’s protection), data custodian (IT staff responsible for day-to-day data protection), data steward (responsible for data quality and policy compliance), data processor (entity processing data on behalf of another), and data controller (entity determining the purpose and means of processing).
Key Details
- Data owner: typically a business unit VP or department head; accountable for classification and access decisions
- Data custodian: typically IT operations; responsible for backups, encryption, access controls, and security configurations
- Data steward: ensures data quality, metadata, and policy compliance; bridges business and IT
- Data controller / data processor: GDPR terms — controller determines purpose; processor acts on the controller’s instructions
- The CISO is accountable for the security program overall but may not be directly responsible for every control
Connections
- Parent: governance — role clarity is foundational to an accountable governance structure
- See also: board-and-executive-involvement
- See also: data-ownership-and-processing-agreements