[BreachExchange] Why the C-suite should take a closer look at privacy controls

[Audrey McNeil]

http://www.ciodive.com/news/why-the-c-suite-should-take-a-closer-look-at-privacy-controls/420416/

A robust and successful privacy program requires proactivity, resources,
business-integration and employee fluency. Yet organizational privacy
leaders face many obstacles, including budget constraints, cultural inertia
and ineffective communication.

Many organizations have a clear view about what the most significant
privacy risk factors are likely to be, and what controls are needed to
manage them, according to new research  from Bloomberg Law and the
International Association of Privacy Professionals (IAPP).

However, there is a startling lack of readiness to implement those
controls. In particular, it is essential that the C-suite should be better
informed and more actively involved in privacy risk management decisions.
Therefore, organizations are more vulnerable than they might initially
appear to be.

Recently, Bloomberg Law, along with IAPP, set out to benchmark corporate
privacy risk assessment and mitigation practices in a global study. The
focus was to provide insight and clarity to an industry in the midst of
growing pains attributable to shifting regulatory landscapes, evolving
technology and emerging issues.

Bloomberg and IAPP worked with 350 executive-level privacy professionals
from across the globe, including the United States, Canada and Europe.

There were a few instances in which U.S. and non-U.S. respondents’ answers
differed significantly, especially in the varying philosophical approaches
to privacy and data security displayed between respondents in the U.S. and
EU.

For example, non-U.S. respondents were less concerned about the risk of
breaches, and placed less emphasis on vendor management and cyber insurance
as risk mitigation measures than their U.S. peers. In general, the EU data
protection culture is less focused on breach preparedness and response,
research found.

Respondents outside the U.S. also placed less emphasis on budget and
interdepartmental communication.

Organizations inside and outside of the U.S. differently prioritized actual
risks. Brand impact and data breaches were unsurprisingly identified as top
risks by both U.S. and non-U.S. companies. But, non-U.S. respondents placed
significantly greater emphasis than U.S. companies on the risk of
regulatory enforcement.

It is possible to address the gaps—but it all comes down to leadership

Leveraging the corporate board as a championing force is the most effective
way to drive the change necessary.

While there was relative uniformity around what are considered the most
important risk mitigation controls—such as board buy-in, training and
education, vendor management, employee monitoring, interdepartmental
communication and program maturity—there was a startling level of
disharmony between those controls and the stated readiness in implementing
those controls, the research found.

Most companies are still maturing their privacy programs. At the highest
level, the gaps indicate that corporations need to invest more in proactive
approaches to keep up with the dynamically changing landscape and their own
evolving business needs.

Reacting to privacy concerns

A purely reactive stance no longer works, research found. Incidents have
increased by 38% over the past year, including some of the largest breaches
to date, and key industries are still lagging in terms of security.

For instance, the study shows that there is tremendous focus, yet low
readiness, to manage privacy risk with crucial business dependencies, such
as third-party vendors. A significant portion of breaches stem from current
and former vendors, such as the Target breach.

There was also a low confidence expressed with respect to managing privacy
risk around human capital, namely with respect to monitoring employees.
This is particularly troublesome for numerous reasons, considering that a
significant portion of breaches can be attributed to current and former
employees.

Organizations can close privacy gaps by taking proactive approaches, such
as developing procedures to carry out regular privacy impact assessments
and designing privacy into new product and service development. That
requires making privacy risk management a natural and integrated part of
organizational behavior and decision-making, just as with financial
discipline, human resources and intellectual property protection.

Such actions require a cultural shift, which must come from the top.
Leadership buy-in is an essential risk control, according to the study. In
fact, respondents also indicated that multiple members of the C-suite
should be involved in risk assessment.

Another proactive approach lies in ongoing training and education within an
organization. Some of the greatest gaps identified in the study relate to
training and education, interdepartmental communication, budget and program
maturity. Those are also controls most directly impacted by leadership
buy-in as they relate to both organizational culture and fiscal concerns.

Top-down approach to privacy

While corporations can attempt to address those privacy gaps piecemeal, the
research found that attempts to shore up a privacy program have significant
top-down dependency.

Privacy controls are only as strong as board support. It is not just an
issue of resources to put in place a central privacy program, but also one
of facilitation and adoption across numerous parts of complex multinational
organizations.

Leadership may need to enable cultural shifts to ensure interdepartmental
communication and the necessary human capital and programs for improved
employee privacy education.

Leveraging the board as an asset to champion privacy is a necessary
component of business operations, and even as a market-facing value
proposition, will help resolve many such gaps stemming from the need to
grow.

There is still much more to be done in bringing risk controls into accord
with stated best practices. It is clear, however, from the study data and
incident trends that as companies develop their privacy programs, taking a
proactive stance in line with the realities of their business models is
essential, with respect to regular risk assessment and other privacy
controls.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160608/fa76b52a/attachment.html>