As cyberattacks and data breaches continue to rise in an increasingly digital world, many of today’s CEOs and their boards are scrambling to keep ahead of security and privacy (S+P) risks, let alone to see the opportunity for business benefit. S+P are each designed to mitigate regulatory exposure and prevent damage to the brand and the business. A unified view of S+P can increase efficiency and effectiveness, sharpen differentiation in solution and brand, and give leadership and the board a single dashboard for these essential functions.
Roles
Most companies split their information management functions into two silos: security and privacy. A chief information security officer (CISO) typically manages data security, focused on protecting data and systems; CISOs may report to the CEO, CTO, CIO or COO. Data privacy emphasizes protecting the personal information of individuals. In larger firms the General Counsel has historically overseen data privacy, but the newer position of chief privacy officer (CPO) has taken charge in some companies. While there are exceptions, these roles usually operate independently of one another.
The chief information officer role has existed for many years, but it has offered less ownership of data and more a single point of control for a company’s information technology hardware, software and services. The chief data officer role has emerged as a possible solution for a single view of data, particularly in regulated industries. This role seeks to manage data as a corporate asset that is “owned” by the leader in the role, and it speaks substantively to the cost and risk side of the equation. As described in this Forbes Technology Council article, the chief trust officer reflects the full array of data-centric, risk-centric and business-centric opportunities presented in that piece.
The security-privacy split may have made sense when data was limited in scale and scope. However, pervasive digitization and the proliferation of endpoint devices have driven, and continue to drive, data growth, making the job of each function far more complex. Moreover, split roles cost more, reduce efficiency and effectiveness, and risk missing business opportunities. To realize that potential, we have to stop thinking about how these roles differ and focus instead on the ways they are similar.
Risks
A security leader’s job is to anticipate, understand and act on the external threat environment, and then translate that into the technologies, protocols, programs and practices that protect data and systems. Success is measured by demonstrated defence against attacks and by the speed of remediation and recovery. For privacy leadership, weak or limited privacy protection risks hefty penalties and business consequences. Europe’s privacy regulation (GDPR) provides for fines of up to 4% of annual worldwide turnover for the most serious violations, while running afoul of national data-localization mandates may bar a company from doing business in that country.
Common Elements
- S+P risks related to disclosure, regulatory noncompliance, tampering, aggregation and misuse are common to both. Failure in either security or privacy is costly both in the short term (remediating rather than preventing) and in the long run (loss of confidence among customers and shareholders).
- In both cases, the organization’s data and the systems and devices that hold it should be inventoried, catalogued and analyzed as the basis for any risk-mitigation and business-enhancement goals. Confidentiality, integrity and availability of data, and of the systems it flows through, are common elements.
- Both require some degree of executive and board oversight.
- Each operates in a complex technical and regulatory environment.
Opportunities
A unified view of security and privacy can create a competitive advantage for organizations.
- Efficiency and effectiveness. A single data and systems map, defined for all layers of security, privacy risk management and data monetization, could optimize a company’s ability to move, store, use and protect data by:
  - Building “business-ready” datasets that account for privacy, security and business strategy.
  - Enhancing team synergies in common workstreams, creating a one-stop shop to respond nimbly to business and regulatory changes, manage crises and consolidate communication with the CEO and board.
  - Aligning KPIs and associated metrics.
  - Allocating resources more effectively.
- Cost reduction. Combining privacy and security workstreams (data mapping, regulatory response) can reduce internal resource needs.
- Joint governance. Whether with process or people (or both), companies that unify S+P can help CXOs and boards make smarter decisions, both for risk reduction and opportunity potential.
- Data monetization. Whether it concerns employees, customers, partners or suppliers, properly understood and managed data can deliver measurable economic value to the top and bottom line.
Furthermore, depending on the product, security and privacy can translate into key features, messaging and positioning.
What You Can Do Now
Consider these steps when beginning the S+P unification process:
- Clearly define data flows, repositories and lifecycles in a common S+P data map.
- Create connections between data, privacy, security and business leaders to find opportunities for synergies, innovation, shared expense and shared data/system governance.
- Identify how and where to use shared technology tools and services.
- Review and refine audits and oversight.
- Explore ways to architect and integrate security and privacy into products and services.
- Establish policies and processes for consistency.
- Benchmark against peers’ and proxies’ best practices for knowing and protecting data and revealing and realizing business value.
- Engage the CEO and board to explore shared and unique risks, strategic opportunities and consistent visibility.
In a world rife with cyberattacks and data breaches, companies can earn consumer trust and loyalty through leadership that purposefully protects private data and systems. In the face of growing risks and complex technologies, there are opportunities to serve customers’ information needs, establish efficient data management processes, and showcase valuable competitive differentiation.