To secure budgets for data privacy and security initiatives, governance, security, and privacy leaders must be able to demonstrate to the business both the software's utilization and its ROI.
In the past, some organizations treated privacy and cybersecurity as siloed risk areas. Other organizations experienced a ‘turf war’ between CISOs and CPOs over who should own the responsibility for data privacy.
However, the rapid escalation and increasing sophistication of cyberthreats, the evolving regulatory landscape, and the acceleration of digital transformation are highlighting the need for CISOs and CPOs to focus on common objectives.
“CISOs and CPOs need to align their information risk and privacy risk programs to create an integrated approach that supports business risk management, establishes realistic controls that support business processes and enables better investment decisions,” says Lydia Payne-Johnson, Director, Information Security, Identity and Risk Management at The George Washington University. “Thinking of privacy as a component of your overall security stack is what sometimes gets missed,” Payne-Johnson concludes.
Framing Risk in Business Language
CISOs and CPOs need to work together when justifying investments in the secure access and protection of confidential, personally identifiable, or regulated data to senior leadership or the board.
Our research points to significant variation among businesses in who is responsible for authorizing the budget to ensure that sensitive data is properly accessed and secured.
When it’s time to justify that spend, however, the responsible person should communicate the risk of inaction in a context the board can understand – the language of business risk.
“One of the key things is that you’ve got to be able to explain to your executive team what the risks are,” says SecurRisks Consulting President and Cybersecurity Consultant Marian Reed.
“For too many years, we’ve [taken the approach of] scaring our executives by warning that we could get fined. But no one has really talked to them about the impact at the business operational level.”
Our research shows that the top three drivers of investments into the secure access of confidential, personally identifiable, and regulated data are better regulatory compliance (54%), improved business efficiency (50%), and managing costs (44%).
“I think the CPO and CISO need to be in almost constant communication about how they are determining and measuring how adequately risk is being assessed within the organization,” adds Equifax BISO Michael Owens. “It should be a very collaborative relationship and when possible, a combined risk assessment should be seamlessly presented to the board.”
Measuring the Success of Tech Investments
Another key component of justifying investments into data privacy and security technology is how the success of those investments is measured.
Our research highlights the leading metrics that organizations are using, including utilization, like the number of permitted users and consumption patterns (62%), ROI (53%), and time to market or delivery on business objectives (40%).
While ROI is often promoted as the most important measurement of success, the leading metric selected by our respondents was a much more basic metric: utilization. Users can and do reject technology that does not provide business benefits.
The survey results suggest that simple usage and consumption metrics can proxy achievement for goals that are much harder to measure, such as building a data culture or technical maturity.
Secondly, data, privacy, and security leaders are measuring the ability of technologies to drive ROI and their impact on overall business goals. And while ROI may be challenging to prove, particularly for security and privacy risk avoidance, many organizations do have means to quantify indirect ROI.
“We are held accountable [for our investment decisions] and we have to show the return on investment, either direct or indirect. And most of us have a calculator for that,” says Voya Financial SVP and CISO Raj Badhwar.
“You’re going to have some returns from the betterment of data security by the reduced number of exfiltrations or unauthorized access. You must also quantify the reduced reputational risks.”
CISOs and CPOs must foster a strong working relationship to champion the cause of privacy and security risk throughout businesses. In addition, by presenting a clear and unified message to the board they can more effectively justify investments designed to ensure secure access to confidential, personally identifiable, and regulated data.