A new data privacy report from Cisco finds that the roles of security professionals around the world are evolving in response to regulatory changes and the specific pressures created by the COVID-19 pandemic. Security operations are increasingly including data privacy as a core responsibility and competency. This is due in no small part to regulations and the new security requirements created by moving to work-from-home models, but also to a growing awareness of the link between privacy practices and the ability to mitigate data breaches.
Cisco privacy report: Over 1/3 of organizations have made privacy skills a core component of security
According to the privacy report, 34% of respondents (a pool of 4,700 security professionals from 25 countries) say that data privacy is now a core competency for security personnel and is one of the department’s leading responsibilities.
The privacy report sees the pandemic as one of the primary drivers of this shift. It finds that privacy resources and budgets are up, and investments in privacy are exceeding what is required to meet legal obligations.
Privacy teams appear to have been a critical resource in navigating the unfamiliar pandemic conditions: 93% of respondents said that they relied on these teams to navigate and guide their pandemic response. As a result, privacy budgets doubled last year to an average of $2.4 million. While return on privacy investments was slightly down overall from 2019, the trend remained fairly strong as 35% of respondents said that they at least doubled their investment in terms of overall benefits. There does appear to be a correlation between privacy program maturity and the sum of benefits reaped from these investments. Regardless of their investment amounts or outcome, 79% of organizations say that the world’s developing privacy laws are having a positive impact; only 5% feel there is a negative impact.
While regulations were the kindling, the accelerant was the very sudden shift to remote work models. The number of organizations in which the majority of employees were working remotely jumped from 40% in 2019 to 67% in 2020, and 91% of organizations reported that at least 25% of their workforce was now working remotely. The shift seemed to catch most organizations unprepared; 59% said that they were not fully ready for it in terms of privacy and security outcomes, and 87% expressed concerns about the privacy protections in the tools that were adopted to facilitate the change.
Though pandemic necessity forced the increase in resources devoted to privacy matters and security professionals, budgets likely would have been trending upwards anyway due to perceived return on investment. 2/3 of the organizations said that they saw significant benefits in all six areas associated with privacy investments: reducing sales delays, mitigating security losses, enabling innovation, achieving operational efficiency, building trust, and making the company more attractive. The overall value of these benefits rose 10% from 2019 and stayed consistent across all types of organizations except for the very largest.
The overall return on investment per dollar spent did go down somewhat according to the privacy report, from 2.7 in 2019 to 1.9 in 2020. However, only 15% saw a negative return while 16% saw their benefits increase by at least three times.
The increase in global privacy legislation is far from a top-down imposition by governments; it is instead spurred by very strong sentiments in favor of data privacy laws among regular people. Organizations seem to recognize this, with 90% acknowledging that they will lose sales if they are not clear about their data privacy and protection policies. About a third of consumers are now viewed as “privacy actives,” or those that will stop doing business with a company if they have a problem with these policies.
Security professionals incorporated in privacy programs
34% of security professionals responding to the privacy report said that data privacy and governance was now one of their top three primary responsibilities, making it, surprisingly, the most common pick among all duties. It slightly outpaced more standard job descriptions: 31% chose assessing and managing risk, 29% chose analysis of and response to threats and 21% chose the development of software and applications.
Much of this change for security professionals likely has to do with a major increase in boards getting involved with privacy issues. 93% of the privacy report respondents now report at least one metric to the board, while 14% report five or more. The most commonly reported metrics are privacy program audit findings, privacy impact assessments and data breach reports.
The privacy report ends with several suggestions to both ease the burdens of security professionals and see optimal return on investment: improving transparency about personal information processing activities, streamlining vendor due diligence processes by obtaining external privacy certifications (such as ISO and Shield), and building a strong culture of governance and accountability that allows for the maturity of the program to easily be communicated to stakeholders.