Privacy pros with the necessary technical skills are in demand and hard to find, even for well-funded enterprises, according to a new report from IT governance association ISACA. Enterprises are having a harder time staffing technical privacy teams than they are filling out their legal and compliance teams, with long delays in filling job openings and shorthanded departments being common. With the demand for these specialized professionals only expected to increase in the near term, hiring managers are looking to cross-train current employees to become experts on specific regional regulations such as the EU’s General Data Protection Regulation (GDPR).
The report surveyed over 1,800 ISACA constituents across the world, with the majority of respondents holding a Certified Information Security Manager (CISM) or Certified Information Systems Auditor (CISA) certification.
Privacy programs now seen as a priority
ISACA finds that support for privacy initiatives from, and the tone set by, the board of executives is key to successful privacy programs. That said, it appears that most boards now recognize this and are making data privacy a priority item. The majority of boards surveyed see privacy as a combination of a regulatory requirement and an ethical issue. A strong majority of respondents (69%) noted that the enterprise privacy strategy is now aligned with general organizational objectives. And only 4% of organizations reported not yet having a single person responsible for privacy decisions.
The survey also indicates that privacy teams frequently interface with other related departments: privacy teams most commonly work with information security teams (79% of organizations), legal and compliance teams (70%) and internal audit / risk management staff (57%). Privacy teams are most commonly headed by a chief information security officer (CISO) or chief privacy officer (CPO); they are about half as likely to be headed by a chief executive officer or a chief information officer. Less frequently, the programs are run by a chief compliance officer, board member or other staff member.
What are privacy teams spending their time on? Most of it is going to assessments. Privacy pros are also spending substantial time responding to internal requests, establishing or modifying governance, reviewing guidance and regulatory requirements, responding to issues or threats, following up on data subject requests, and training. While only 11% of respondents said that training was a major component of their regular duties, only 14% of organizations conduct no privacy training whatsoever. Privacy training is most commonly done on an annual basis, but a little over half of organizations now include it in new hire training.
And how are privacy programs being assessed internally? Organizations most frequently use employee privacy program completion rates (66%) as a key metric. Other common metrics are the number of privacy incidents experienced and the number of privacy complaints received. 46% are performing privacy risk assessments, 42% perform privacy impact assessments, 38% perform privacy self-assessments, and 37% have a privacy audit.
In a hot market for privacy pros, enterprises look inward
The workload for privacy pros is growing, but demand exceeds supply. Even with enterprises lowering hiring requirements (such as no longer strictly requiring that applicants have a legal or compliance background), a total of 43% of respondents said they had a related position sitting unfilled. 14% of respondents said that it takes over six months to fill a technical privacy position, and 12% said it takes that long to fill a legal/compliance position. About one-fifth of the respondents said that the expected time to fill these positions increased in 2020. Only 2% of organizations regularly fill these positions within two weeks, and the majority of respondents require at least three months to find suitable privacy pros.
Finding qualified applicants is a major challenge. 96% of respondents said that some compliance or legal experience was very important, 94% wanted applicants to have held a prior privacy role, 93% were looking for specific credentials or technical experience, and 80% wanted to see completion of relevant training courses. 13% of the respondents said that over 60% of their applicants did not meet their requirements for positions requiring legal or compliance experience. Surprisingly, only 36% of respondents said that legal and compliance teams were understaffed, compared to 46% for technical privacy teams.
How many positions are these organizations looking to fill? There is a great deal of variance in workforce trends between different enterprises and industries, but the average among respondents works out to about 22 full-time positions for privacy pros per company, with a median staff size of seven. 59% see legal and compliance roles in privacy increasing in the near future, and 70% see an increased need for technical privacy staff. Only 2% felt that downsizing in either of these areas might be possible.
To combat these shortfalls and close skills gaps, organizations are frequently turning to cross-training. 22% of respondents said that none of their current privacy staff began their career in privacy or compliance. 24% said that fewer than 20% of their staff began as privacy pros. Privacy teams are being drawn from legal and compliance practitioners, technical IT staff, risk professionals and security professionals.