How IT and Infosec Value Privacy

Privacy and information security policy overlap and are also separate, as in a Venn diagram or like links in a chain.
What about in operations, though? How do privacy and info security teams inside organizations actually work together? How do their priorities and efforts align?
These are the questions the IAPP and TRUSTe set out to explore in a recent survey of 550 privacy, IT, and information security professionals.
One thing they agree on? Communication between the privacy and security departments, alongside a strong data breach response team, is most important for mitigating the risk of a data breach:
[Chart: Highest overall perceived importance for mitigating the risk of a data breach, as ranked by those selecting 4 or 5; two series, IT / Infosecurity and Privacy. Factors, in roughly descending order of importance: Communications between privacy and security depts; Data breach response teams; Corporate training and education on privacy; Role of privacy pro on the incident response team; Maturity of privacy program; Relationships with regulators; Privacy working group; Budget of privacy team; Privacy certification, individuals; Privacy certification, organizational; Outside privacy counsel; Size of privacy team.]
As they seek to get a better handle on their data and the extent of corporate risk, they value core privacy functions such as data minimization and data mapping:
[Chart: Highest overall perceived importance of core privacy functions, as ranked by those selecting 4 or 5; two series, IT / Infosecurity and Privacy. Functions, in roughly descending order of importance: Data minimization; Data inventory/mapping; Privacy policies; Privacy impact assessments; Vendor management programs; Spend on information security-related technology; Data retention policies; Employee monitoring; Spend on privacy-related technology; Website tracker scanning.]
In fact, more than half of infosecurity teams now have privacy representation, and nearly half of privacy teams have infosecurity professionals involved. And you can see privacy beginning to make its way deep into the organization, just as IT and infosecurity have done in the past.

Discipline's representation in each department (percentage of departments with a representative from the discipline):

Department                 Privacy   Infosec   IT
Information Technology       42%       76%      -
Information Security         52%        -      71%
Legal                        95%       43%     26%
Privacy                       -        46%     33%
Reg Compliance / Ethics      92%       51%     57%
Human Resources              82%       40%     34%
Physical Security            42%       73%     53%
Records Management           71%       49%     41%
Finance / Accounting         52%       54%     50%
Procurement                  44%       55%     57%
Marketing / PR               67%       37%     47%
Government Affairs           78%       29%     31%
Further, while high-profile breaches clearly have companies increasing their infosecurity budgets, so too are they increasing privacy spend, and focusing that spend as much on privacy technology as personnel.
Those who reported increases:
Spend on infosecurity-related technology: 66%
Overall infosecurity budget: 61%
Employee privacy training: 53%
Privacy employees on the infosecurity team: 50%
Number of employees with privacy duties: 49%
Spend on privacy-related technology: 42%
Use of data inventory and classification: 42%
Use of privacy impact assessments: 41%
Use of data retention policies: 40%
Overall privacy budget: 39%
Spend on external privacy counsel: 34%
Spend on external privacy audit: 26%
However, when we look at what motivates behavior directly, it isn’t so much security incidents as contact from regulators that grabs the attention of companies:
Have you experienced a significant security incident in the past two years?
Yes: 39%
No: 53%
Don’t Know: 8%
Have you been notified of a regulator’s investigation in the past two years?
Yes: 14.5%
No: 75.5%
Don’t Know: 10%
[Chart: How attitudes in importance for mitigating breach risk change following interaction with a regulator (percent of respondents, with the change in percentage points). Factors compared: Privacy working group; Budget of privacy team; Spend on privacy-related technology; Relationships with regulators; Privacy certification, individuals; Size of privacy team; Privacy certification, organization; Data inventory/mapping; Data retention policies; Data minimization; Maturity of privacy program.]
Simply experiencing a security incident changed behavior almost not at all. Clearly, when the regulators are watching, companies prioritize their privacy operations, which can only serve to help the infosecurity department, as long as the two teams communicate.