How IT and Info Sec value privacy? Infographic from TRUSTe & IAPP

1. How IT and Infosec Value Privacy Privacy and information security policy overlap and are also separate, as in a Venn diagram or like links in a chain. ? What about in operations, though? How do privacy and info security teams inside organizations actually work together? How do their priorities and efforts align? These are the questions the IAPP and TRUSTe set out to explore in a recent survey of 550 privacy, IT, and information security professionals. One thing they agree on? Communication between the privacy and security departments, alongside a strong data breach response team, is most important for mitigating the risk of a data breach: Highest overall perceived importance (as ranked by those selecting 4 or 5): 25 30 40 50 60 70 80 90 100 Communications between privacy and security depts 87 92 85 84 78 89 75 88 72 84 53 53 50 64 46 61 46 50 35 30 35 37 34 46 Data breach response teams Corporate training and education on privacy Role of privacy pro on the incident response team Maturity of privacy program Relationships with regulators Privacy working group Budget of privacy team Privacy certification, individuals Privacy certification, organizational Outside privacy counsel IT / INFOSECURITY Size of privacy team PRIVACY As they seek to get a better handle on their data and the extent of corporate risk, they value core privacy functions such as data minimization and data mapping: Highest overall perceived importance (as ranked by those selecting 4 or 5): 30 40 50 60 70 80 90 100 Data minimization 75 80 Data inventory/mapping 74 75 Privacy policies 70 77 Privacy impact assessments 69 72 Vendor management programs 65 77 Spend on information security-related technology 64 77 DATA retention policies 64 69 Employee monitoring 52 56 Spend on privacy-related technology 48 61 IT / INFOSECURITY Website tracker scanning 33 48 PRIVACY In fact, more than half of infosecurity teams now have privacy representation, and nearly half of privacy teams have infosecurity professionals involved. And you can see privacy beginning to make its way deep into the organization, just as IT and infosecurity have done in the past. Department Discipline’s representation NO PRIVACY INFOSEC IT 76% 42% - Information Technology - 52% 71% Information Security 43% 95% 26% Legal 46% - 33% Privacy 51% 92% 57% Reg Compliance / Ethics 40% 82% 34% Human Resources 73% 42% 53% Physical Security 49% 71% 41% Records Management 54% 52% 50% Finance / Accounting 55% 44% 57% Procurement 37% 67% 47% Marketing/ PR 29% 78% 31% Government Affairs Further, while high-profile breaches clearly have companies increasing their infosecurity budgets, so too are they increasing privacy spend, and focusing that spend as much on privacy technology as personnel. Those who reported increases: % Spend on infosecurity-related technology: 66 Overall infosecurity budget: 61 Employee privacy training: 53 Privacy employees on the infosecurity team: 50 Number of employees with privacy duties: 49 Spend on privacy-related technology: 42 Use of data inventory and classification: 42 Use of privacy impact assessments: 41 Use of data retention policies: 40 Overall privacy budget: 39 Spend on external privacy counsel: 34 Spend on external privacy audit: 26 However, when we look at what motivates behavior directly, it isn’t so much security incidents as contact from regulators that grabs the attention of companies: Have you experienced a significant security incident in the past two years? Yes: 39% No: 53% Don’t Know: 8% Have you been notified of a regulator’s investigation in the past two years? Yes: 14.5% No: 75.5% Don’t Know: 10% How attitudes in importance for mitigating breach risk change following interaction with a regulator (percent of 88% 81% +7% > Maturity of privacy program 70% 79% -9% Data minimization > 62% 68% -6% Data retention policies > 67% 75% -8% Data inventory/mapping > 68% 60% +8% Privacy working group > 70% 58% +12% Budget of privacy team > 49% 57% -8% Spend on privacy-related technology > 64% 53% +11% Relationships with regulators > 52% 49% +3% Privacy certification, individuals > 55% 43% +12% Size of privacy team > 30% 31% -1% Privacy certification, organization > Simply experiencing a security incident changed behavior almost not at all. Clearly, when the regulators are watching, companies prioritize their privacy operations. Which can only serve to help the infosecurity department. As long as they communicate.