
AI may have picked up steam recently, but so have cyber risks and data privacy concerns. That, however, doesn’t mean that all organizations have taken these challenges seriously; some say the lack of qualified people for the job is one of the reasons they haven’t beefed up their cyber defenses.
According to a recent report from the professional IT governance association ISACA, both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skill gaps. The findings are based on a global survey of 1,890 data privacy professionals holding positions in IT, audit, compliance, and risk management, among other roles.
Non-compliance with privacy laws and regulations, such as the EU’s GDPR and California’s CCPA, is costly, says Safia Kazi, principal of ISACA’s privacy professional practices. So this is an issue that may fall under the CFO’s purview.
“CFOs’ risk expertise is invaluable,” Kazi says. “This is especially true with regard to procurement.” Not only can third parties be the source of a significant privacy breach, but selecting unqualified third parties can result in a “devastating privacy violation and fine.”
In fact, about a quarter of the survey respondents said they always or frequently work with their organization’s finance department — and that percentage may need to increase.
Meanwhile, the global cybersecurity market is expected to reach $403 billion by 2027, a sign that there is serious money to be made in this area.
Security is not the whole story, however: organizations also need a dedicated data privacy program. ISACA’s survey found that 42% of respondents said their privacy budget is underfunded, and just 34% indicated their privacy budgets would increase in 2023. At the same time, 40% said there was no clarity on the privacy mandate, roles, and responsibilities, and 39% cited a lack of executive or business support.
“Ransomware was a big concern last year, and many organizations took steps to be prepared for a ransomware attack,” Kazi added. “But it’s possible that they view security incidents and privacy incidents as one and the same, which they are not. Heavily investing in security without also thinking about privacy is a serious misstep; something as seemingly small as an improper privacy notification to customers (which would not be addressed through any security investments) may cost an enterprise millions of dollars and reputational harm.”
She continues, “Some organizations’ board members may not fully understand the difference between security and privacy and consequently not prioritize privacy appropriately.”
Both cybersecurity and privacy are essential, but it is “impossible to have privacy without security,” Kazi said, adding that it is “possible to have security without privacy.”
The conclusion is that digital trust is increasingly becoming a board and C-suite priority, and privacy is a key component of digital trust. We can only hope that tech companies that are in the market for our data will also read this report. 😉