Financial and reputational rewards far outweigh initial outlay, Cisco says
UPDATED Security teams who implement strengthened data handling practices are reaping rewards that stretch far beyond compliance, as a new report indicates that organizations are recouping an average of 2.7 times their financial investment in data privacy.
Polled for a study published to coincide with Data Privacy Day 2020, 70% of security professionals from around the world said their privacy investments have resulted in myriad reputational and operational benefits, as well as fewer, less costly data breaches.
Now on its third edition, Cisco’s 2020 Data Privacy Benchmark Study (PDF) also identified a strong link between an organization’s privacy accountability – whether it clearly communicates its data handling policies to customers – and the financial and reputational fallout of data breaches.
Wheel of fortune
Comparing organizations using the Centre for Information Policy Leadership’s Accountability Wheel (PDF), researchers found that ‘high accountability’ companies were more than twice as likely as their ‘low accountability’ counterparts to have suffered no breaches in the previous 12 months (28% versus 13%).
And when organizations were successfully compromised, high accountability firms experienced 19% less downtime, had 28% fewer records affected, and incurred 10% lower data breach costs.
More than four in five respondents (82%), meanwhile, agreed that privacy certifications – such as ISO 27701, EU/Swiss-US Privacy Shield, and APEC Cross Border Privacy Rules System – were an influential procurement factor for choosing third-party vendors.
“With this study, we now have empirical evidence of privacy investments paying off for companies – particularly with improved customer relationships, revenue impact, and real bottom-line results,” said Harvey Jang, vice president and chief privacy officer at Cisco.
From privacy to profit
Robert Waitman, the networking giant’s chief director in data privacy and privacy economics, welcomed the news that security professionals are reaping the commercial dividends of proactive privacy investment.
“The results of this study highlight that privacy is good for business, beyond any compliance requirements,” he said in a blog post that accompanies the 2020 Data Privacy Benchmark Study.
Looking ahead, Waitman recommended that organizations invest in privacy “beyond the legal minimum” and work to obtain external privacy certifications, which he said have become “an important factor in the buying process”.
Dublin-based infosec consultant Brian Honan, a former special advisor on cybersecurity to Europol, told The Daily Swig: “I would agree with the findings and at BH Consulting we are seeing our clients see privacy as a market differentiator.”
Also speaking to The Daily Swig, Kelvin Coleman, executive director of US non-profit The National Cyber Security Alliance, said: “Cisco’s study confirms what we at the National Cyber Security Alliance have always believed: Privacy is good for business.
“Respecting your customers’ privacy and being transparent about the way you use customer data really puts you at a competitive advantage and can enhance your company’s reputation. And not only is privacy good for business, it’s good for customers.”
Experienced CISO turned infosec consultant Thom Langford commented on Twitter: “Customers are demanding better privacy (and security) from vendors, so investment is now 'justified'.”
“Privacy (and security) programmes are getting better at being run without stopping the business, but rather aiming to support it,” he added.
Privacy lad and data protection officer Carl Gottlieb disagreed, in part, with Langford.
“I want to get behind this report, but I'm sceptical,” Gottlieb said in response to Langford through his personal Twitter account. “A report by privacy people interviewing privacy people asking if privacy stuff helps make things better.”
“How about doing anti-privacy stuff - what's the ROI of that? Some companies are worth billions by using that as a model,” he concluded.
The Cisco study was based on a survey of 2,800 security professionals in organizations of various sizes in Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, the UK, and the US.
In related news, it may now be even easier for organizations (at least those in the EU) to better secure their customers’ personal data.
To mark Data Protection Day 2020, the EU Agency for Cybersecurity (ENISA) has launched an online platform to strengthen the security of data processing.
Designed for data controllers, the tool implements a risk-based approach to personal data security as a means to underpin trust.
“It is the role of the EU Agency for Cybersecurity to support the cybersecurity ecosystem with practical advice and tools to support risk mitigation,” said ENISA executive director Juhan Lepassaar.
“The platform is a key tool providing guidance to organizations on their risk profile when processing personal data; furthermore, this platform provides organizations with recommendations based on their individual profile.”
A year and a half since the EU’s landmark General Data Protection Regulation (GDPR) came into force, growing numbers of jurisdictions are planning to follow suit and overhaul legal frameworks designed in a dramatically different world.
The California Consumer Privacy Act (CCPA), which came into force on January 1, 2020, could herald “a coming tsunami” of state-level US privacy laws, while Brazil, India, and Hong Kong are at different stages of the process of updating ageing data privacy laws.
This article has been updated to include comment from Thom Langford and Carl Gottlieb.