Privacy is not a one-time, check the box activity
New research from ISACA reveals critical skills gaps and insufficient training. The survey report also explores past and future trends in privacy, offering insights into privacy workforce and skills, the use of privacy by design, and the organizational structure and composition of privacy teams.
Privacy by design
Survey findings—gathered in Q3 2020 from 1,873 professionals who work in data privacy or have knowledge of their organizations’ data privacy functions—show some positive trends for those enterprises that report they always use privacy by design.
Seventy-seven percent of those respondents believe that their boards of directors prioritize privacy (compared with 52 percent of all respondents). They are also less likely to view their privacy programs as driven solely by compliance (22 percent vs. 34 percent total) and more likely to view them as driven by a combination of compliance and ethics (62 percent vs. 52 percent total). In addition, they are more likely to report that their enterprise privacy strategy aligns with organizational objectives (90 percent vs. 69 percent total).
However, enterprises consistently using privacy by design are nearly two-and-a-half times more likely to be completely confident in the ability of their privacy team to ensure data privacy and achieve compliance with new privacy laws and regulations (24 percent vs. 10 percent total), yet there was no meaningful difference in the number of privacy breaches experienced in the last 12 months: approximately 10 percent of both groups reported breaches.
“Privacy is not a one-time, check the box activity,” says Matt Stamper, CISO and Executive Advisor, EVOTEK.
“The findings around data breaches illustrate that while privacy by design can bring great value to enterprises, it does not make them any less susceptible to privacy breaches, and privacy practitioners need to keep up their guard.”
In addition to breaches, respondents identified other areas as common privacy failures, including:
- Lack of training or poor training (64 percent)
- Failure to perform a risk analysis (53 percent)
- Bad or nonexistent detection of personal information (50 percent)
Survey respondents noted that the most helpful methods in overcoming these obstacles are using a privacy principles framework, experience-based credentials and privacy training. Additionally, they report using privacy controls including encryption (77 percent), identity and access management (76 percent), and data security (71 percent).
In privacy workforce trends, a larger share of respondents foresee increased demand for technical privacy roles than for legal/compliance roles (70 percent vs. 59 percent).
However, they see more challenges in staffing technical privacy teams than legal/compliance teams; technical privacy roles were more likely to be considered understaffed (46 percent vs. 33 percent).
Nevertheless, hiring managers have been finding ways to fill these roles by training other employees: 47 percent noted that they have been training non-privacy staff who are interested in moving into privacy roles. Ninety-two percent of respondents indicated that they have privacy staff who started their careers in IT or security and moved into privacy and compliance.
“It is clear that organizations will continue needing a strong privacy workforce in the years ahead to leverage data responsibly and ensure regulatory compliance,” says Nader Qaimari, Chief Product Officer, ISACA.
“As non-privacy professionals increasingly get opportunities to train for this career path and gain technical skills, it not only eases the privacy skills gap but enriches this workforce.”