Information and Security Survey: Privacy and Information Security in the Eyes of Global C-Suite Executives

By Rena Wamsley, CIPP, and Irene Pao, CIPP

Ernst & Young (E&Y) recently released its 10th annual Global Information Security Survey (GISS). The 2007 survey had participation from approximately 1,300 organizations from clients in over 50 countries around the world and focused on the drivers of information security and information security's role in business risk management. E&Y used two integrated components to conduct the research: an executive questionnaire directed at investigating the business drivers for information security and actions the executives took in response to information security drivers, and an ISO 17799-based benchmarking questionnaire based on the 11 domains of information security practices and controls.
While there were notable differences country-to-country, the results of the survey indicate that privacy is regarded primarily as a tactical issue of high importance to the information security functions, but not a strategic initiative. We continue to see regulatory compliance, management of third parties, and privacy and data protection as the three top ranked drivers for information security practices.

The Growing Impact of Privacy on Information Security
Privacy is an increasingly important issue for global C-suite executives. Seventy-three percent of CEOs and 64 percent of CIOs place a greater importance on protecting personal information. Meanwhile, 58 percent of survey participants felt that privacy and data protection are among the three top drivers for information security (an important distinction from how these executives view privacy as a stand-alone area of risk, as noted later in the article). In 2006, only 41 percent ranked privacy and data protection as a top driver.

This recent rise in privacy's importance as a driver of information security is more than likely connected to a number of factors, including greater regulator scrutiny, an increasingly privacy-aware public, and the fallout from high profile privacy breaches. Whatever the cause, it is clear that companies are paying more attention to data privacy.

As privacy and data protection escalate in importance among an organization's information concerns, other privacy-related factors ranked as top drivers as well. Over half of the drivers ranked by respondents have a privacy element: regulatory compliance; negative publicity and reputation damage; phishing, spyware and other technical threats; risk related to customers; and vendor risk management.

Importantly, executive recognition of privacy's growing importance is translating to more organizations developing formal programs to address privacy concerns. Over 63 percent of C-level executives responded that their organizations have created formalized policies and procedures around privacy, personal information protection and incident response management, while only a fraction responded by saying they have informal procedures or have not thought about creating procedures at this time.

The Growing Impact of Privacy Regulation

Companies are concerned with compliance with specific industry and general business regulations, but we note that they are faced with an increasing number of laws that give attention to privacy. In the 2007 survey, 34 percent of respondents said that privacy regulatory requirements have affected their organization in the past 12 months, second only to regulations pertaining to internal governance, such as Sarbanes-Oxley. Behind internal governance and privacy, industry-specific regulations, such as HIPAA and the FTC Safeguard Rule, ranked third.

While executives plan for the next 12 months of compliance with these regulations, privacy and industry-specific regulations are still on the top of their agendas. When asked what information security projects are on the way for regulation compliance, industry specific regulations and privacy are again consistently ranked second and third in importance.

Vendor Risk Management
As organizations are challenged by the market to provide customers with more innovative products to gain a competitive advantage, they acquire third-party vendors for technical services and outsourcing opportunities. Because the onus for protecting information remains with the company that "owns" the data, organizations that rely on third-party relationships for data management are demanding more from their vendors and business partners. Of C-level executives, 78 percent said that they require third parties to be able to support the policies, procedures and standards of their organization — a 12 percent increase from the previous year. Meanwhile, 48 percent of the respondents also require that third-party organizations have their own information security and privacy policies and procedures.

It therefore makes sense that more companies are crafting formal policies and procedures to manage the risk associated with third parties as organizations. There is, however, much more to be done, as indicated by the fact that 20 percent of the respondents said that vendor risk management has not yet been addressed at their organization. This statistic ranks vendor risk management as the lowest priority for C-level executives in its category.

A Disconnect Between Perceived Importance and Actual Practice

Earlier, we discussed how privacy has emerged as a key driver of an organization's information security. However, when it comes to the question of privacy as a stand-alone risk factor, privacy is actually ranked fairly low. Privacy, outside the efforts of the organizations' information security professionals, is ranked 9 of 14 in terms of importance to the organization, and 13 out of 14 in terms of the amount of time consumed to address the issue. Only 17 percent of executives view privacy as ranking among the five top activities.

Even more discouraging is that, although privacy and data protection is ranked as one of the three top information security drivers, 46 percent of individuals accountable for delivering information security services never meet with the privacy organization to discuss or understand their business objective and information security needs. While privacy is widely recognized as a top priority for information security, there is no priority in collaborating with privacy professionals on an operational level. In general, it seems that there are few to no expectations at the C-level to ensure coordination with the privacy office.

Based on our research, and in spite of the recognition of privacy as a key security driver, the focus of privacy in an organization seems to be more tactical than strategic. The good news is that personal information is drawing a greater level of attention within organizations and, as we enter a new year, we anticipate that this increased attention will translate in privacy's gradual ascendancy as a strategic element.

Within all data-centric organizations it is critical that information management experience greater "convergence of compliance," including security, privacy, records management and more interdepartmental cooperation in order to become more effective stewards of sensitive information.

The complete survey can be downloaded at www.ey.com/giss.

The authors are a part of Ernst & Young's Privacy Risk Advisory Services with professional experience in information security. Rena Wamsley, CIPP, CISA, is a Manager and can be reached at rena.wamsley@ey.com. Irene Pao, CIPP, is a Senior and can be reached at irene.pao@ey.com.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»