Information and Security Survey: Privacy and Information Security in the Eyes of Global C-Suite Executives
By Rena Wamsley, CIPP, and Irene Pao, CIPP
Ernst & Young (E&Y) recently released its 10th annual Global Information Security Survey (GISS). The 2007 survey had participation from approximately 1,300 organizations from clients in over 50 countries around the world and focused on the drivers of information security and information security's role in business risk management. E&Y used two integrated components to conduct the research: an executive questionnaire directed at investigating the business drivers for information security and actions the executives took in response to information security drivers, and an ISO 17799-based benchmarking questionnaire based on the 11 domains of information security practices and controls.
While there were notable differences country-to-country, the results of the survey indicate that privacy is regarded primarily as a tactical issue of high importance to the information security functions, but not a strategic initiative. We continue to see regulatory compliance, management of third parties, and privacy and data protection as the three top ranked drivers for information security practices.
The Growing Impact of Privacy on Information Security
Privacy is an increasingly important issue for global C-suite executives. Seventy-three percent of CEOs and 64 percent of CIOs place a greater importance on protecting personal information. Meanwhile, 58 percent of survey participants felt that privacy and data protection are among the three top drivers for information security (an important distinction from how these executives view privacy as a stand-alone area of risk, as noted later in the article). In 2006, only 41 percent ranked privacy and data protection as a top driver.
This recent rise in privacy's importance as a driver of information security is more than likely connected to a number of factors, including greater regulator scrutiny, an increasingly privacy-aware public, and the fallout from high profile privacy breaches. Whatever the cause, it is clear that companies are paying more attention to data privacy.
As privacy and data protection escalate in importance among an organization's information concerns, other privacy-related factors ranked as top drivers as well. Over half of the drivers ranked by respondents have a privacy element: regulatory compliance; negative publicity and reputation damage; phishing, spyware and other technical threats; risk related to customers; and vendor risk management.
Importantly, executive recognition of privacy's growing importance is translating to more organizations developing formal programs to address privacy concerns. Over 63 percent of C-level executives responded that their organizations have created formalized policies and procedures around privacy, personal information protection and incident response management, while only a fraction responded by saying they have informal procedures or have not thought about creating procedures at this time.
The Growing Impact of Privacy Regulation
Companies are concerned with compliance with specific industry and general business regulations, but we note that they are faced with an increasing number of laws that give attention to privacy. In the 2007 survey, 34 percent of respondents said that privacy regulatory requirements have affected their organization in the past 12 months, second only to regulations pertaining to internal governance, such as Sarbanes-Oxley. Behind internal governance and privacy, industry-specific regulations, such as HIPAA and the FTC Safeguard Rule, ranked third.
While executives plan for the next 12 months of compliance with these regulations, privacy and industry-specific regulations are still on the top of their agendas. When asked what information security projects are on the way for regulation compliance, industry specific regulations and privacy are again consistently ranked second and third in importance.
Vendor Risk Management
As organizations are challenged by the market to provide customers with more innovative products to gain a competitive advantage, they acquire third-party vendors for technical services and outsourcing opportunities. Because the onus for protecting information remains with the company that "owns" the data, organizations that rely on third-party relationships for data management are demanding more from their vendors and business partners. Of C-level executives, 78 percent said that they require third parties to be able to support the policies, procedures and standards of their organization — a 12 percent increase from the previous year. Meanwhile, 48 percent of the respondents also require that third-party organizations have their own information security and privacy policies and procedures.
It therefore makes sense that more companies are crafting formal policies and procedures to manage the risk associated with third parties as organizations. There is, however, much more to be done, as indicated by the fact that 20 percent of the respondents said that vendor risk management has not yet been addressed at their organization. This statistic ranks vendor risk management as the lowest priority for C-level executives in its category.
A Disconnect Between Perceived Importance and Actual Practice
Earlier, we discussed how privacy has emerged as a key driver of an organization's information security. However, when it comes to the question of privacy as a stand-alone risk factor, privacy is actually ranked fairly low. Privacy, outside the efforts of the organizations' information security professionals, is ranked 9 of 14 in terms of importance to the organization, and 13 out of 14 in terms of the amount of time consumed to address the issue. Only 17 percent of executives view privacy as ranking among the five top activities.
Even more discouraging is that, although privacy and data protection is ranked as one of the three top information security drivers, 46 percent of individuals accountable for delivering information security services never meet with the privacy organization to discuss or understand their business objective and information security needs. While privacy is widely recognized as a top priority for information security, there is no priority in collaborating with privacy professionals on an operational level. In general, it seems that there are few to no expectations at the C-level to ensure coordination with the privacy office.
Based on our research, and in spite of the recognition of privacy as a key security driver, the focus of privacy in an organization seems to be more tactical than strategic. The good news is that personal information is drawing a greater level of attention within organizations and, as we enter a new year, we anticipate that this increased attention will translate in privacy's gradual ascendancy as a strategic element.
Within all data-centric organizations it is critical that information management experience greater "convergence of compliance," including security, privacy, records management and more interdepartmental cooperation in order to become more effective stewards of sensitive information.
The complete survey can be downloaded at www.ey.com/giss.
The authors are a part of Ernst & Young's Privacy Risk Advisory Services with professional experience in information security. Rena Wamsley, CIPP, CISA, is a Manager and can be reached at firstname.lastname@example.org. Irene Pao, CIPP, is a Senior and can be reached at email@example.com.