Companies that take data privacy seriously all have five things in common. If you are advocating for better data privacy in your organisation, you want to start with a security programme that supports these efforts. Such a programme has a few common characteristics:
Prioritising the protection of data and systems starts at the top. The entire executive team, including the CEO and the Board, must know that security is a key priority for your organisation. Otherwise, when it comes to allocating finances and resources, security will take a back seat. This can seem daunting, but it’s actually becoming less difficult to receive this sort of leadership buy-in. For those who ever need a good selling point, just look at the volume and tone of press coverage after some of the most recent data breaches.
Explicitly identify and designate one individual who is responsible for overall security and privacy at the company. This means building out a C-level position to own all aspects of security and privacy, as well as legal and compliance risks. Not only will this ensure that there is a holistic, comprehensive approach to the security and privacy strategy, but it will also help further leadership buy-in by giving security a seat at the executive table and in the decision-making process. By having security and privacy represented at the company leadership level, the group can work better with the business by planning for organisational initiatives rather than being surprised by them.
It’s no surprise that a lot of security and privacy incidents within an enterprise are related to human errors. With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned employees to cut corners, and security is usually one of the first areas to take a hit. Reusing passwords, using easily-guessed passwords, sharing credentials, leaving work devices unattended or unlocked, and mistakenly clicking on malicious links are just a few common employee practices that result in breaches.
Employees have a job to do, and if security hinders them rather than helps them, they will work around controls they don’t understand. Companies that take security and privacy seriously run programmes that are designed to ensure every employee knows, understands, and follows company security and privacy protocols. These programmes also have clear expectations and consequences for failure to abide by the policies. To be clear, this doesn’t—and shouldn’t—mean leading with fear. It means taking the time to educate different groups of people about the negative impact a data breach could have on revenue, safety, and overall company health and reputation. The best security and privacy teams focus on enabling employees to do their best work by enabling them to do security right.
Having a good governance framework won’t matter if users aren’t familiar with the processes and policies involved. After all, it’s important to ensure that the plan can actually be implemented. It’s also critical to know how to measure the success of the programme. The ability to demonstrate the return on investment (ROI) for security products and services is invaluable to CEOs and the Board. Return on mitigation (ROM) is another valuable metric. It reframes the conversation from the potential losses that risk represents to the business gains that mitigation delivers, by calculating how much would not be lost through effective mitigation.
While no company wants to deal with a data breach, companies that prepare for one before it happens weather the storm better. After you have been compromised is a terrible time to draft the notification to the Board and your customers, and it is just as bad a time to work out how to determine what happened and how to stop it. A clear, and tested, response plan helps all parties involved know what to do, what their role is, and how to communicate internally and externally.