Better Privacy Means Better Security, Report Shows
Cisco’s 2020 Data Privacy Benchmark Study attempts to quantify an often-repeated claim from cybersecurity experts: investment in privacy improves overall cybersecurity. For example, last year’s Cisco privacy study suggested that stronger privacy practices improve vendors’ sales cycle.
This year, Cisco wanted to examine what other benefits investment in privacy might bring; and more specifically, whether a dollar figure could be applied as an ROI. It queried 2,800 companies from 13 countries in a double-blind survey, and found that an investment of $100 brings $270 in cybersecurity benefits. This is an average figure that does not differentiate between B2B and B2C companies, nor by the size of the company concerned.
“That’s a very strong statement,” said Waitman, “that the investments that companies must make in privacy in order to comply with the growing number of privacy and data protection regulations are returning value way beyond the simple avoidance of GDPR and other regulatory fines.” The report argues that companies should not treat privacy compliance as a tick-box requirement, but as an opportunity to improve their cybersecurity posture.
The survey found that 70% of organizations say they receive significant privacy benefits in areas such as operational efficiency, agility and innovation. Furthermore, states the survey report, “Using the ‘Accountability Wheel’ created by the Centre for Information Policy Leadership (CIPL), we found strong correlations between organizations’ privacy accountability and lower breach costs, shorter sales delays, and higher financial returns.”
“There are a few things we can speculate on for why better privacy means better security,” said Waitman. “Privacy regulations generally force companies to get their data in order. This is necessary for personal data holders to be able to tell customers what data they have, and to be able to delete it if required.”
This should have been done from the beginning, but without the forcing nature of regulations, things have just drifted. Companies are now required to have a legal reason for processing personal data, which means old, stale and unneeded data gets removed rather than hidden away or lost and forgotten in obscure locations. “One of the reasons we saw for security benefits coming from privacy was that the data environment has been to some extent rationalized,” continued Waitman.
It’s a bit like tidying your house and putting important items in a secure place, and valuable documents and money in the safe in case of burglars, he suggested. If you do get burgled, you are likely to lose less, understand what is lost and take the right steps to minimize the effect of any loss. The same applies to a company breach. “Privacy is like that,” he said. “Companies that invest in privacy are seeing fewer data breaches, fewer records impacted, less downtime, and less overall cost of a breach. These are all highly correlated with the privacy investment that we were focusing on.”
Even some of the less obvious improvements can be explained by the better internal data controls required by privacy investments — such as improved agility and innovation. The result, said Waitman, is that “respondents indicated a correlation between privacy investment and a better turnaround in app development.” The reason, he suggested, is that without the investment in privacy and the corresponding greater knowledge of what personal data can be used in app development and what cannot, developers fail to make best use of their resources. Privacy provides knowledge of what data can be used and how it can be used in development, replacing the fear of using personal data in case it is illegal.
Privacy is considered so important that 82% of the responding organizations now view privacy certifications such as ISO 27701 and Privacy Shield as a buying factor when selecting a product or vendor in their supply chain. Certifications are a vexed problem. Security professionals often feel they need to spend time and money to gain personal certifications, but also believe that the certification companies exist simply to make money from selling certificates. This is also a potential problem for any company certifications — but Waitman points out that there is a big difference between personal certifications and corporate privacy certifications.
Personal certifications are generally awarded against a ‘syllabus’ designed and required by the selling organization. Privacy certifications are effectively underwritten by the requirements of government mandated specifications as the syllabus, lessening the scope for the certifying company to treat the exercise as a simple money-making exercise. Waitman believes that the certification of privacy is an area that needs to be developed.
His conclusions from the Cisco Data Privacy Benchmark Study 2020 (PDF) are clear. “Firstly,” he told SecurityWeek, “companies should be honest and transparent about what they do with personal data. Secondly, privacy is a good corporate investment. There’s now a lot of evidence suggesting that companies should go beyond the minimum possible to comply with the law, and seriously invest in privacy. Finally, the issue of privacy certifications is important.”