Privacy Program Maturity: KPIs to Improve Incident Response
- Why measure privacy incident response?
- Identify organizational maturity and what KPIs to measure
- Actionable tips for reporting success
Read more below.
On April 8, 2021, IAPP hosted a discussion titled Privacy Industry Benchmarking and KPIs, featuring panelists Mahmood Sher-Jan, CHPC, CEO and Founder, RadarFirst; Jay Cline, Principal, PwC; and Michelle Wraight, CISM, CRISC, Director and Global Head of Privacy Automation, BNY Mellon.
What follows is a summary of the webinar, with guidance on how to measure privacy program maturity and which KPIs drive improvement in incident response.
As parts of the world begin to see the light at the end of the pandemic tunnel, privacy regulatory activity and enforcement are coming back online in full force. That regulatory momentum, together with the new exposures created by the mass shift to remote working, is bringing privacy teams into the limelight to reduce risk and operationalize incident response.
Wraight: “When you compare [Privacy enforcement] to the cybersecurity industry over the years, there are a lot of parallels. You start seeing more enforcement actions […] the Privacy industry is really starting to catch up. Unfortunately, when you do see things like enforcement actions […] that raises the bar with senior executives and that’s when they start asking for things like metrics, KPIs, and KRIs. Because they realize it’s a risk that’s very real now.”
Wraight is right. The drive to mitigate growing risk and to reduce the cost and impact of incidents has brought privacy front and center in organizations. This year:
- 90% of organizations now report privacy metrics to C-Suite and Boards
- 93% of organizations turned to their privacy teams to help navigate pandemic challenges
- 2.4 million is the average data privacy budget across large and small organizations, double the 2019 figure
So how do you collect that data, and how well does it support decisions? The KPIs below should help you tell the story of your program to your board.
The Impact of a Changing Privacy Landscape
Cline: “At least a quarter of the world’s population is covered by data breach notification regulation. If all the laws in line to pass this year do so, ¾ of the world will be covered by regulation – this will reinforce the need for global privacy notification.”
Within privacy incident response there are about 300 regulations with an incident response-related requirement. Adhering to them sounds straightforward, but they vary widely, and that variability adds complexity to an already expanding exposure. Among other things, they differ in:
- What qualifies as a breach
- What you must notify
- Whom you must notify
- How quickly you must notify
Each new jurisdiction adds complexity. So how do organizations spanning multiple regions keep track of jurisdictional nuances and meet each set of obligations?
Cline’s capability-maturity model gives you a yardstick you can apply year after year to measure improvement. Using this table, you can address the root causes of breaches in a measurable way and so reduce future risk.
Cline: “This maturity model shows the higher the maturity, the lower your average cost of a breach because you’re detecting it sooner, meaning it’s theoretically fewer impacted people for a shorter period of time.”
The goal is to identify and escalate incidents quickly so that they are resolved sooner.
Wraight: “Using capability-maturity models to not only evaluate the current state of your program, or elements of your program, like incident response but also developing your strategy over three to five years and beyond.[…] I strongly encourage people in the privacy arena to use this to not only demonstrate maturity today but where you want to be in the future.”
Knowing where your organization stands is the first step to improvement. Next, quantify maturity with key performance indicators that show impact to the intended audience, incident response performance, and improvement over time.
Not every organization will be ready for the “walking” or “running” KPIs, but each is worth forecasting as you gain speed. The gap between where you are today and those later-stage KPIs shows where there is room for improvement and where you may need funding or resources to start new training or testing.
To best quantify privacy metrics, it’s important to understand what audience you’re delivering them to. Wraight told us about the importance of accountability at the business division and department level to help drive home awareness, remarking that successful awareness training requires thoughtfulness and imagination, “You need to get your team to be motivated, thoughtful, and creative.”
Newer programs may focus on high-level data such as the number of incidents that occur, sources of those incidents, or how frequently they become breaches. But according to Wraight, these introductory metrics only tell half the story.
Wraight: “The number of incidents is a so-what metric. It has no meaning without context.[…] What does it mean to someone in management and why would they support your program? […] If you can demonstrate for example that you had 100 incidents last month and that when you implemented a control over email recipients […] you saw a 10% drop in privacy incidents, that’s a story you want to be able to tell management.”
Ultimately, privacy incident response maturity comes down to shortening the time from incident detection to response. The shorter that interval, the better; it is often a reliable indicator of organizational maturity.
Tips for getting started:
- Think about format & consider the audience
- Think about the story the data tells
- Pull out insights and conclusions that can be drawn based on the data
- Consider determining “normal run ranges” to identify when process anomalies may have occurred
- Maintain real-time metrics and dashboards (this will make it easier when needing to report to board and executive level)
- Per month, per quarter, per year – look for seasonal trends & triggers
- Start small. Focus on a few metrics, get feedback, then expand
- Document actions taken as a result of the metrics to demonstrate business value/reduced risk over time
Cline: “As the training goes out, the number of incidents goes up. That’s why measuring your ability to respond to incidents is the way to show progress.”
As Cline pointed out, it is common for a new training program to produce an immediate increase in the number of incidents reported. That does not mean you are experiencing more incidents than before; it means people now recognize and report what they previously missed, which is a sign the training is working. It is also why response-time metrics, rather than raw incident counts, are the better measure of progress.
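The monthly incident count, the detection-to-escalation and detection-to-resolution intervals, the notification (breach) rate, and the “normal run range” anomaly check from the tips above can all be derived from a plain incident log, and the same calculation makes Cline’s point visible: after a training roll-out the count jumps while the response interval falls. The Python below is an added example written for this summary; it is not code from the webinar, the panelists, or RadarFirst. Its incident records, the March training roll-out date, and the two-standard-deviation run range are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample incident log (not real data). Each row carries the
# timestamps a privacy team normally records: when the incident was detected,
# when it was escalated to the privacy team, and when it was closed, plus the
# source and whether it ended in a notification (i.e. it became a breach).
FMT = "%Y-%m-%d %H:%M"
SAMPLE_INCIDENTS = [
    # detected,           escalated,          resolved,           source,               notified
    ("2021-01-04 09:00", "2021-01-06 09:00", "2021-01-14 09:00", "misdirected email",  True),
    ("2021-01-11 09:00", "2021-01-12 09:00", "2021-01-18 09:00", "lost device",        False),
    ("2021-01-20 09:00", "2021-01-23 09:00", "2021-01-30 09:00", "misdirected email",  False),
    ("2021-02-02 09:00", "2021-02-03 09:00", "2021-02-09 09:00", "vendor disclosure",  False),
    ("2021-02-10 09:00", "2021-02-12 09:00", "2021-02-19 09:00", "misdirected email",  True),
    ("2021-02-22 09:00", "2021-02-24 09:00", "2021-03-01 09:00", "misconfigured share", False),
    ("2021-02-25 09:00", "2021-02-26 09:00", "2021-03-04 09:00", "misdirected email",  False),
    ("2021-03-02 09:00", "2021-03-02 13:00", "2021-03-05 09:00", "misdirected email",  False),
    ("2021-03-04 09:00", "2021-03-04 11:00", "2021-03-06 09:00", "misdirected email",  False),
    ("2021-03-08 09:00", "2021-03-08 17:00", "2021-03-12 09:00", "lost device",        True),
    ("2021-03-15 09:00", "2021-03-15 12:00", "2021-03-17 09:00", "misdirected email",  False),
    ("2021-03-22 09:00", "2021-03-22 14:00", "2021-03-26 09:00", "misconfigured share", False),
    ("2021-03-29 09:00", "2021-03-29 10:00", "2021-03-31 09:00", "misdirected email",  False),
    ("2021-04-05 09:00", "2021-04-05 11:00", "2021-04-07 09:00", "misdirected email",  False),
    ("2021-04-07 09:00", "2021-04-07 15:00", "2021-04-12 09:00", "vendor disclosure",  False),
    ("2021-04-13 09:00", "2021-04-13 10:00", "2021-04-14 09:00", "misdirected email",  False),
    ("2021-04-19 09:00", "2021-04-19 13:00", "2021-04-21 09:00", "lost device",        False),
    ("2021-04-26 09:00", "2021-04-26 12:00", "2021-04-28 09:00", "misdirected email",  False),
]
TRAINING_ROLLOUT = "2021-03"  # hypothetical: awareness training went live in March


def hours_between(start, end):
    """Elapsed hours between two timestamps in FMT."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600


def monthly_kpis(rows=SAMPLE_INCIDENTS):
    """Group incidents by detection month and compute the KPIs discussed above."""
    buckets = defaultdict(list)
    for detected, escalated, resolved, source, notified in rows:
        buckets[detected[:7]].append({
            "tte_hours": hours_between(detected, escalated),  # detection -> escalation
            "ttr_hours": hours_between(detected, resolved),   # detection -> resolution
            "source": source,
            "notified": notified,
        })
    kpis = {}
    for month in sorted(buckets):
        inc = buckets[month]
        kpis[month] = {
            "count": len(inc),
            "median_tte_hours": median([i["tte_hours"] for i in inc]),
            "median_ttr_hours": median([i["ttr_hours"] for i in inc]),
            "notification_rate": sum(i["notified"] for i in inc) / len(inc),
            "top_source": Counter(i["source"] for i in inc).most_common(1)[0][0],
        }
    return kpis


def run_range(values, k=2.0):
    """Normal run range: mean +/- k population standard deviations of the baseline."""
    if len(values) < 2:
        raise ValueError("need at least two baseline periods")
    centre, spread = mean(values), pstdev(values)
    return centre - k * spread, centre + k * spread


def flag_anomalies(kpis, baseline_months, metrics=("count", "median_ttr_hours"), k=2.0):
    """Build a run range per metric from the baseline months; flag later months outside it."""
    flags = []
    for metric in metrics:
        low, high = run_range([kpis[m][metric] for m in baseline_months], k)
        for month, values in kpis.items():
            if month in baseline_months:
                continue
            if values[metric] > high:
                flags.append((month, metric, values[metric], "above"))
            elif values[metric] < low:
                flags.append((month, metric, values[metric], "below"))
    return flags


def summarise(rows=SAMPLE_INCIDENTS):
    """Months before the training roll-out form the baseline; later months are checked against it."""
    kpis = monthly_kpis(rows)
    baseline = [m for m in kpis if m < TRAINING_ROLLOUT]
    return kpis, flag_anomalies(kpis, baseline)


if __name__ == "__main__":
    kpis, flags = summarise()
    for month, v in kpis.items():
        print(f"{month}: {v['count']} incidents, median detect->escalate {v['median_tte_hours']:.1f}h, "
              f"median detect->resolve {v['median_ttr_hours']:.1f}h, notified {v['notification_rate']:.0%}, "
              f"top source: {v['top_source']}")
    for month, metric, value, direction in flags:
        print(f"anomaly: {month} {metric}={value:g} is {direction} the baseline run range")
```

On the constructed data the incident count for March and April lands above the January–February run range while the detection-to-resolution median lands below it, which is the “more reports, faster handling” pattern Cline describes. The run range is deliberately computed from the pre-change months only; pooling all months into one range would dilute the shift you are trying to see, and with fewer than two baseline months there is no spread to measure, so the function refuses rather than guessing.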
For a full look at privacy incident response metrics by industry, including metrics ranked by organizational maturity, read the 2023 Privacy Incident Management Benchmarking Report.