Chinese philosopher Sun Tzu once said, “Know thy enemy.” When it comes to managing risk, CISOs must know what threatens the privacy and security of their organization’s sensitive data. That means having the ability to identify and measure all the risks lurking throughout the enterprise—no easy feat.

Today’s news feeds are ablaze with stories of cyberattacks and large-scale breaches. While these items make for exciting (or, more likely, terrifying) reading, they disguise the true nature of most privacy and security incidents. An analysis of metadata from the RADAR privacy incident response platform reveals that over a third of all incidents in the last 12 months involved paper (the anonymized, aggregated incident metadata is available for analysis from within the RADAR platform). In addition, more threats exist within the walls of an organization than outside them. Although it is popularly believed that most breaches are perpetrated by outsiders, the reality is that insiders cause the majority of incidents (through either malicious or accidental actions) once you include sources other than just electronic incidents.

Capturing incident data

CISOs who are tasked with enterprise risk management must be able to capture incident data from all sources, not just those the security team deals with. In fact, effective risk managers look beyond security; they collaborate with privacy, legal, product, and other teams. Otherwise, they fail to accurately identify and mitigate a majority of their company’s risks.

To address this issue, CISOs need a reliable method for identifying and quantifying organizational risk regardless of its source, type, size, or other variables. With this information, CISOs can examine and analyze the nature of incidents over time to understand where the true risks lie. They can be more strategic in their approach to managing risk for the whole enterprise.

A warning about terminology

Circumstances which result in the potential exposure of sensitive data go by many terms, such as “event,” “violation,” “breach,” and “incident.” These terms are often used interchangeably, an error that can put an organization at risk. To a security professional, the term “incident” is often conflated with a breach, but a privacy analyst understands that an incident may not meet the criteria of the legal definition of a breach, depending on the context and the jurisdictional regulations that are in scope for the affected individuals (data subjects). How an occurrence is labeled, and therefore perceived internally, can affect which departments get involved and what actions should be taken. Not performing incident response in a consistent, predictable fashion, relying instead on subjective processes, introduces a whole other set of risks. Therefore, it is imperative that security and privacy teams are on the same page so they can respond efficiently and minimize an organization’s monetary, regulatory, and reputational risks. OWASP has identified the failure to perform timely incident notifications as the number 3 risk in its OWASP Top Ten Privacy Risks project.

The magic of a multi-factor, risk-scored assessment

A reliable method for identifying and quantifying organizational risk is what we call an “operational” process for managing privacy incident response. This process includes a multi-factor risk assessment, which gives CISOs a consistent, objective way to capture and categorize (label) incidents. This assessment uses multiple risk factors (sensitivity of the data and severity of the incident) when assessing a privacy or security incident to determine if it is a reportable data breach.

Using this approach, CISOs can view all incidents, breach or not, in a consistent way. They can uncover patterns and trends with key metrics that can be monitored in real time. For example, they can measure:

  • Incident volume per month/quarter/year to identify seasonal trends
  • Percentage of incidents that are notifiable breaches
  • Number of individuals impacted per incident and breach
  • Distribution of incidents per category (paper, electronic, verbal/visual, biometric)
  • The root cause (e.g., department or line of business where an incident started)
  • Response timelines
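As an added example (not code from the original post or from the RADAR platform), here is a minimal multi-factor scoring and the metrics listed above computed over constructed incident records; the 1-5 sensitivity and severity scales, the product-of-factors score, and the notifiability threshold are assumptions for illustration, since the post does not specify them.

```python
# Added example: multi-factor risk score plus the incident metrics from the list above.
# The scales, the product score and NOTIFY_THRESHOLD are assumptions for illustration;
# real notifiability criteria come from the regulations in scope for the data subjects.
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass
class Incident:
    opened: date
    closed: date
    category: str     # paper, electronic, verbal/visual, biometric
    origin: str       # department or line of business where the incident started
    sensitivity: int  # 1 (public data) .. 5 (e.g. health or financial data)  [assumed scale]
    severity: int     # 1 (contained internally) .. 5 (confirmed external exposure)  [assumed scale]
    individuals: int  # data subjects affected


NOTIFY_THRESHOLD = 12  # assumed: sensitivity * severity at or above this is a notifiable breach


def risk_score(inc: Incident) -> int:
    return inc.sensitivity * inc.severity


def is_notifiable(inc: Incident) -> bool:
    return risk_score(inc) >= NOTIFY_THRESHOLD


def metrics(incidents: list) -> dict:
    """Compute the trend metrics listed in the post over a set of incidents."""
    if not incidents:            # edge case: nothing recorded yet, avoid division by zero
        return {}
    breaches = [i for i in incidents if is_notifiable(i)]
    return {
        "volume_per_month": dict(Counter(i.opened.strftime("%Y-%m") for i in incidents)),
        "pct_notifiable": round(100 * len(breaches) / len(incidents), 1),
        "individuals_in_breaches": sum(i.individuals for i in breaches),
        "by_category": dict(Counter(i.category for i in incidents)),
        "by_origin": dict(Counter(i.origin for i in incidents)),   # root-cause view
        "mean_days_to_close": sum((i.closed - i.opened).days for i in incidents) / len(incidents),
    }


# Constructed sample records (not real incident data)
SAMPLE = [
    Incident(date(2024, 1, 4), date(2024, 1, 9), "paper", "HR", 4, 2, 30),
    Incident(date(2024, 1, 15), date(2024, 1, 25), "electronic", "Finance", 5, 4, 1200),
    Incident(date(2024, 2, 2), date(2024, 2, 4), "verbal/visual", "Clinic", 3, 1, 1),
    Incident(date(2024, 2, 20), date(2024, 3, 1), "paper", "HR", 5, 3, 80),
]
```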

The ability to analyze trends and identify root causes enables CISOs to focus efforts and investments on high-risk areas or causes. They can accurately communicate these risks and recommendations to the board and other top management in a dollars-and-sense way. It provides immutable, understandable evidence for where to best allocate risk management dollars.

Measuring what matters

Management guru Peter Drucker once wrote, “Work implies not only that somebody is supposed to do the job, but also accountability, a deadline and, finally, the measurement of results—that is, feedback from results on the work and on the planning process itself.”

To do the job of risk management, CISOs must be able to properly identify risk and measure the effectiveness of their mitigation efforts. An operational process for privacy incident response is essential to accomplishing both tasks.

Learn more by downloading the whitepaper, The CISO’s Secret Tool for Reducing Enterprise Risk: Automating Privacy Incident Response Management.


In our next article, we’ll discuss why CISOs should care about privacy compliance, including GDPR, PIPEDA, CCPA, and privacy by design.