To Manage Enterprise Privacy Risk, CISOs Have to Measure It
When it comes to managing risk, CISOs must know what threatens the privacy and security of their organization’s sensitive data. That means having the ability to identify and measure all the risks lurking throughout the enterprise—no easy feat.
Today’s headlines are ablaze with stories of cyberattacks and large-scale data breaches. While these items make for exciting (or more likely terrifying) reading, they disguise the true nature of most privacy and security incidents.
An analysis of metadata from the Radar Privacy incident management platform reveals that 44% of all incidents in the last 12 months involved paper. In addition, more threats exist within the walls of an organization than without.
Although it is popularly believed that outsiders are the primary cause of breaches, the reality is that insiders cause the majority of incidents, whether through malicious or unintentional actions.
Capturing Incident Data
CISOs who are tasked with enterprise risk management must be able to capture incident data from all sources, not just those the security team deals with. In fact, effective risk managers look beyond security; they collaborate with privacy, legal, product, and other teams. Otherwise, they fail to accurately identify and mitigate a majority of their company’s risks.
To address this issue, CISOs need a reliable method for identifying and quantifying organizational risk regardless of its source, type, size, or other variables. With this information, CISOs can examine and analyze the nature of incidents over time to understand where the true risks lie and be more strategic in their approach to managing risk for the whole enterprise.
A Warning About Terminology
Circumstances which result in the potential exposure of sensitive data go by many terms—such as “event,” “violation,” “breach,” and “incident.” These terms are often used interchangeably, an error that can put an organization at risk.
To a security professional, the term "incident" is often conflated with "breach." A privacy analyst, by contrast, understands that an incident may not meet the legal definition of a breach; whether it does depends on the context and on the jurisdictional regulations in scope for the affected individuals (data subjects).
How an occurrence is labeled, and therefore how it is perceived internally, determines which departments get involved and what actions are taken. Performing incident response through subjective, ad hoc judgment instead of a consistent, repeatable process introduces its own set of risks.
It is imperative that security and privacy teams are on the same page so they can respond efficiently and minimize the organization's monetary, regulatory, and reputational risk. OWASP lists insufficient data breach response as the number 3 risk in its OWASP Top 10 Privacy Risks project.
The Magic of a Multi-Factor Risk Scored Assessment
A reliable method for identifying and quantifying organizational risk is what we call an “operational” process for managing privacy incident response. This process includes a multi-factor risk assessment, which gives CISOs a consistent, objective way to capture and categorize (label) incidents.
This assessment uses multiple risk factors (sensitivity of the data and severity of the incident) when assessing a privacy or security incident to determine if it is a reportable data breach.
Using this approach, CISOs can view all incidents, breach or not, in a consistent way. They can uncover patterns and trends through key metrics that can be monitored in real time. For example, they can measure:
- Incident volume per month/quarter/year to identify seasonal trends
- Percentage of incidents that are notifiable breaches
- Number of individuals impacted per incident & breach
- Distribution of incidents per category (paper, electronic, verbal/visual, biometric)
- The root cause (e.g., department or line of business where an incident started)
- Response timelines
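The following is an added illustration of the two ideas above, a multi-factor risk score that labels every incident the same way and the metrics computed over the labeled incidents. It is example code written for this page, not code from the Radar Privacy platform, and the sensitivity and severity weights, the threshold of 12, and the sample incidents are all constructed assumptions; real notifiability still depends on the jurisdiction-specific legal test described earlier.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Hypothetical weights (an assumption for this example, not the Radar model):
# the most sensitive data element present, and how the data was exposed.
SENSITIVITY = {"ssn": 5, "health": 5, "financial": 4, "credentials": 4, "contact": 1}
SEVERITY = {"lost": 5, "stolen": 5, "unauthorized_access": 4, "misdirected": 3, "verbal": 2}
NOTIFIABLE_THRESHOLD = 12  # hypothetical cut-off on sensitivity * severity


@dataclass
class Incident:
    ident: str
    discovered: date
    closed: Optional[date]          # None while the response is still open
    category: str                   # paper, electronic, verbal/visual, biometric
    department: str                 # where the incident originated
    data_elements: List[str]        # keys into SENSITIVITY
    exposure: str                   # key into SEVERITY
    individuals: int                # number of data subjects affected
    mitigated: bool = False         # e.g. encrypted, or paper recovered unread


def risk_score(inc: Incident) -> int:
    """Multi-factor score: sensitivity of the data times severity of the exposure."""
    sensitivity = max(SENSITIVITY.get(e, 1) for e in inc.data_elements)
    # A mitigating control (encryption, recovery before access) collapses severity.
    severity = 1 if inc.mitigated else SEVERITY.get(inc.exposure, 3)
    return sensitivity * severity


def label(inc: Incident) -> str:
    """Same inputs always yield the same label, so incidents are comparable over time."""
    return "notifiable_breach" if risk_score(inc) >= NOTIFIABLE_THRESHOLD else "incident"


def metrics(incidents: List[Incident]) -> Dict[str, object]:
    """The key metrics from the list above, computed over consistently labeled incidents."""
    labels = {i.ident: label(i) for i in incidents}
    notifiable = [i for i in incidents if labels[i.ident] == "notifiable_breach"]
    individuals: Counter = Counter()
    for i in incidents:
        individuals[labels[i.ident]] += i.individuals
    response_days = [(i.closed - i.discovered).days for i in incidents if i.closed]
    return {
        "volume_by_month": dict(Counter(i.discovered.strftime("%Y-%m") for i in incidents)),
        "pct_notifiable": round(100 * len(notifiable) / len(incidents), 1),
        "individuals_by_label": dict(individuals),
        "category_distribution": dict(Counter(i.category for i in incidents)),
        "breach_origin": dict(Counter(i.department for i in notifiable)),
        "median_response_days": median(response_days) if response_days else None,
        "open_incidents": [i.ident for i in incidents if i.closed is None],
    }


# Constructed sample incidents (not real data) spanning paper, electronic and verbal.
SAMPLE = [
    Incident("INC-001", date(2024, 1, 8), date(2024, 1, 12), "paper", "Billing",
             ["contact", "financial"], "misdirected", 1),
    Incident("INC-002", date(2024, 1, 15), date(2024, 1, 16), "electronic", "IT",
             ["credentials"], "unauthorized_access", 250),
    Incident("INC-003", date(2024, 2, 3), date(2024, 2, 5), "paper", "HR",
             ["ssn"], "lost", 3, mitigated=True),          # recovered unread
    Incident("INC-004", date(2024, 2, 10), date(2024, 2, 11), "verbal/visual", "Clinic",
             ["health"], "verbal", 1),
    Incident("INC-005", date(2024, 2, 20), None, "electronic", "Marketing",
             ["contact"], "misdirected", 1200),            # still open
    Incident("INC-006", date(2024, 3, 2), date(2024, 3, 9), "paper", "Billing",
             ["financial", "contact"], "stolen", 40),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.ident, risk_score(inc), label(inc))
    for name, value in metrics(SAMPLE).items():
        print(f"{name}: {value}")
```

Note that INC-003 involves the most sensitive data but scores lowest because the paper was recovered unread, while INC-005 touches by far the most individuals and is not a breach at all; a volume-only or headcount-only view would rank both wrongly. The `breach_origin` count is what points investment at the department generating reportable events (Billing, twice, in the sample), which is the root-cause question the metrics list is meant to answer.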
The ability to analyze trends and identify root causes lets CISOs focus effort and investment on high-risk areas or causes. They can communicate these risks and recommendations to the board and other top management in dollars-and-cents terms, backed by objective, understandable evidence of where risk management dollars are best allocated.
Measuring What Matters
Management guru Peter Drucker once wrote, “Work implies not only that somebody is supposed to do the job, but also accountability, a deadline and, finally, the measurement of results—that is, feedback from results on the work and on the planning process itself.”
To do the job of risk management, CISOs must be able to properly identify risk and measure the effectiveness of their mitigation efforts. An operational process for privacy incident response is essential to accomplishing both tasks.