This is the newest installment of a recurring monthly guest column by Envision's COO, Jason Albuquerque, featured on Providence Business News. In this article, Jason shares his thoughts on whether the C-suite is prepared for data protection and privacy challenges.
As we stare into the face of a digital revolution, with companies embracing some of the most transformative technologies of our times, the rewards for businesses are substantial.
However, these advances come with extraordinary risks to cybersecurity and data privacy. The question is whether boards of directors and executive leaders are adequately prepared to protect their organizations and clients.
A recent report from the Information Systems Audit and Control Association, a prominent technology governance association, concerns me. The report suggests that merely a quarter of respondents consistently collaborate with their organization’s finance leaders on data protection and privacy matters. For us to be resilient against cyber risk and threat actors, these numbers need to change, especially in this complex world where security incidents and privacy incidents, while related, are not the same. We must recognize that investing only in security without consideration for privacy is a critical misstep. Even what you would think are “minor missteps” with data privacy, such as improper notifications to customers, can result in substantial financial losses, erosion of trust, and damage to the brand.
Noncompliance with data privacy regulations, such as Europe’s General Data Protection Regulation and the California Consumer Privacy Act, can prove exceptionally expensive. The California Consumer Privacy Act, for instance, recently introduced compliance updates related to privacy practice notifications, making it a matter that falls under the purview of finance leaders. A chief financial officer’s risk expertise is invaluable, especially in their ability to help quantify, manage, and mitigate risk. The most effective risk management programs are those embedded in every department and part of the company’s standard management process, in collaboration with the chief financial officer.
"The belief that some companies are unaffected by cyber threats due to their size, industry or location is a dangerous fallacy."
- ENVISION'S COO JASON ALBUQUERQUE
But there is a severe gap in our collaboration with human resources teams.
First, let’s discuss the need to hire personnel to address internal risks and ensure compliance with data privacy laws. Both the technical privacy and legal/compliance teams are woefully understaffed, while enterprise privacy budgets remain insufficient, and skills gaps persist. Another personnel management concern is insider threats, which surged by 44% between 2020 and 2022. HR teams can help mitigate these risks by assessing threat indicators, monitoring user behavior, and helping design strategies around limiting access to sensitive information.
This brings us to the heart of the matter: How can executive leaders become more involved in data protection and cybersecurity strategies? In a world where organizations and their executives are legally obligated to protect customer and user data, it’s vital that boards and executives engage in safeguarding that data.
ISACA’s survey shows that 42% of respondents consider their budgets underfunded, and only 34% expected an increase in their budgets for 2023. Also, 40% stressed the lack of clarity surrounding privacy mandates and responsibilities, and 39% mentioned a lack of executive or business support. These statistics highlight the need for leadership involvement in addressing data privacy challenges. Despite the economic challenges of 2023 and beyond, organizations must continue to prioritize strategic investments in cybersecurity and data privacy. The belief that some companies are unaffected by cyber threats due to their size, industry or location is a dangerous fallacy. As global cyberattacks continue to surge, every leader in every organization must understand the critical role of cybersecurity.
The growing complexity of cybersecurity and data privacy risk requires a proactive stance from boards and the C-suite. Business leaders must recognize the magnitude of the risk and allocate sufficient time and resources to data privacy programs and actively engage with cybersecurity strategies. The stakes are higher than ever, and leadership involvement is not just a choice but an imperative. Cybersecurity is a journey that should be made a strategic priority, and the involvement of executive management is crucial in defining the risk tolerance, shaping risk management strategies and ensuring that the appropriate resources are allotted to effectively safeguard the organization.