Even if a regulator doesn't press you, it's in your best interest to have an experienced technology mind as part of your regular conversations.
Technology is complex, changes rapidly and is subject to numerous external forces--not unlike financial markets. Having a true expert involved in regular board conversations can help a business capture opportunities it would otherwise miss and avoid expensive mistakes.
Boards that hire third-party experts to periodically assess or to help interpret management's report are in a better position than those relying on management to self-report. But, an annual consult is still too episodic to be sufficient for a business where technology is a potential differentiator, carries significant risk or consumes a large portion of resources.
Sending a board member to a conference or expecting all board members to "read up" on technology is a misguided approach. That would never be accepted as "expertise" for financial oversight purposes, and it doesn't pass for adequate oversight in technology. A board member with only cursory, second-hand information cannot be expected to "read between the lines." Sound advice can only come from someone who has spent years building instinct. Someone who has lived the ups and downs. Someone who can tell you how a trend will play out and keep you from investing too early, avoiding expensive mistakes or missing an opportunity.
It is encouraging to see the trend of boards taking a proactive approach to cyber security and technology governance. But, many are still leaving cyber to manage itself or placing it in the hands of those without requisite knowledge. One common excuse for the current state is "We don't want the tail wagging the dog." True. But, leaving an important (and expensive) element of the business without oversight IS letting the tail wag the dog. It just happens out of sight. How many more times do we have to read about a data breach causing financial pain, legal headaches, customer "churn" or employee terminations before we understand that the cyber tail can wag the dog if allowed.
But, more importantly, engaging technical expertise in strategic conversations can put ideas on the table that otherwise remain unrealized.
Is cyber security just an unnecessary "tax" on the business?
Data breach presents real risks ranging from lost revenue to lawsuits to executive-level terminations. Yet, many of the executives I speak with still hold onto the “It can’t happen to me” position. By and large, it is seen as “tomorrow’s problem.” I hear everything from "this is all just hype" to "we have heard so much about data breach that no one is paying attention anymore." But, that's not actually true, and it is getting less so as laws evolve and states' Attorneys General become more alert to this issue. And, where it does apply, it does so for some industries more than others.
Will Customers Really Leave?
The first risk you face as chief executive is to your company’s revenue. Skeptical CEOs have asked me, “In the aftermath of a data breach, do customers really leave? Or do they quickly forget what happened once the media cycle is over?” My response is, “It depends on switching costs, the amount of trust your customer has in your company before the breach and how much damage the breach does to that trust.” But, even if your customers ultimately forgive and forget, what happens to short term revenues? And, what if you are wrong? What if your event is unfortunately timed so you get more than your share of media coverage? Or it hits during a liquidity event and impacts valuation? It's an unnecessary gamble, in my opinion.
The polls aren’t helpful. Some polls show that 60% of your customers say they will leave and other polls show only 40% stating that they will change their buying behavior. Regardless of what people say in a poll, our concern is what your customers actually do. And, as we know, those two things can be very different. Some industries are more susceptible to this impact. After a breach event, for example, people are more likely to change grocery stores than doctors because switching costs are higher with the latter, and the buying decision is more likely to occur when the news is "top of mind."
There is little in the way of comparative data available on the financial impact of a data breach because of the confidential nature of a breach event and because no two events are identical. A true “apples to apples” comparison is almost impossible. Similarly, because there are so many other factors involved with running a business, isolating the impact of one event is difficult if not impossible. That said, Target’s SEC filings showed both traffic and transaction volume decreased year over year for Target post-breach. Because this was not the case for Target’s competitors, it strengthens the argument that Target’s customer confidence indeed took a hit in the wake of the breach, and that it impacted buying behavior.
Even if your customers eventually come back, an initial drop in revenue and presumably a less than rapid return to normal is likely to cause a strain on cash flow and potentially hard decisions on staff retention. Smaller organizations have less of a cushion, especially in low margin businesses. If you are a publicly traded company, you have to worry about how the news of a breach impacts the opinions of analysts and investors, because there can be a very real correlation between your market cap and your ability to borrow.
Insult to Injury
The tremendous cost of cleaning up after a data breach is the second blow in the “one-two punch.” The largest expenses are those associated with the investigation, system recovery, legal expenses, litigation, fines and penalties. If the breach is for payment card data, there may also be card replacement costs and more financial penalties. The lesser, but still notable costs for PR, notification and resolution and additional advertising and incentives to entice customers back must also be factored into the total equation.
Increasingly, employees (even counsel), managers (especially CISOs) and even executives face the risk of termination following a high-profile breach event.
Good cyber hygiene doesn’t have to be disruptive to the business or prohibitively expensive. And, it provides important support should you find yourself in a position to have to apologize to your customers or employees after a breach event.
I do see companies “rolling the dice.” I tell them, it’s like a speeding ticket. You may get away with speeding; you may not. But, if you’re caught, the ticket you get for a little speeding is much different from what you face for “reckless endangerment.”
Just like any other outsourcing decision, the "right" answer will be different for every organization. This post outlines the decision factors so you can decide what fits your environment.
The regulatory trend seems pretty clear to me. The New York State Department of Financial Services issued its requirements for a cyber security program and mandated that a qualified individual be appointed to hold responsibility for cyber security. The European General Data Protection Regulation (“GDPR”) also made a point of specifying that the data privacy officer must have "expert level knowledge." Given what I have seen over the years, I suspect this is in response to companies underestimating the complexity of the role and just tucking the responsibility into the job description of an existing employee without relevant experience or training. Regulators have seen the impact that has had on the efficacy of programs and the damage it creates, and they responded by tightening up the wording of the requirements.
At the same time, the shortage of available, experienced cyber security and data privacy professionals is widely documented and not expected to resolve any time in the near future. These are deeply technical and specialized disciplines that are not learned in a few months or even just a few years. The decisions these individuals make can have a tremendous impact on the organization, and assigning either of these functions to a current staff member as an "add on" to their existing role is precarious for both the organization and that individual being asked to perform without sufficient experience and training.
Even if the labor supply were more favorable, many companies are not in a position to bear the financial burden of a full staff of information security and data privacy professionals ranging from analyst to specialist to executive. Companies that do not have the luxury of full-time employees to adequately cover the varieties of specialties may consider outsourcing some or all of their staffing needs. This is similar to the model where companies that need an employment lawyer, a contract lawyer, litigation counsel and tax counsel don’t have to hire all of those individuals as full-time employees. Where specialty expertise is required, outsourcing can serve a company well.
Like other outsourcing decisions, a variety of factors will influence the final direction. Decision criteria should take into consideration the volume of work that is required. Hiring a full-time employee for an occasional issue is not only costly, but it will leave that specially trained employee bored and restless, resulting in cultural or team dynamic struggles or in turnover costs.
Another decision driver is whether an external consultant can have adequate visibility into the technology and process. An organization without defined policies, procedures, and a clear strategic roadmap will need to invest more time, both initially and periodically, in communicating technical and operational changes to the consultant providing guidance. If processes are ad hoc to the point where the only way to stay abreast of changes is to be present, consider a secondment or a full-time hire. I would suggest, however, that this scenario likely comes with other issues driven by a lack of organization and structure.
In organizations where cyber security and data privacy are critical success factors for the business, a full-time hire may be used to send or underscore a message to customers and regulators that data protection is a priority issue for you. In this case, an experienced hire to guide strategy and procure and manage the right specialty services can be the best path. I have also seen the reverse model where the company utilizes an analyst level employee for managing day to day work. She or he interfaces with a highly experienced consultant who provides periodic strategic work, ad hoc support for complex issues and access to specialty technical resources when needed.
Further support can be provided by a board committee or a designated board seat for data privacy and information security risk management oversight. This model is best served with a board that interacts regularly with the employees.
It is important to remember that culture may be a strong driver. Some organizations work well with outside advisors. Others do not. If your organization falls into the second category, leveraging a consultant may look less expensive on the surface, but non-quantifiable forces will reverse the equation. Culture is one of the strongest business forces available to (or working against) us, and it doesn’t factor well into spreadsheet modeling.
Every organization is different. But, hopefully these considerations help you make the decision that is best for your organization.
Privacy officers and information security officers are becoming increasingly important, particularly in regulated industries. But these are relatively new roles, and I see companies struggling with how to define the role, what skills and characteristics to look for in a candidate and where to place the role within the organization. I see some companies assume that a lawyer should fill the role, which I find curious. Please don't misunderstand. I think experienced privacy counsel is extremely important. But, I see companies assuming that any lawyer is equivalent to a privacy lawyer. And, I don't think a J.D. necessarily prepares a person for navigating complex technology, supply chain management, strategy, operations, brand management and marketing.
True, privacy requires an understanding of the applicable laws. But, isn't this true of accounting, marketing, HR, and other functions that we staff with experienced professionals who can be guided by legal counsel when needed?
How to Define the Role
If the objective of your privacy program is purely regulatory compliance, then it could make sense to construct the role to focus on audit and compliance. But, for most businesses, privacy and protecting the confidentiality of sensitive information may have revenue and valuation elements. It may be used in some situations to support sales. A technology firm I have worked with in the past strategically evaluated what measures would mean the most to their customers and prioritized those data protection investments. More than one company has realized that retention programs pay for themselves in removing the cost of storage and maintenance for the "dead" data.
If the objective of your privacy program is brand support and public trust, a trained privacy professional with deep experience in marketing technologies and who remains tuned to customer sentiment, product development, technology changes and legal developments may be best suited.
Overall, this is a risk management issue that has legal, brand, operational, financial and technology requirements. Someone who knows risk management, is fluent in those "languages" and can work across disciplines to balance risk and reward is well equipped for the CPO role.
Skills and Characteristics
Certainly, knowledge of data privacy requirements (legal, contractual or industry norms), standards and practices, resources and technologies would be foundational for a CPO.
Beyond that, an appetite and aptitude for learning technology -- really learning technology -- is critical. Data privacy may appear to have only light technical requirements, depending on the business context. But, for many organizations, it is highly technical. Consider the many invisible Website beacons, cookies, etc. that would be missed by a privacy professional who lacks an understanding of Web technologies and third-party interactions. (This is often the case when privacy is viewed as a legal function and the technology and operational components are underestimated.) Turn, Inc. recently settled with the FTC on this misstep. Their privacy statement was entirely inconsistent with the activity occurring on their Website.
Privacy requires a detailed understanding of what information you are collecting, how it is being collected, stored, protected, used, shared and retained, and what public-facing statements you are making about those activities. I can't imagine providing oversight on all of those functions without a working knowledge of technology and process. I worked with one client to help them recover from a mass mailing which displayed PII because a database field had been used by front-line staff to store sensitive information in what they thought was an unused, open area. Technology and process were the tools that could have been used to prevent that mishap.
With technology, the "devil is in the details," as they say. Many developers are unaware that the nuance of what they are saying is lost on the non-technical audience. She or he may use a term, "java" for example, and presume you know that means clear, uncompiled code, and also presume that you know that means it is not secured.
Privacy and information security risk management require a range of disciplines to work together, with one of those contributors being experienced privacy counsel. Data protection is closer to baseball than it is to golf--it takes a full team with varying skills to cover the full field. And, the CPO, as the coach, should know the game from the players' perspective.
Where to Place the Role
Certainly the CISO and CPO roles must work well together. And, both must work well with the legal department, marketing, product development and all levels of IT. These will need regular interaction--in person if possible. This may be a challenge for an organization with operations spread across a country, continent or globe. Geography is less of a hurdle than interpersonal dynamics, and can be overcome by individuals who are accustomed to working in remote teams, proactive in communication, and who encourage communication rather than relying on top-down authority to issue directives.
The objectives of these departments will often need to be balanced. In those instances, having "problem solvers" in the role will help tremendously. But, sometimes even the best problem solvers will need corporate structure to be the ultimate referee. The CPO and CISO may have to balance the mission of IT to cut costs or time to deployment, to make technology "seamless" or to use a favored vendor. When this happens, if the CISO or CPO report to IT, the security and/or privacy voice is silenced and no balancing mechanism exists. Reporting to a governance committee or directly to the CEO can counterbalance this common pitfall.
The conflict arising from reporting structures is so common and critical that the European General Data Protection Regulation specifies that a company's data privacy officer ("DPO") must report directly to the highest level of management.
In the end, security and privacy are "team sports" and no one is able to accomplish the task alone. An individual who knows when to "pass the ball" is more valuable to you than a "ball hog." Collaboration, the ability to engage across all departments and intellectual curiosity are traits I have found to be immensely helpful.
Copyright © 2019 The Palisade Group - All Rights Reserved.