Virtru Security Insights

Business Privacy Q&A with Heidi Shey, Senior Analyst Security and Risk at Forrester Research – Part 2

Part 2: Can Investing in Data Security Offer Both Risk Mitigation AND ROI?

Leading up to our webinar with guest speaker Heidi Shey, Senior Analyst, Security and Risk at Forrester Research, we had a chance to ask her to address some of the questions around the challenges organizations face today in ensuring business privacy and data security. We'll be sharing Heidi's key insights (and some of our own) in a five-part series over the coming weeks.

Q2: Investments in business privacy and data security could potentially offer both ROI and risk mitigation benefits. How should IT leaders develop the business case for these investments? How do you quantify the benefits?

Heidi: You cannot ignore rising regulatory penalties and fines; EU GDPR has penalties of up to 4% of annual revenue or €20 million (whichever is greater), and a settlement with the US FTC could involve 20 years' worth of audits. HIPAA and PCI also have monetary penalties for violations. Yet solely focusing on costs of a breach or privacy violations presents a narrow perspective for developing a business case.

Look to build a business case that highlights the value of data to the organization's mission, as well as to customer and business partner trust. How does data contribute to revenue and growth in dollar terms? Recognize that it's not just about protecting the data you currently have and use, but maintaining a good reputation and trust in your organization to enable customers and partners to continue sharing their data and doing business with you. This is important for building trust with your investors and board members too. Also recognize the importance of protecting your employee data, and what that means for your organization's future hiring efforts and ability to attract talent.


Virtru’s Take

Regulatory compliance is table stakes for almost every business. Many of our customers come to us initially to help meet their HIPAA, PCI, CJIS, GDPR or other regulatory requirements. For these customers, the priority is often ensuring that they don't run afoul of the regulations as they move to the cloud.

But the conversation quickly turns from regulatory compliance to protection of intellectual property, financial information, and other sensitive corporate information. In these cases, it's less about encryption and more about insight and control. The CISO and other key IT leaders want to be able to audit access to sensitive content and to employ persistent controls that allow them to change privileges at any time, including revoking access after the content has already been shared. This is especially true when sensitive content is stored in the cloud and shared with parties outside the enterprise, such as suppliers, partners, or customers.

We usually start these conversations by discussing the types of data the organization creates, stores, and shares. We break this down into five categories: highly regulated (e.g., ITAR or CJIS), regulated (e.g., HIPAA), corporate confidential information shared externally, corporate information shared internally, and default or public information. From there we work through the data protection mechanisms that are most appropriate for each content type. In turn, this informs the development of policies and DLP enforcement.

DLP Enforcement Chart for Business Privacy

For us, business privacy means having the confidence to share information with the parties that need it, without fear of loss. This starts with assessing the data you're sharing, and then putting reasonable measures in place to ensure it is protected.
