Part 2: Can Investing in Data Security Offer Both Risk Mitigation AND ROI?
Leading up to our webinar with guest speaker Heidi Shey, Senior Analyst for Security and Risk at Forrester Research, we had a chance to ask her to address some of the questions around the challenges organizations face today in ensuring business privacy and data security. We’ll be sharing Heidi’s key insights (and some of our own) in a five-part series over the coming weeks.
Q2: Investments in business privacy and data security could potentially offer both ROI and risk mitigation benefits. How should IT leaders develop the business case for these investments? How do you quantify the benefits?
Heidi: You cannot ignore rising regulatory penalties and fines: EU GDPR has penalties of up to 4% of annual revenue or €20 million (whichever is greater), and a settlement with the US FTC could involve 20 years’ worth of audits. HIPAA and PCI also have monetary penalties for violations. Yet solely focusing on the costs of a breach or privacy violations presents a narrow perspective for developing a business case.
Look to build a business case that highlights the value of data to the organization’s mission, as well as to customer and business partner trust. How does data contribute to revenue and growth in dollar terms? Recognize that it’s not just about protecting the data you currently have and use, but maintaining a good reputation and trust in your organization to enable customers and partners to continue sharing their data and doing business with you. This is important for building trust with your investors and board members too. Also recognize the importance of protecting your employee data, and what that means for your organization’s future hiring efforts and ability to attract talent.
Regulatory compliance is table stakes for almost every business. Many of our customers come to us initially for help meeting their HIPAA, PCI, CJIS, GDPR or other regulatory requirements. For these customers, the priority is often ensuring that they don’t run afoul of the regs as they move to the cloud.
But the conversation quickly turns from regulatory compliance to protection of intellectual property, financial information, and other corporate sensitive information. In these cases, it’s less about encryption and more about insight and control. The CISO and other key IT leaders want to be able to audit access to sensitive content and to employ persistent controls that allow them to change privileges at any time. This is especially true when sensitive content is stored in the cloud and shared with parties outside the enterprise like suppliers, partners, or customers.
We usually start these conversations by discussing the types of data the organization creates, stores, and shares. We break this down into five categories: highly regulated (e.g., ITAR or CJIS), regulated (e.g., HIPAA), corporate confidential information shared externally, corporate information shared internally, and default or public information. From there we work through the data protection mechanisms that are most appropriate for each content type. This in turn informs the development of policies and DLP enforcement.
For us, business privacy means having the confidence to share information with the parties that need it — without fear of loss. This starts with assessing the data you’re sharing, and then putting reasonable measures in place to ensure protections.
Interested in learning more?
- Watch the full webinar presentation with Heidi Shey as she discusses key insights and trends in business privacy and data security.
- Read Part 1 of this Series: The Most Critical Data Security Challenge IT Leaders Face
- Read Part 3 of this Series: Underlying Trends Driving the Need for Business Privacy Technologies
- Read Part 4 of this Series: What Business Privacy Risks and Opportunities Should Be Reviewed As Businesses Move to Cloud-Based Systems
- Read Part 5 of this Series: What are the most important factors to consider when evaluating business privacy and data protection technologies and initiatives?
- Download the complete Q&A session with Heidi here.