The Ponemon-Sullivan Privacy Report includes original columns and a roundup of worldwide privacy news. It’s the best way to keep up with Ponemon Institute Research and Bob Sullivan’s opinions. Keep informed, sign up here.
Privacy pro: Do you ever feel like you are working overtime to meet overly ambitious expectations? Are you frustrated by your attempts to outline a plan for protecting sensitive personal information only to get the sense that you are talking to a brick wall?
CEO: Are you puzzled as to why the people your company has hired to address security and privacy concerns never seem to meet the objectives you have for them? Are you flummoxed by the fact that the investments you’ve made in data security aren’t helping to stem the tide of data loss?
For a long time we’ve known that there’s been something of a disconnect between the C-suite and the front lines of security and privacy. Call it an educated gut sense, gained from reading between the lines of our many privacy and security studies – and reading between the lines on the faces of our friends and colleagues.
We recently completed a study meant to identify that very situation and, to no one’s surprise, found that there is a significant gap between the perceptions and expectations of the folks occupying the corner office and those who are tasked with conceiving of and carrying out privacy and data security orders.
The findings include some stunning gaps between what CEOs believe to be among the most important security and privacy priorities and what C-level security and privacy executives believe those priorities to be. For example:
100 percent of CEOs said reducing security flaws within business-critical applications was important or very important, but only 65 percent of C-level privacy and security executives agreed.
93 percent of CEOs said identifying and responding to a data breach was important or very important, but only 58 percent of C-level privacy and security executives agreed.
87 percent of CEOs said protecting confidential information shared with vendors, business partners, and other third parties was important or very important, but only 48 percent of C-level privacy and security executives agreed.
The famous line from Cool Hand Luke seems to apply: “What we have here is failure to communicate.”
Let us know your thoughts on this troubling finding, and what strategies security and privacy pros might use to overcome this gap and bring their departments into harmony with the corner office.
(If you are interested in downloading a copy of the study, you can do so by visiting Ounce Labs, whose generous underwriting made this research possible.)
A warm thank you to everyone who made this past weekend's RIM Renaissance a success. The discussions were lively and productive, and I think we all came away just a little bit smarter as a result of the candor. We do appreciate the enthusiasm that seems to pervade these events, and the willingness to put aside your valuable time to join with us on these annual occasions, as well as the ongoing conversations that take place throughout the year.
I’m still processing a lot of the information gathered, shared, and created during our 8th RIM Renaissance this past weekend in Minneapolis. One of our sessions focused on the creation of an information governance “treaty” that holds various organizational members to a high standard (consistent with our RIM principles). Please review the following draft document and let me know what you think.