Privacy & Data Breach Management

Privacy & Data Breach Management
Benchmarks, Informal Survey, Solutions

Presentation by Dr. Larry Ponemon
Webinar sponsored by Co3 Systems
September 13, 2012

Agenda

• Benchmark Analysis
• Cost Benchmarks
• Informal Influencer Survey
• Market Need For Breach Management Solutions

9/13/2012 Ponemon Institute: Private & Confidential Information 2

About Ponemon Institute

• Ponemon Institute conducts independent research on cyber security, data protection
and privacy issues.
• Since our founding 11+ years ago our mission has remained constant, which is to
enable organizations in both the private and public sectors to have a clearer
understanding of the practices, enabling technologies and potential threats that will
affect the security, reliability and integrity of information assets and IT systems.
• Ponemon Institute research informs organizations on how to improve upon their data
protection initiatives and enhance their brand and reputation as a trusted enterprise.
• In addition to research, Ponemon Institute offers independent assessment and
strategic advisory services on privacy and data protection issues. The Institute also
conducts workshops and training programs.
• The Institute is frequently engaged by leading companies to assess their privacy and
data protection activities in accordance with generally accepted standards and
practices on a global basis.
• The Institute also performs customized benchmark studies to help organizations
identify inherent risk areas and gaps that might otherwise trigger regulatory action.


Benchmark Analysis
Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=89 companies)

Background

• Ponemon Institute has conduct detailed benchmark surveys of corporate privacy
program activities for the past 10 years (starting in January 2003).
• Ponemon Institute has conducted more than 500+ separate benchmark studies.
• A total of 89 large, US-based organizations in various industries participated in
this 2012 study (fieldwork concluding in August).
• The primary contact in these organizations was the chief security officer, the chief
information security officer, the chief privacy officer or another individual who has
overall responsibility for privacy & data protection.
• All results were gathered by the researcher. All individual and company-
identifiable information was removed to protect the confidentiality of responding
organizations.
• Caveats – Benchmarks provide descriptive information that may not be
representative of all corporate privacy initiatives.


Industries
A total of 89 companies participated in this 2012 research
Minimum headcount of participating companies is > 1,000

Financial services
2% 4%
3% Health & pharma
21%
6% Retail
Public sector
6%
Industrial
Services
6%
Consumer products
12%
6% Technology & software
Transportation

7% Energy & utilities
12%
Communications
7%
8% Education & research
Other


Overall Benchmark Score

The benchmark scores for the 2012 sample of 89 companies are presented in a percentage form.
These scores are compiled from a proprietary instrument containing 130 items presented in seven
(7) sections. Each section is weighted equally for purposes of comparison.

70%
61%
60%
53%
50% 47%
42%
40%

30%

20%

10%

0%
> 25,000 FTE 5,000 to 25,000 FTE < 5,000 FTE Overall


Overall Benchmark Score

The benchmark scores for the 2012 sample of 89 companies are presented in a percentage
form. These scores are compiled from a proprietary instrument containing 130 items presented
in seven (7) sections. Each section is weighted equally for purposes of comparison.

90%
79%
80%
70%
70%
61%
60% 56%

50%
42%
40%
33%
29%
30%

20%

10%

0%
Policy% Com% Mgmt% Security% Compliance% Choice% Redress%


Benchmarks on Privacy Policies

Centralized version control procedures 49%

Harmonized approach to global policies 43%

Acceptable use policies for social media 41%

Acceptable use policies for mobile devices (BYOD) 38%

0% 10% 20% 30% 40% 50% 60%

90%
79%
80% 76%
71%
68%
70% 63% 65%
60% 62%
59%
60% 56%
50%
40%
30%
20%
10%
0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012


Benchmarks on Training & Communications

Mandatory training for all employees 41%

Specialized training for high risk employees 37%

Metrics for assessing training effectiveness 30%

Incident response training for readiness 29%

Privacy awareness for business partners 15%

Privacy awareness for customers 12%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

60% 56%
50% 52% 50% 52%
50% 46% 47% 48% 46%
45%

40%

30%

20%

10%

0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012


Benchmarks on Privacy Program Management

Centralized authority 35%

Adequacy of program resources 33%

Formal privacy or data governance strategy 29%

Data inventory for sensitive PI 21%

Independent audit or assessment 17%

0% 5% 10% 15% 20% 25% 30% 35% 40%

60%
52%
50%
50% 48%
46%
44%
41% 42%
40% 39% 40%
40%

30%

20%

10%

0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012


Benchmarks on Data Security

Alignment of privacy and cyber security strategy 33%

Extensive use of encryption for data at rest 31%

Controls over PI data in cloud environments 29%

Extensive use of data loss prevention tools 27%

Privileged user visibility 24%

0% 5% 10% 15% 20% 25% 30% 35%

80%
68% 68% 70%
70% 64% 66% 65% 66%
59%
60% 53%
50%
50%
40%
30%
20%
10%
0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012


Benchmarks on Privacy Compliance & Monitoring

Compliance monitoring over contract and temporary
29%
employees

Mock regulatory audits or assessments 25%

Advanced assessments of marketing compaigns 22%

Board level reporting 21%

Evaluation of information theft upon employee termination 21%

0% 5% 10% 15% 20% 25% 30% 35%

70%
59% 61%
60% 54%
50% 46% 48%
43% 45%
39% 41% 40%
40%

30%

20%

10%

0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012


Benchmarks on Consent & Choice

Exclusive use of permission-based lists for
26%
customer/consumer contact

Testing that customer preferences are honored 23%

Rigorous monitoring of secondary uses of sensitive PI 22%

Global harmonization of consumer preferences 18%

Readiness for do not track 18%

0% 5% 10% 15% 20% 25% 30%

40%
35% 34% 35%
35% 33% 33% 32% 33% 33%
30%
30% 28%
25%
20%
15%
10%
5%
0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012

Benchmarks on Redress & Enforcement

Whistle blowing protection 27%

Redress process involves the privacy leader 26%

Escalation procedures 24%

Specific timeline to investigate incidents 21%

Enforcement actions reported to executive management 20%

0% 5% 10% 15% 20% 25% 30%

40%
35% 36%
33% 34% 33%
35% 32% 31%
28% 29%
30% 27%
25%
20%
15%
10%
5%
0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012


Net change over 10 years

The benchmark scores for the 2012 sample consists of 89 companies. The benchmark scores
for the 2003 sample consist of 68 companies. Please note that both samples were matched
by organizational headcount (size), industry sector and geographic footprint. Certain items in
the proprietary benchmark instrument were edited or updated over this 10-year period.

90%
79%
80%
70%
70%
61%
60% 56% 56%
50%
50% 46%
42% 40%
39%
40%
33% 35%
29% 27%
30%

20%

10%

0%
Policy% Com% Mgmt% Security% Compliance% Choice% Redress%
FY 2012 FY 2003


Cost Benchmarks

Extrapolated cost of privacy programs
$US millions (000,000 omitted)

This graph reports the average direct and indirect program spending for FY 2012 based on SES quartiles
from 1 = highest to 4 = lowest. The SES is a metric ranging from -2 (lowest) to +2 (highest) that attempts to
measure the effectiveness of an organization’s information security posture. The SES was developed by
Ponemon Institute and his been validated in more than 50 studies conducted over nearly eight (8) years. As
can be seen, organizations with a higher SES spend more direct and indirect costs on privacy programs.
While not shown in this graph, the average privacy program cost for our benchmark sample of companies
totals $5.98 million.
10.00
9.00 8.75

8.00
7.00 6.39
6.00
4.84 4.61
5.00
3.92 4.18
4.00
3.12 3.27 2.92
3.00 2.53
2.00 1.70 1.65

1.00
-
Quartile 1 (SES 1.1) Quartile 2 (SES .71) Quartile 3 (SES .35) Quartile 4 (SES -.11)
Direct cost Indirect cost Total


Extrapolated cost of privacy programs
$US millions (000,000 omitted)

This graph reports the average direct and indirect program spending for FY 2012 based on six expenditure
or spending categories totaling $5.98 million. As can be seen, the two highest spending categories are data
security ($1.55 million) and program management ($1.50 million). In contrast, the two lowest spending
categories are redress and enforcement ($.30 million) and policies and procedures ($.60 million). While not
shown separately, our benchmark sample of companies spend approximately 25% of budget on program
management activities, which includes all costs associated with data breach incident management.
$1.80
$1.55
$1.60 $1.50
$1.40
$1.20 $1.14

$1.00 $0.90
$0.80
$0.60
$0.60
$0.40 $0.30
$0.20
$-
Policies & Training & Program Data security Compliance Redress &
procedures communication management monitoring enforcement


Benchmark study of 107 privacy influencers

• Results in this report are based on Ponemon Institute’s proprietary
database of privacy practices in US organizations.
• Examined perceptions about data breach incident response management.
• Purpose of analysis is to determine the value privacy leaders place on an
automated tool or system to deal with the data breach incident management
process.
• The results indicate that privacy leaders believe automated management
tools are important to deal with the data breach incident management
process due to the numerous separate incidents that require ongoing
tracking.


Is there a need to have an automated tool or system
to deal with the data breach incident management
process?
Benchmark question posed to 107 privacy leaders in U.S. based corporations

4%

15%

Yes
No
Unsure

81%


Do you have an automated data breach management
tool or system today?

2%

36% No

Yes, homemade

62% Yes, commercial


What is your company’s primary focus for data
breach management issues?

2%
6%

10%
US

Global

North America
50%
Europe/EU

Latin America

Asia-Pacific
31%


Approximately, how many separate incidents
require tracking over a 12-month period?

< 40 9%

21 to 40 15%

11 to 20 24%

5 to 10 36%

2 to 4 10%

>2 5%

0% 5% 10% 15% 20% 25% 30% 35% 40%


Need for a Data Breach Management Tool

• Ponemon Institute’s tracking study of the cost of privacy programs reveals the
potential market demand data breach incident management tool for the following
reasons:
– Cost effective – TCO of the tool versus labor costs and professional fees
– A comprehensive and accurate repository of summarized privacy and data
breach laws reduces research costs and legal services.
– Benefits SMBs that cannot afford a fully-dedicated privacy staff.
– Secures (lock-down) sensitive and confidential information concerning data
breach incidents and events.
– Avoid redundant or inconsistent operating practices and reduce operational
complexity.
• Ponemon Institute’s proprietary benchmarks on corporate privacy spending for larger-
sized organizations (headcount > 1,000) reveal a substantial spending level for
program management (which includes incident response) and data security
measures.


Questions?

Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
research@ponemon.org

Privacy & Data Breach Management

More Related Content

What's hot

Viewers also liked

Similar to Privacy & Data Breach Management

More from Resilient Systems

Recently uploaded

Privacy & Data Breach Management