How chief data officers could remove the tussle at the table

Convergence of privacy, security and data governance is a huge opportunity for companies today. But who will own this ambitious agenda?

Any digital transformation agenda requires the foundations of privacy, security and data governance to be aligned. But consider the overlap of privacy, cybersecurity and data governance. This convergence throws up many challenges for organizations to consider. Is our data safe from hackers? Am I complying with the different privacy laws? And am I using the data I capture ethically?

These three questions are often answered in different quarters. Cybersecurity is the responsibility of the chief information security officer (CISO), the legal issues of privacy are addressed by the general counsel and data governance is usually the preserve of the chief data officer (CDO), with the help of marketing teams.

This is why convergence can be so challenging. All these competing priorities and programs are in collision, despite trying to do the same thing with the same set of controls.

There’s a real tussle at the table, as senior executives from those responsible for security, privacy, data and technology all line up.

So how do you meet three different objectives with just one transformation agenda? A lot of organizations are dealing with this conundrum, and if you haven’t cracked it yet, you’re not alone.

And the stakes are sky high. The costs of cybercrime continue to grow exponentially – with US$2.9 million lost to cybercrime each minute, according to one estimate.

Worryingly, respondents to EY's latest Global Information Security Survey reported a 59% increase in destructive attacks in the last 12 months. Despite this, only a quarter of CISOs could quantify how effective their organization’s cybersecurity spend was in managing their organization’s risks.

Meanwhile, the cost of data breaches is estimated to hit US$5 trillion by 2024, according to The Review (pdf). What was once a theoretical risk has become very real. Fall foul of the European Union’s General Data Protection Regulation and face a stiff penalty: 4% of turnover or €20 million. Breach China’s Cyber Security Law and risk your right to operate in Chinese market altogether.

Then there’s the Personal Data Protection Act in Singapore, the Notifiable Data Breach Scheme in Australia, and similar acts in Japan, Korea, Malaysia, Thailand and the Philippines – each with subtle differences and each demanding protection of personal data in that jurisdiction. Many large organizations across Asia-Pacific are having to restructure their technology footprints to comply.

Public perceptions of privacy, data and security are also changing rapidly. People are now acutely aware that personal data is not always private. Forrester research has found almost one quarter (23%) of adults in the United States are concerned about their data and are sceptical that companies – especially social networks and media firms – will keep their information secure¹.

There’s also a less obvious operational cost: failing to tackle this issue as a company risks creating multiple systems and layers of duplication.