Privacy in Practice 2023
© 2023 ISACA. All Rights Reserved.

CONTENTS
3 Abstract
4 Executive Summary
4 / Key Findings
4 Survey Methodology
6 Privacy Staffing
9 / Skill Gaps
10 Privacy Budgets
10 Privacy Program Trends
12 / Privacy Team Interaction With Other Areas
13 / Boards of Directors' Privacy Involvement
13 / Monitoring Privacy Programs
14 Privacy Awareness Training
16 Privacy Frameworks, Laws and Regulations
16 Privacy Breaches and Failures
18 Privacy by Design
19 The Future of Privacy
20 Conclusion
21 Acknowledgments

ABSTRACT
Privacy in Practice 2023 reports the results of the ISACA global State of Privacy Survey, conducted in the fourth quarter of 2022. This report focuses on privacy staffing, budgets, program trends, awareness training and breaches, and privacy by design. Some survey findings are consistent with last year's survey results, while others indicate relief from some of the privacy challenges identified last year.

Executive Summary
Privacy in Practice 2023 explores trends in privacy staffing, budgets, programs, awareness training and privacy by design, based on the results of the ISACA global State of Privacy Survey, conducted in the fourth quarter of 2022. Strong enterprise privacy practices are critical in a rapidly evolving privacy regulatory landscape. Privacy violations erode customer trust and increasingly result in enterprise reputation damage and significant fines. Enterprise privacy programs that aim to protect data subjects and gain their trust set their enterprises apart from competitors. This white paper explores the state of organizational privacy.

Key Findings
The following are key survey findings:
- Technical privacy roles are slightly more likely to be somewhat or significantly understaffed than legal/compliance privacy roles, although both types of roles are impacted by staff shortages.
- Technical privacy roles are significantly more likely than legal/compliance privacy roles to have increased demand in the next year.
- Experience is considered the most important factor in determining if a privacy-position candidate is qualified.
- The demand for privacy professionals is expected to increase over the next year for both technical privacy professionals and legal/compliance privacy professionals.
- Privacy teams interact most frequently with information security, legal/compliance and risk management teams.
- Enterprises that practice privacy by design are more likely to:
  - Have adequately staffed privacy teams
  - Believe that their board of directors appropriately prioritizes enterprise privacy
  - Require documented privacy policies, procedures and standards
  - Use more privacy controls overall than are legally required
  - Feel their privacy budget is appropriately funded

Survey Methodology
In the fourth quarter of 2022, ISACA sent survey invitations globally to approximately 46,000 ISACA constituents
who hold the ISACA CSX Cybersecurity Practitioner Certification (CSX-P), Certified Information Security Manager (CISM) or Certified Data Privacy Solutions Engineer (CDPSE) designation, or have "privacy" in their job title. Survey data were collected anonymously via Survey Monkey. A total of 1,890 respondents completed the survey; their responses are included in the results. The most commonly held certification is the CISM certification: Seventy-five percent of respondents hold the CISM certification, 42 percent hold the Certified Information Systems Auditor (CISA) certification and 35 percent hold the CDPSE certification. Forty-three percent of respondents are in a management role, 26 percent are in senior leadership positions, 21 percent are individual contributors and 10 percent are in executive leadership positions. Figure 1 shows additional information about survey respondents.

FIGURE 1: Respondent Demographics
[Chart residue; values are listed only where the label-to-value pairing is unambiguous in the extraction.]
Region: North America 47%; Europe 20%; Asia 19%; Africa 4%; Latin America 4%; Middle East 4%; Oceania 3%
Total revenue: Less than $50M 24%; $50M–$99M 13%; $100M–$499M 16%; $500M–$999M 12%; Greater than $1B 34%
Number of employees at organization: 1–249 19%; 250–999 16%; 1,000–4,999 23%; 5,000–24,999 18%; 25,000 or more 25%
Top industries: Technology services/consulting 24%; Financial/banking 23%; Government/military (national/state/local) 13%
Years of experience: bands 1–5, 6–10, 11–15, 16–20, 21–25 and 25+ (values not reliably recoverable from the extraction)
Privacy Staffing
According to the survey findings, the mean number of full-time-equivalent employees who have privacy-related responsibilities within an enterprise is 26, which is slightly higher than last year's average (25). Privacy staff roles include legal/compliance practitioner, technical IT staff, risk professional or security professional. Figure 2 shows the percentage of staff in each of these roles. Privacy practitioners can usually be classified into one of two groups: legal/compliance or technical. Legal/compliance privacy professionals have knowledge of the privacy laws and regulations that apply to an enterprise but may not have extensive technical expertise; technical privacy professionals have the technical expertise to apply controls that help preserve privacy and achieve compliance.

FIGURE 2: Staff Privacy Roles
What percentage of your staff are in the following roles?
(Columns: None / 1–20% / 21–40% / 41–60% / 61–80% / 81–100% / Don't know; "—" marks a value not recoverable from the extraction)
Legal/compliance practitioners: 53% / 13% / 7% / 6% / 6% / 6% / 8%
Technical IT staff (excluding security professionals): 37% / 21% / 14% / 10% / 6% / 4% / 8%
Risk professionals: 51% / 18% / 8% / 5% / 5% / 4% / 4%
Security professionals: 45% / 19% / 11% / 7% / 10% / — / 4%

Both legal/compliance and technical privacy teams are understaffed, according to the ISACA survey results. Forty-four percent of respondents indicate that legal/compliance privacy teams are somewhat or significantly understaffed, and 53 percent of respondents report that
technical privacy teams are somewhat or significantly understaffed. Larger understaffing in technical privacy teams than in legal/compliance teams is consistent with previous years' findings. Although understaffing remains concerning, it has improved from last year (figure 3). This may be due to enterprises prioritizing privacy more compared to last year and/or increasing privacy budgets: 35 percent of last year's survey respondents reported that their privacy budget would increase in the next 12 months. Some enterprises are taking steps to address understaffing. Twenty-seven percent of respondents say that their enterprises have open legal/compliance privacy positions, and 34 percent indicate they have open technical privacy roles. Often, filling privacy positions can be time consuming (figures 4 and 5).

FIGURE 3: Privacy Understaffing Compared With Last Year
Percentage of respondents reporting roles somewhat or significantly understaffed, 2022 vs. 2023
Legal/compliance: 46% (2022), 44% (2023)
Technical privacy: 55% (2022), 53% (2023)

FIGURE 4: Time to Fill Open Legal/Compliance Privacy Positions
On average, how long does it take to fill legal/compliance privacy positions with a qualified candidate?
[Chart residue; the duration bands and their values are not recoverable from the extraction.]

FIGURE 5: Time to Fill Open Technical Privacy Positions
On average, how long does it take to fill technical privacy positions with a qualified candidate?
[Chart residue; the duration bands and their values are not recoverable from the extraction.]

FIGURE 6: Importance of Factors Determining an Applicant's Qualifications
How important are each of the following factors in determining if a privacy candidate is qualified?
(Columns: Very important / Somewhat important / Not very important / Not at all important; "—" marks a value not recoverable from the extraction)
Compliance/legal experience: 62% / 34% / 3% / 1%
Prior hands-on experience in privacy role: 58% / 38% / 4% / 0%
Technical experience: 51% / 42% / 6% / 0%
Credentials held: 40% / 52% / 7% / —
Completion of hands-on training courses in privacy: 28% / 53% / 17% / —
University degree: 26% / 46% / 24% / 5%
Recommendation from previous employer: 22% / 46% / 27% / 5%

Although some survey respondents report that the time to fill open privacy positions decreased
in the past year, most report that the amount of time to fill roles increased or stayed the same. For legal/compliance roles, 14 percent of respondents say that the time to fill positions somewhat or significantly decreased, 19 percent report that it significantly or somewhat increased and 31 percent say that it stayed the same. Time to fill technical privacy positions is similar, with 16 percent saying that it somewhat or significantly decreased, 23 percent saying that it significantly or somewhat increased and 30 percent indicating it stayed the same. One challenge to quickly filling roles is a lack of qualified applicants. For approximately one-fifth of respondent enterprises, less than one-quarter of privacy-position applicants were well qualified for the positions to which they applied (for both legal/compliance and technical privacy positions). Experience is the primary factor in determining an applicant's qualifications. Figure 6 shows the importance of factors that are used to evaluate if a privacy candidate is qualified.

According to 76 percent of ISACA survey respondents, expert-level privacy roles are the most difficult level to
hire, followed by the practitioner knowledge level (51 percent) and entry-level/foundational knowledge level (12 percent).

Skill Gaps
Survey respondents identify a lack of experience with different types of technologies and/or applications as the biggest skill gap in current privacy professionals (indicated by 63 percent of respondents); this aligns with the finding that experience is the most important factor when evaluating privacy-position candidates (figure 6). Fifty-four percent of respondents report that experience with frameworks and/or controls is a large skill gap. The next most commonly identified skill gap is understanding the laws and regulations to which an enterprise is subject (46 percent), followed closely by a lack of technical expertise (45 percent). Other skill gaps include:
- Business insight (39 percent)
- IT operations knowledge and skills (38 percent)
- Soft skills, such as communication, flexibility and leadership (34 percent)
- Networking and/or other infrastructure knowledge and skills (33 percent)
- Business ethics (18 percent)
Enterprises are working to reduce these skill gaps. Figure 7 shows the solutions that enterprises are applying.

FIGURE 7: Methods of Addressing the Privacy Skills Gap
Which, if any, of the following has your organization undertaken to help decrease this privacy skills gap? Select all that apply.
Training to allow nonprivacy staff who are interested to move into privacy roles: 49%
Increased use of contract employees or outside consultants: 38%
Increased use of performance-based training to attest to actual skill mastery: 25%
Increased reliance on artificial intelligence or automation: 20%
Organization has no privacy skills gap: 4%
Other: 1%
Increased reliance on credentials to attest to actual subject matter expertise; Nothing has been done; Don't know: 25%, 13% and 12% (pairing not recoverable from the extraction)

Privacy Budgets
In addition to privacy skill deficiencies, insufficient budgets contribute to the staffing challenges that privacy teams face. Forty-two percent of ISACA survey respondents report that their enterprise privacy budget is somewhat or significantly underfunded, 36 percent say it is appropriately funded, seven percent say it is significantly or somewhat overfunded and 14 percent do not know. This is a slight improvement from last year, when 45 percent of respondents felt their privacy budget was underfunded, and a larger improvement from 2021, when 49 percent of survey respondents believed their privacy budget was underfunded. Those respondents who feel that their privacy budget is appropriately funded increased from 33 percent last year to 36 percent this year. These improvements may indicate that enterprises are beginning to recognize the importance of privacy and are taking steps
to improve funding. Although the percentage of respondents that believe that their enterprise privacy budget will significantly or somewhat increase in the next 12 months decreased slightly to 34 percent, from 35 percent last year, that decrease may be due to the increased percentage of respondents who believe that their privacy budget is appropriately funded and therefore may not see a need to increase funding. Twelve percent of respondents believe that their privacy budget will somewhat or significantly decrease in the next 12 months, an increase from eight percent last year, so some enterprises will likely need to scale back and make do with the limited resources they have.

Privacy Program Trends
Depending on an enterprise's structure and the skills and competencies of executives, the role accountable for enterprise privacy varies. Figure 8 shows the role primarily accountable for privacy in survey-respondent enterprises. Twenty-one percent of respondents say the chief privacy officer is accountable for privacy. Sixteen percent of respondents say the chief information officer is accountable for privacy, and 14 percent say the executive-level security officer, e.g., chief information security officer (CISO) or chief security officer (CSO), is accountable. Ensuring the appropriate person is accountable for privacy is essential because this individual can help guide efforts in the event of a breach and advocate for the privacy team, including advocating for funding and other resources. This accountability also improves the alignment of privacy with other organizational objectives. Thirty-nine percent of respondents say that a lack of executive or business support is an obstacle to forming a privacy program, and 38 percent of respondents say that a lack of visibility and influence in the organization
is an obstacle; these challenges can be mitigated by having a strong C-level privacy advocate. Figure 9 shows additional challenges enterprises face when forming a privacy program.

FIGURE 8: Accountability for Privacy
Who is primarily accountable for privacy in your organization?
Chief privacy officer: 21%
Chief information officer: 16%
Executive-level security officer (e.g., CISO, CSO): 14%
Remaining categories (chief executive officer; general counsel/chief legal officer; chief compliance officer; board of directors; other; don't know; the organization does not have a person accountable for privacy): 13%, 10%, 9%, 5%, 4%, 4% and 2% (pairing not recoverable from the extraction)

FIGURE 9: Obstacles to Forming a Privacy Program
Which, if any, of the following are obstacles faced by an organization in its ability to form a privacy program? Select all that apply.
Lack of competent resources: 42%
Lack of clarity on the mandate, roles and responsibilities: 40%
Lack of executive or business support: 39%
Lack of visibility and influence within the organization: 38%
Complex international legal and regulatory landscape; Management of risk associated with new technologies; Lack of a privacy strategy and implementation roadmap: 38%, 32% and 31% (pairing not recoverable from the extraction)
No obstacles exist; Don't know: 9% and 7% (pairing not recoverable from the extraction)
Other: 1%

FIGURE 10: Frequency of Meetings Between Technical and Legal/Compliance Privacy Professionals
How often do technical privacy professionals meet with legal/compliance professionals to understand legal and regulatory requirements?
Never: 6%
1–2 times per year: 25%
Quarterly: 28%
Monthly: 17%
Weekly: 7%
As new privacy laws/regulations go into effect: 17%

Privacy Team Interaction With Other Areas
Given the challenges of understanding the legal and regulatory landscape of privacy, it is imperative that technical privacy professionals work closely with legal/compliance privacy professionals. These teams should meet regularly to understand their legal and regulatory obligations and ensure that technical controls are in place
to achieve compliance. Figure 10 shows how frequently technical privacy professionals meet with legal/compliance privacy professionals in survey-respondent enterprises. Twenty-eight percent of respondents say that their technical privacy professionals and legal/compliance privacy professionals meet quarterly, 25 percent say that these professionals meet once or twice a year and 17 percent report that they meet monthly. Another 17 percent of respondents report that their technical and legal/compliance privacy professionals meet when new privacy laws and regulations go into effect. It is concerning that nearly one-third of respondents meet less than quarterly. The regulatory landscape is rapidly changing, and the evolution of business operations may necessitate more frequent meetings between technical and legal/compliance privacy professionals. Equally concerning is that nearly one-fifth of respondents only meet when new privacy laws and regulations go into effect; privacy efforts may be reactionary and delayed if meetings are prompted only when the compliance landscape changes. Privacy teams must work cross-functionally to ensure privacy considerations exist throughout the enterprise. Survey respondents report that their privacy teams continually interact with information security (32 percent of respondents), legal and compliance (29 percent of respondents) and risk management (22 percent of respondents). Privacy teams also interact regularly with IT operations and development, procurement, internal audit, human resources, sales/marketing/customer relations, finance, product/business development and public and media relations.

Boards of Directors' Privacy Involvement
A board of directors' approach to privacy can greatly impact the day-to-day operations of a privacy team. Most survey respondents believe that their board of directors adequately prioritizes privacy. Fifty-five percent of respondents believe that their board adequately prioritizes privacy, 22 percent do not believe that their board prioritizes privacy and 20 percent do not know. (Three percent responded that it is not applicable.) The seemingly large percentage of respondents who do not know if their board prioritizes privacy may be due to a lack of communication from the board. This result may also signal a disconnect between a board's expression of support for privacy and its lack of actions that show that support. Boards may view privacy from a few different perspectives. Figure 11 shows how boards of directors may view privacy programs. There are many concerns associated with having a purely compliance-driven privacy approach. The global privacy landscape is evolving
rapidly. Organizations whose primary focus is achieving compliance may find themselves struggling to catch up. A purely compliance-driven view of a privacy program may signal that privacy initiatives are reactive rather than proactive: privacy teams may always feel a step behind compliance and unable to work best to protect data subjects' privacy.

FIGURE 11: How Boards of Directors View Privacy Programs
Do you think your board of directors views your enterprise's privacy program as:
Compliance driven (the privacy program serves to achieve compliance with applicable laws and regulations): 33%
Ethically driven (the need to protect privacy is important to the enterprise's mission regardless of existing laws and regulations); A combination of both: 53% and 14% (pairing not recoverable from the extraction)

Monitoring Privacy Programs
It is crucial that enterprises monitor their privacy programs. Regular monitoring helps enterprises identify and evaluate what they are doing well and areas for improvement. As enterprises increase privacy-program monitoring, they can see how their privacy programs evolve. Figure 12 shows the common ways of monitoring the effectiveness of privacy programs. Thirty percent of respondent enterprises evaluate the number of privacy incidents as a metric to indicate the effectiveness of their privacy programs. This metric should be combined with another monitoring mechanism; an organization that looks solely at the number of privacy incidents will not know about its privacy program weaknesses until an incident happens, at which point the reputational damage and loss of trust may be irreversible. Significant fines can also result from privacy incidents, so it is best to use forward-looking metrics to evaluate the effectiveness of a privacy program to avoid these high penalties.

FIGURE 12: How Enterprises Monitor Privacy-Program Effectiveness
How does your organization monitor the effectiveness of its privacy program? Select all that apply.
Perform a privacy impact assessment (PIA): 45%
Perform a privacy risk assessment: 45%
Perform a privacy self-assessment: 36%
Undergo a privacy audit/assessment: 35%
Evaluate the number of privacy incidents: 30%
No monitoring is performed; Don't know: 9% and 11% (pairing not recoverable from the extraction)
Other: 1%

FIGURE 13: Frequency of Privacy Awareness Training
When does your organization provide privacy training? Select all that apply.
Annually: 65%
As part of new hire training: 52%
Quarterly: 17%
No privacy training is conducted: 15%
After the occurrence of a significant event; Don't know: 6% and 7% (pairing not recoverable from the extraction)
Other: 2%

FIGURE 14: Metrics to Evaluate Privacy Awareness Training Effectiveness
What metrics does your organization track to evaluate the privacy training program's effectiveness? Select all that apply.
Number of employees who have completed privacy training: 65%
Number of privacy incidents: 54%
Number of privacy complaints received from customers: 36%
Comparison of pre- and post-training assessments: 23%
Other: 6%

Privacy Awareness Training
Privacy teams may be small and understaffed, but everyone in an enterprise plays a role in preserving privacy, which is why privacy awareness training is so crucial. Eighty-five percent of respondent enterprises provide privacy training for employees. Figure 13 shows the frequency with which privacy awareness training is provided. Privacy awareness training should be provided with some regularity, and, because of the rapidly changing privacy regulatory landscape and technology, training should be reviewed and revised periodically. Fifty-nine percent of respondents say that their enterprise reviews and revises privacy awareness training annually, 24 percent review and revise training as new laws and regulations go into effect, nine percent review it every two to five years and four percent do not revise their privacy training. To evaluate if employees are benefitting from privacy awareness training, enterprises should monitor their training programs. Figure 14 shows the metrics
that respondent enterprises use to evaluate privacy training program effectiveness. Relying solely on the number of privacy incidents and/or the number of privacy complaints received from customers is problematic because it is reactive; enterprises will not know training is ineffective until a privacy incident occurs or a privacy complaint is received. Although tracking the number of people who complete privacy training may be valuable, it does not reveal the efficacy of the privacy training; it treats training as a check-the-box exercise without evaluating if employees are learning anything from it. Pre- and post-training assessments are a stronger metric, as they demonstrate if staff have learned from the training programs. If there is no difference or a minimal difference between pre- and post-training assessments, that may be an indicator that the privacy awareness training needs to be revised.

Most respondents believe that privacy training programs benefit their enterprise. Twenty-six percent of respondents say that privacy training and awareness programs have a strong positive impact, and 47 percent say they have some positive impact. In 57 percent of respondent enterprises, privacy awareness training is separate from security awareness training, while 31 percent of respondent enterprises do not separate privacy awareness training from security awareness training. Although privacy and security training can be combined in a way that teaches both topics, a concern is that privacy-specific topics are not covered thoroughly in combined training. It is impossible to have privacy without security, but security does not necessarily guarantee privacy.

Privacy Frameworks, Laws and Regulations
Eighty-two percent of respondents use a framework or law/regulation to manage privacy in their enterprises. For 73 percent of respondents, it is mandatory to address privacy with documented privacy policies, standards and procedures. The top three frameworks and regulations most commonly used to manage privacy are:
- General Data Protection Regulation (GDPR): 50 percent
- US National Institute of Standards and Technology (NIST) Privacy Framework: 46 percent
- ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls: 36 percent
Unsurprisingly, regional variations exist for the frameworks and regulations used to manage privacy. Seventy-nine percent of European respondents use GDPR. It may be surprising that only 79 percent of respondents in Europe use GDPR, but this may be partially attributable to Brexit.
Sixty-one percent of respondents in the United States use the NIST Privacy Framework. Given the myriad privacy laws and regulations in effect, some enterprises struggle to identify and understand their privacy obligations. Twenty-three percent of ISACA survey respondents say that it is difficult or very difficult to identify and understand their privacy obligations. This finding emphasizes how important it is for technical privacy professionals to meet with legal/compliance privacy professionals on a regular basis, as many technical privacy experts do not have the legal background to understand the specific provisions of laws and regulations. A previous section in this report revealed that privacy budgets appear to be more adequately funded this year than last year, and understaffing seems to be improving. Part of the reason for this may be that enterprises felt the strain on their privacy teams and increased privacy budgets and staff sizes accordingly. This strain may be caused partially by an increase in data-subject requests. Thirty-four percent of respondents say that the number of data-subject requests has somewhat or significantly increased.

Privacy Breaches and Failures
Protecting data and achieving compliance with privacy laws and regulations can be challenging, but 45 percent of respondents are completely or very confident in their privacy team's ability to ensure data privacy and achieve compliance with new privacy laws and regulations. Some of this confidence may come from an understanding of common privacy failures. Figure 15 shows these privacy failures.

FIGURE 15: Most Common Privacy Failures
In your opinion, which of the following are the most common privacy failures in an organization? Select all that apply.
Lack of training or poor training: 49%
Not practicing privacy by design: 42%
Data breach/leakage: 42%
Not performing a risk analysis; Social engineering; Bad or nonexistent detection of personal information; Noncompliance with applicable laws and regulations: 41%, 39%, 37% and 34% (pairing not recoverable from the extraction)
Ethical decision making: 16%
Don't know: 10%
Other: 2%

FIGURE 16: Material Privacy Breaches Compared to Last Year
Is your organization experiencing an increase or decrease in material privacy breaches as compared to a year ago?
Response options: More breaches; Fewer breaches; The same number of breaches; Prefer not to answer; Don't know. Values 33%, 26%, 21%, 16% and 5% (pairing not recoverable from the extraction).

Only 11 percent of respondents report that their enterprise experienced a material privacy breach in the past 12 months, which is slightly higher than last year (10 percent). Sixty-four percent of respondents report that their enterprise did not have a privacy breach, 17 percent do not
know and nine percent preferred not to answer. Although the percentage of respondents who do not know may seem high, it is possible that they know a security incident occurred but are unsure if personal information was compromised. Dwell time (the time between a breach and when an enterprise discovers the breach) may have also influenced why so many respondents do not know if a privacy breach occurred. Figure 16 shows the number of enterprises experiencing more or fewer breaches than last year.

Privacy by Design
Privacy by design is a systems engineering method that "mandates that any system, process or infrastructure that uses personal data consider privacy throughout its development life cycle and identify possible risk to the rights and freedoms of the data subjects and minimize them before they can cause actual damage."[1] Figure 17 shows how often respondent enterprises practice privacy by design. Thirty percent of respondents indicate that their enterprises always practice privacy by design, and 30 percent of respondents say that their enterprises frequently practice privacy by design. Some interesting trends emerge when comparing the enterprises that always practice privacy by design to the total number of respondent enterprises. Those that always practice privacy by design:
- Are more likely to separate privacy training from security training (65 percent vs. 57 percent total)
- Have survey respondents who are one-and-a-half times more likely to be completely or somewhat confident in their organization's ability to ensure the privacy of its sensitive data (65 percent vs. 40 percent total)
- Are more likely to rely on artificial intelligence (AI) or automation (25 percent vs. 20 percent total)
Given that not practicing privacy by design is viewed as a common privacy failure (figure 15), it is surprising that more enterprises do not always practice it. The reason may be that enterprises that always practice privacy by design are more likely to have resources that enable them to do so (figure 18).

FIGURE 17: Frequency of Practicing Privacy by Design
How often does your enterprise practice privacy by design?
Always: 30%
Frequently: 30%
Sometimes; Rarely; Never: 26%, 10% and 4% (pairing not recoverable from the extraction)

FIGURE 18: Trends in Enterprises That Always Use Privacy by Design
(Enterprises that always practice privacy by design vs. total respondents)
The median privacy staff size: 19 vs. 10
Feel that their privacy department is adequately staffed: 44% vs. 34%
Feel that their board properly prioritizes privacy: 76% vs. 55%

[1] ISACA, "Eight Strategies to Help Organizations Implement Privacy by Design and Default," 21 October 2021, https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2021/eight-strategies-to-help-organizations-implement-privacy-by-design-and-default

The median privacy staff size among enterprises that always practice privacy by design is almost twice as large: 19, compared to 10 for total respondents. Forty-four percent of respondent enterprises that always practice privacy by design feel that their privacy department is adequately staffed, compared to 34 percent of total respondents. It also appears that the boards of directors of enterprises that always practice privacy by design better prioritize privacy; 76 percent of these enterprises feel that their board properly prioritizes privacy, compared to just 55 percent of total respondents. Respondents from enterprises that always practice privacy by design are significantly more likely to be completely or somewhat confident in their team's ability to ensure data privacy and achieve compliance with new privacy laws and regulations. Seventy-six percent of these respondents feel completely or somewhat confident in this ability, compared to 35 percent of total respondents. Those who always practice privacy by design are less likely to have boards that view privacy programs as purely compliance driven (24 percent vs. 33 percent). Given that a key tenet of privacy by design is that privacy should be proactive and not reactive, and purely compliance-driven programs are often reactive, it makes sense that enterprises that always practice priva
113、cy by design do not operate reactively.The Future of PrivacyThe numerous new privacy laws and regulationsand data subjects increased attention to privacyindicate that privacy is important,and the work of privacy professionals is crucial to an enterprises success.Given the various requirements privac
114、y teams must meet and the growing number of international privacy laws and regulations,it makes sense that the demand for privacy professionals is expected to grow in the next year.Sixty-two percent of respondents say the demand for legal/compliance roles will increase in the next year,and 69 percen
115、t say the demand for technical privacy positions will increase.A primary responsibility of privacy professionals is to respond to privacy breaches.Figure 19 shows the likelihood of experiencing a privacy breach in the next year.FIGURE 19:Likelihood of a Material Privacy Breach in the Next YearHow li
116、kely is it that your organization will experience a material privacy breach next year?4%11%Very likelyLikelyNeither likely nor unlikely22%UnlikelyVery unlikelyDont know20%21%Prefer not to answer12%How likely is it that your organization will experience a material privacy breach next year?10%20PRIVAC
117、Y IN PRACTICE 2023 2023 ISACA.All Rights Reserved.Approximately one-fifth of respondents do not know the likelihood of experiencing a privacy breach in the next year.This may indicate that privacy risk is an area that is not very mature or that enterprises are just not prioritizing it.The challenges
118、 in hiring the right people for privacy positions and the consequences of a material privacy breach are leading some enterprises to start or plan to use AI for privacy.Figure 20 shows respondent enterprise use of AI for privacy.More respondents use AI this year than last year,but the same number of
119、respondents say they plan to use AI for privacy in the next 12 months.Given the significant understaffing of privacy teams,it is surprising that nearly 38 percent of respondents do not plan to use AI.This result may be because of the privacy-related concerns associated with AI.2 The large number of
120、respondents who do not know of plans to use AI for privacy may also be explained by these concerns surfacing when considering AI for privacy-related functions.FIGURE 20:Plans to Use AI for Privacy-Related TasksWhat are your organizations plans to use AI(bots or machine learning)to perform any privac
121、y-related tasks?11%20%We currently use AI for this functionWe plan to use AI for thisfunction in the next 12 monthsWe have no plans to useAI for this function38%Dont know31%2 Pearce,G.;“Beware the Privacy Violations in Artificial Intelligence Applications,”ISACA Now Blog,28 May 2021,https:/www.isaca
122、.org/resources/news-and-trends/isaca-now-blog/2021/beware-the-privacy-violations-in-artificial-intelligence-applicationsConclusionData can provide information about an individuals health,religion,orientation,political beliefs and more.Protecting data subjects privacy is critical to building and pres
123、erving digital trust,so enterprises must prioritize privacy accordingly.The number of privacy laws and regulations will only increase in the coming years,and making headlines for a privacy violation can damage trust with consumers.Despite the challenges associated with data privacy,the ISACA survey
124、reveals good news:It appears that enterprise budgets have started adjusting for the growing emphasis on privacy.Privacy teams are larger this year than they were last year.Although there is room for improvement,and many enterprises believe they need more resources,enterprises are moving toward bette
125、r supporting their privacy teams.21PRIVACY IN PRACTICE 2023 2023 ISACA.All Rights Reserved.AcknowledgmentsISACA would like to recognize:Board of Directors Pamela Nigro,Chair CISA,CGEIT,CRISC,CDPSE,CRMA Vice President,Security,Medecision,USAJohn De Santis,Vice-Chair Former Chairman and Chief Executiv
126、e Officer,HyTrust,Inc.,USANiel Harper CISA,CRISC,CDPSE,CISSP Chief Information Security Officer,Data Privacy Officer,Doodle GmbH,GermanyGabriela Hernandez-Cardoso Independent Board Member,MexicoMaureen OConnell NACD-DC Board Chair,Acacia Research(NASDAQ),Former Chief Financial Officer and Chief Admi
127、nistration Officer,Scholastic,Inc.,USAVeronica Rose CISA,CDPSE Senior Information Systems AuditorAdvisory Consulting,KPMG Uganda,Founder,Encrypt Africa,KenyaGerrard Schmid Former President and Chief Executive Officer,Diebold Nixdorf,USABjorn R.Watne CISA,CISM,CGEIT,CRISC,CDPSE,CISSP-ISSMP Senior Vic
128、e President and Chief Security Officer,Telenor Group,USAAsaf Weisberg CISA,CISM,CGEIT,CRISC,CDPSE,CSX-P Chief Executive Officer,introSight Ltd.,IsraelGregory Touhill CISM,CISSP ISACA Board Chair,2021-2022 Director,CERT Center,Carnegie Mellon University,USATracey Dedrick ISACA Board Chair(2020-2021)a
129、nd Interim Chief Executive Officer Former Chief Risk Officer,Hudson City Bancorp,USABrennan P.Baybeck CISA,CISM,CRISC,CISSP ISACA Board Chair,2019-2020 Vice President and Chief Information Security Officer for Customer Services,Oracle Corporation,USARob Clyde CISM,NACD-DC ISACA Board Chair,2018-2019
130、 Independent Director,Titus,Executive Chair,White Cloud Security,Managing Director,Clyde Consulting LLC,USA22PRIVACY IN PRACTICE 2023 2023 ISACA.All Rights Reserved.About ISACAISACA(www.isaca.org)is a global community advancing individuals and organizations in their pursuit of digital trust.For more
131、 than 50 years,ISACA has equipped individuals and enterprises with the knowledge,credentials,education,training and community to progress their careers,transform their organizations,and build a more trusted and ethical digital world.ISACA is a global professional association and learning organizatio
132、n that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security,governance,assurance,risk,privacy and quality.It has a presence in 188 countries,including 225 chapters worldwide.Through its foundation One In Tech,ISACA supports IT educati
133、on and career pathways for underresourced and underrepresented populations.DISCLAIMERISACA has designed and created Privacy in Practice 2023(the“Work”)primarily as an educational resource for professionals.ISACA makes no claim that use of any of the Work will assure a successful outcome.The Work sho
134、uld not be considered inclusive of all proper information,procedures and tests or exclusive of other information,procedures and tests that are reasonably directed to obtaining the same results.In determining the propriety of any specific information,procedure or test,professionals should apply their
135、 own professional judgment to the specific circumstances presented by the particular systems or information technology environment.RESERVATION OF RIGHTS 2023 ISACA.All rights reserved.1700 E.Golf Road,Suite 400 Schaumburg,IL 60173,USAPhone:+1.847.660.5505Fax:+1.847.253.1755Support:support.isaca.orgWebsite:www.isaca.orgParticipate in the ISACA Online Forums:https:/engage.isaca.org/onlineforumsTwitter: in Practice 2023