WHERE CYBERSECURITY IS HEADING—FAST

Perspectives

The pressure to protect personal data has most multinationals fighting to stay ahead.


Making a little beer money by participating in a clinical trial is a part-time job for a large portion of college kids around the world; a Google search for “clinical trials for college students” returns 262 million results. Now, under Europe’s new General Data Protection Regulation (GDPR), those kids can request that the data from their side hustle as a human guinea pig be deleted.

Prevailing wisdom in legal and healthcare circles is that this part of GDPR, known as the “right to be forgotten,” doesn’t apply to clinical trial data, however. To be sure, as written, it sets out a few exemptions that would cover clinical trial research, such as when an erasure request would seriously impair the results of a trial or the data is needed for legal or public health purposes. As it currently stands, researchers are required to retain clinical trial data for a specified period of time, sometimes 10 years or more. But, whether the question is decided by an actual court or by the court of public opinion, do organizations really want to test the limits of this provision? Is it worth the risk, for instance, to challenge a privacy request?

The problem: Data privacy is changing from a cybersecurity issue to a critical business one for organizations.

Why it matters: Chief security officers are already stretched thin from their ever-growing responsibilities.

The solution: With the stakes so high, organizations need to establish a primary role for a C-suite executive to own data privacy.


It’s a question that leaders of organizations around the world are asking. Employees, consumers, politicians, investors, and other stakeholders are as well. With data breaches, identity theft, and other ways of illegally harvesting personal data an omnipresent part of digital life, privacy is transforming from a cybersecurity issue to a business one.

“People are increasingly looking at organizations through a privacy lens,” says Jamey Cummings, a senior client partner at Korn Ferry and co-leader of the firm’s Cybersecurity practice.

Organizations are taking notice. Part of the reason Apple CEO Tim Cook has been so vocal about the tech industry’s need to take privacy more seriously is to position Apple as a company people can trust. American Express’s ubiquitous commercials starring Tina Fey close by reminding consumers that it is the go-to financial company for security. If security is about how organizations protect personal data, then privacy is about how that data is used. Put another way, privacy is no longer only a question of what is legal to do. Rather, it is a question of what is ethical to do, and what is ethical is being defined more and more by consumers and users.

Aileen Alexander, senior client partner and co-leader of Korn Ferry’s Cybersecurity practice, says the need for a C-suite executive that owns data privacy will become more important as organizations seek to collect and use more data in ways that haven’t been done before.

“The responsibility for privacy cannot and should not simply be added to those of the chief security officer or general counsel,” says Alexander. “It can report in to one of those functions, but privacy is becoming so complex and so intertwined with business operations that it needs to be elevated.”

* * *

A decade ago, cybersecurity was still largely considered a component of information technology. It wasn’t until around 2014 that organizations began to fully grasp the devastating effects a data breach can have on shareholder value, market share, reputation, and even long-term survival, and elevated cybersecurity to its own C-suite position.

Since then, the responsibilities of the chief security officer (CSO) or chief information security officer (CISO) have grown in proportion to the number of threats. And there are a lot of threats. In addition to overseeing network security, computer security, and in some cases physical security, the growth in connected devices has put product security under the CSO’s remit. Many cybersecurity breaches still go undetected, in part because there is ever more data, on ever more systems, for attackers to go after. Consider that by some estimates more than 20 billion connected devices will be on the market by 2020. Put another way, that is 20 billion more ways for passwords, credit card numbers, consumer data, proprietary data, financial data, and more to leak, be held for ransom, or be sold on dark markets.

Eighty-two percent of leaders surveyed for the World Economic Forum’s latest Global Risks Report believe cyberattacks leading to financial theft or data fraud will increase this year, citing the “deepening integration of digital technologies into every aspect of life.”

No Sector Is Immune

Not unlike the flu, data breaches and other cyberattacks affect everyone. Per the chart below, from the United States government’s Council of Economic Advisers 2018 report, no sector—and by extension no company—is immune.

Distribution of Security Breaches by Industry (Percentage of 2016 GDP and Breaches)

[Chart: for each industry, its percentage of 2016 GDP plotted beside its percentage of reported breaches, on a scale of 0 to 25 percent. Industries shown: Manufacturing, Public, Real estate, Finance, Healthcare, Professional, Retail, Information, Trade, Construction, Transportation, Administrative, Other services, Management, Agriculture, Utilities, Mining, Education, Entertainment, Accommodations.]

Source: Bureau of Economic Analysis; Verizon; CEA Calculations.


With CSOs already stretched thin from their ever-growing responsibilities, privacy is a frontier that’s too vast and evolving for them to take on in isolation. Moreover, security and privacy aren’t always aligned from a business perspective. “Organizations have a bias for collecting data, but they also have to meet user expectations about how it is being used,” says Katherine Fithen, a managing principal consultant at Secureworks who worked on information security on the Internet when it was still a private network within the US government. Majority-owned by Dell, Secureworks, based in Atlanta, provides technology that detects and fights security breaches.

In the past, there had been waves of discontent over how organizations use personal data from users, but it was nothing like the tsunami of anger that occurred after it was revealed that Cambridge Analytica used Facebook data to create psychological profiles for political gain without users’ consent. The aftermath included hundreds of millions of dollars in lost shareholder value, a #deletefacebook campaign, testimony by CEO Mark Zuckerberg and COO Sheryl Sandberg in Congress, and the implementation of Europe’s GDPR standard across all of Facebook, not just in Europe. To many, the incident crystallized the importance of trust between organization and user in the digital age.

“There’s a lot more about privacy in the media; it has captured people’s attention because there are laws behind it,” says Fithen. “And it is prominent in the minds of executives and boards, because it is in the media and there is actual accountability for meeting those laws.”



Business and political leaders around the world are currently debating whether to adopt universal regulations that govern data privacy, similar to Europe’s GDPR. Some believe there is a need for a harmonized privacy law; others do not. The US tech industry, for instance, historically has been resistant to government regulation. Some business leaders argue that universal regulations would increase the cost of running, managing, and securing the right technology, and would stifle innovation. They also argue that universal regulations would negate the value exchange between organization and user: the data a user is willing to give up in return for a service or product they need.

* * *

Many forward-thinking companies already have chief privacy officer positions, or something akin to one. Over the last year or so, in the lead-up to GDPR taking effect, business leaders and boards increasingly have been pursuing ways to define a framework and reporting relationship that create a C-suite position for privacy. Some organizations have the position report to the CSO, others to the general counsel. In other organizations, the role reports to the chief technology officer, and in at least one case this leader reports to the chief financial officer. The variety of reporting structures is a testament both to how privacy touches all areas of a business and to how confused organizations are about where it belongs.


Creating a Secure Culture: What companies are doing.

ELEVATING PRIVACY
Whether hiring a chief privacy officer or appointing a board director with privacy expertise, organizations are making it a focus of leadership.

CAREER-PATHING
Some are providing education, training, certification programs, and other avenues around privacy skills designed to lead to promotions.

BUILDING RELATIONSHIPS
Consumer trust is one of the most important success factors for a company today, and firms understand that respect for data privacy is a business issue.

FIRE DRILLS
Simulated cyberattacks, system breaches, and other exercises are routinely run to help create and optimize a comprehensive quick-response game plan.

HIRING MORE VETS
Former military personnel are attractive for their tech skills and ability to manage threats.


Wells Fargo’s Rich Baich draws a parallel to the early days of CSOs. Hired as Wells Fargo’s first-ever CISO in 2012—the bank realized earlier than most the importance of security—Baich initially reported to tech. After a restructuring, he then reported to risk management. Late last year, however, his position was moved back under tech. To understand how large the CISO function has grown, consider that over those six years, Baich has deployed more than 30 different security technologies, and his team has filed for more than 50 patents. He also grew his department to 3,000 employees from 550.

Baich says that security and privacy have been working much more closely in recent years. “New regulations require more collaboration with privacy,” he says.

Korn Ferry’s Cummings says that what matters is that organizations recognize privacy as a separate function, either within the C-suite or reporting directly to a member of it; where exactly it sits on the org chart is secondary. Indeed, the constantly evolving expectation of privacy means the skills and character profiles of the talent needed are also evolving. As with CSOs, privacy is no longer just a tech role.

Privacy officers have to be increasingly fluent in customer experience and product development, for instance. They need to have a global perspective and be able to distill complex tech and legal issues into business terms leaders can understand, among other traits.

In fact, given the increasingly public-facing nature of privacy both with employees and consumers, Cummings argues that privacy could also be considered a business services function.

“Privacy can enhance your market reputation and be leveraged by sales and marketing to influence revenue,” he says.

For more information, contact Jamey Cummings at [email protected] or Aileen Alexander at [email protected].

© 2019 Korn Ferry. All rights reserved.