Login
As part of Cisco’s recognition of International Data Privacy Day, today we released the Cisco 2023 Data Privacy Benchmark Study, our sixth annual review of key privacy issues and their impact on business. Drawing on responses from more than 3100 organizations in 26 geographies, the findings show that organizations continue to prioritize and get attractive returns from their privacy investments, while integrating privacy into many of their most important processes, including sales motions, management metrics, and employee responsibilities.
Nearly all organizations have recognized the importance of privacy to their business. Ninety-four percent (94%) of respondents said their customers wouldn’t buy from them if their data was not properly protected, and 95% said privacy has become a business imperative.
Even in a difficult economic environment, the average privacy spend in 2022 was $2.7 Million, up 125% from 3 years ago. Estimated benefits from privacy rose to $3.4 Million with significant gains across all organization sizes. The average organization is getting benefits of 1.8 times spending, meaning they get $180 of benefit for each $100 invested in privacy. Thirty-six percent (36%) of organizations are getting returns at least twice their spending with many getting returns upwards of 3 or 5 times.
More organizations are recognizing that everyone across the organization plays a vital role in protecting personal data. Ninety-five percent (95%) of survey respondents said that “all of their employees” need to know how to protect data privacy. Among the security professionals who completed our survey, one-third (33%) included data privacy in their top three areas of responsibility.
Another important indication of privacy’s importance to the organization is the use of privacy metrics. Ninety-eight percent (98%) of organizations said they are reporting one or more privacy-related metrics to the Board of Directors. The average number of privacy metrics was 3.1, which is up from 2.6 in last year’s survey. The most-reported metrics include the status of any data breaches, impact assessments, and incident response.
Privacy legislation continues to be very well-received around the world. Seventy-nine percent (79%) of all corporate respondents said privacy laws have had a positive impact, and only 6% indicated that the laws have had a negative impact.
Ninety-six percent (96%) of organizations said they have an ethical obligation to treat data properly. However, when it comes to earning and building customer trust, their priorities are not fully consistent with those of consumers. Transparency – providing easily accessible and clear information about how their data is being used – was the top priority (39%) for respondents in the consumer survey, well ahead of not selling personal information or complying with privacy laws. Yet, when asked what builds trust for consumers, organizations in the Benchmark Survey selected compliance over transparency. It seems consumers consider legal compliance to be a “given” with transparency more of a differentiator.
This disconnect can also be seen when it comes to the use of Artificial Intelligence (AI). Ninety-six percent (96%) of organizations in our survey believe they have processes already in place to meet the responsible and ethical standards that customers expect. Yet, the majority of consumers don’t see it that way. As reported in our 2022 Consumer Privacy Survey, 65% already have lost trust in organizations over their AI practices. Fortunately, organizations may be starting to get the message that they aren’t doing enough. Ninety-two percent (92%) of respondents said that when it comes to AI applications, their organization needs to be doing more to reassure customers that their data is only being used for intended and legitimate purposes.
Many governments and organizations are putting in place data localization requirements, which forces data to be kept within a country or region. The vast majority (88%) of survey respondents believe that their data would be inherently safer if it is only stored locally. Remarkably, 90% also said that a global provider, operating at scale, can better protect the data compared to local providers. When viewing these two statements together, it seems that while organizations would ideally like to keep their data local, they still prefer and trust a global provider over a local provider. Of course, if they can get both — a local instance set up by a global provider — they would presumably like that even better.
This research suggests that organizations should continue to build and apply privacy capabilities into their operations and solutions, particularly among engineering, IT and security professionals, and those who work with personal data. Transparency is particularly important to customers, and organizations need to do more to reassure customers on how their data is being used, especially when applying and using AI and automated decision-making. Finally, organizations should consider the consequences of data localization requirements and recognize that these add cost and may degrade functionality, privacy, and security.
To learn more, check out the Cisco 2023 Data Privacy Benchmark Study, Infographic, and our Principles for Responsible AI.
Also, the new Cisco 2022 Purpose Report (Power section) and the Cisco ESG Reporting Hub (Integrity and Trust section) to see how trustworthiness, transparency, and accountability are key to Cisco’s approach to security, privacy, and trust.
All this and more can be found on the Cisco Trust Center.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
How do organizations earn and build trust when it comes to the personal data that customers share with them? Customers certainly expect these organizations to comply with all privacy laws that are now in place in more than 130 countries. Customers also expect them not to sell personal data without consent and to try to avoid data breaches that could expose personal data. While these actions are necessary, organizations still need to do more when it comes to customer trust. According to our latest research, consumers’ top priority is, in fact, for organizations to be more transparent about how they use personal data.
The Cisco 2022 Consumer Privacy Survey, released today, explores what organizations can do to earn and build trust with customers, the actions individuals are taking to protect their data, the impact of privacy laws around the world, and some of the benefits and costs of Artificial Intelligence (AI) and data localization requirements. The report, our fourth annual look at consumer privacy issues, draws on anonymous responses from 2600 adults in 12 countries.
Here are some highlights from the survey:
Check out the associated infographic that provides visual and easily consumable descriptions of the key data.
At Cisco, we believe that privacy is a fundamental human right. Privacy continues to be a high priority for consumers, and organizations need to do their part to protect personal data and build consumer confidence in how this data is being used. Some recommendations for organizations include:
Privacy remains a critical element of trust. Consumers want more transparency and control of their personal data, especially as we continue to see innovations in technology. As we are now in the midst of Cybersecurity Awareness Month in the US and other countries around the world, it’s a great time to learn more and join in activities and discussions that advance cybersecurity.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Jason Button is a director at Cisco and leads the company’s Security and Trust Mergers and Acquisitions (M&A) team. He was formerly the director of IT at Duo Security, a company Cisco acquired in 2018, making him uniquely positioned to lend his expertise to the M&A process. This blog is the second in a series focused on M&A cybersecurity, following Jacob Bolotin’s post on Managing Cybersecurity Risk in M&A.
All good relationships are built on trust. Add in transparency, and the union becomes even more substantial. “Trust and transparency underpin everything we do,” says Button, “Cisco takes security, trust, and transparency very seriously, and it’s part of our team’s fabric.”
When Cisco acquires a company, the Security and Trust M&A team looks at not only what they can offer in the way of security but also what unique qualities the acquired company brings to Cisco. These qualities might be related to security, but they’re also found in the acquired company’s culture, technical knowledge, and processes.
In all acquisitions, the M&A team needs to move fast. In fact, the Cisco team is committed to pushing even faster as long as they never compromise on security. Around 2020, Button and his team began taking stock of how it does things. They evaluated everything from the ground up, willing to tease out what is working and toss out what isn’t.
The team is also on a trajectory of identifying how it can digitize and automate security.
“If we were going to do things differently, we needed to be bold about it,” says Mohammad Iqbal, information security architect in the Security and Trust M&A team. One of the changes Iqbal proposed to his colleagues is to ensure that an acquired company is integrated into Cisco’s critical security controls within three months after the acquisition deal closes.
To successfully meet the three-month target, the M&A team works closely with the acquired company to identify and address all non-integrated risks (NIRs) that Cisco inherits from an acquisition and encompass:
NIRs are a subset of eight security domains, or operating norms, that align with Cisco’s security and trust objectives and top priorities of the larger security community (Figure 1). The M&A team’s focus on NIRs steers the due diligence conversation away from identifying the acquisition’s security deficiencies and towards understanding the inherent risks associated with the acquisition and measuring the security liability.
“Acquisitions are coming in with these risks, and so we must address NIRs early when we’re signing non-disclosure agreements. In doing so, we help put these companies in a position to integrate successfully with all the security domains. And this integration should be done in the shortest time possible within a year of close,” Iqbal says.
Building trust and being transparent early on is critical so the acquired company knows what’s expected of them and is ready to accomplish its three-month and first-year goals.
“I wish this type of conversation was offered to me when Cisco acquired Duo,” Button says. “Being on the Duo side of that deal, I would’ve been able to say with confidence, ‘OK, I get it. I know what’s expected of me. I know where to go. I know what I need to do with my team.’”
“We have a limited time window to make sure an acquisition company is heading down the right route. We want to get in there early and quickly and make it easy,” adds Button.
Reducing the manual intervention required by the acquired company is integral to helping the acquisition meet the three-month goal. Here’s where automation can play a significant role and the M&A team is looking toward innovation.
“We’re working on bringing in automated processes to lessen the burden on the acquired company,” says Iqbal. The M&A team realizes that much of the automation can be applied in instrumenting the security controls and associated APIs to help the team move beyond what they have already assessed at acquisition day 0 and gain the visibility they need to get the acquired company to its three-month goal. For example, they can automate getting the acquired company on Cisco’s vulnerability scans, using internal tools, or attaining administrative access privileges.
So, Iqbal, Button, and the rest of the team are working on automating processes—developing the appropriate architecture pipeline and workflows—that help acquired companies integrate critical security controls. While the ability to automate integration with security controls is not novel, the innovation that the M&A team brings to the table is the ability to position an acquired target to integrate with security controls in the most expedited way possible.
As with due diligence, the M&A team strives to complete the discovery phase before the acquisition deal close. Here’s another step where digitization and automation can simplify and shorten processes. Take the acquisition company questionnaire, for instance.
“Instead of asking dozens of questions, we could give the company an audit script to run in their environment,” Iqbal says. “Then, all they have to do is give us the results.”
Also, the questionnaire can be dynamically rendered through a dashboard, improving the user experience, and shortening completion time. For example, the number of questions about containers could automatically retract if the acquired company uses Azure Kubernetes Service.
Many teams within Cisco compete for an acquired company’s time before and after an acquisition deal closes. The acquired company is pulled in several different directions. That’s why the Security and Trust M&A team doesn’t stop looking for ways to digitize and automate security processes after the close—to continue to help make the acquired company’s transition more manageable.
“If we can make processes simple, people will use them and see the value in them within days, not weeks or quarters,” says Button.
“The majority of companies we acquire are smaller,” Button says. “They don’t have large security teams. We want them to tap our plethora of security experts. We want to enable an acquired company to apply Cisco’s ability to scale security at their company. Again, we want things to be simple for them.”
The M&A team helps facilitate simplicity by telling a consistent story (maintaining consistent messaging unique to the acquired company) to all the groups at Cisco involved in the acquisition, including M&A’s extended Security and Trust partners such as corporate security, IT, and supply chain. Because each group deals with different security aspects of the integration plan, it’s essential that everyone is on the same page and understands the changes, improvements, and benefits of the acquisition that are relevant to them. Maintaining a consistent message can go a long way toward reducing complexity.
The human element can easily get overlooked throughout an acquisition’s myriad business, technical, and administrative facets. Balancing the human aspect with business goals and priorities is essential to Button and the entire Security and Trust M&A team. They want to bring the human connection to the table. In this way, trust and transparency are on their side.
“Emotions can run the gamut in an acquisition. Some people will be happy. Others will be scared. If you don’t make a human connection, you’ll lose so much value in the acquisition,” Button says. “You can lose people, skillsets, efforts. If we don’t make that human connection, then we lose that balance, and we won’t be off to a great start.”
One way the M&A team helps maintain that balance is by embracing the things that make the acquired company unique. “It’s vital to identify those things early on so we can protect and nurture them,” says Button.
He also wants to remind companies that they don’t have to be experts at everything asked of them during acquisition. “Cisco has been here for a while. We have entire teams within M&A that are dedicated to doing one thing. We can help acquired companies find out where they’re struggling. We can handle the things they don’t want to deal with.”
“M&A is complex, but complexity is off the chart when you talk about M&A and security. Our team won’t be successful if we can’t find a way to make things easier for the acquired company. They need to understand where they’re headed and why,” Button says. “It’s up to us to motivate them towards a successful outcome.”
Managing Cybersecurity Risk in M&A
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS 