by Daniel J. Solove
As I discussed in a previous post, the two key things that organizations can do to prevent data incidents can be summed up in a simple rhyme:
The C-Suite must care
The workforce must be aware
In this post, I want to focus on the “C-Suite” – a term used for the upper management of an organization, its top officers.
The C-Suite must care about data security.
But far too often, the C-Suite doesn’t fully appreciate the risks and could use a better understanding of the law.
Here are a few facts that are quite troubling:
- A recent study suggests only 32% of IT and IT security practitioners believe their organizations to be “vigilant in protecting regulated data on mobile devices.”
- According to another study, nearly a third of IT security teams never speak with their company’s executives about data security. Of those who do, conversations are rare.
- A recent HIMSS Security Survey found that only 52% of healthcare organizations have a full-time resource for security.
These facts indicate the C-Suite needs to pay a lot more attention to data security officials. Indeed, I think that the C-Suite needs to pay more attention to privacy officials too because privacy and security go hand-in-hand. I think that the C-Suite needs to meet with the privacy and security officials each week.
I know that isn’t likely to happen, but there should be constant dialogue.
Resources for security and privacy at many organizations must be increased dramatically.
Why does the C-Suite need to be paying more attention?
1. Privacy and security risks are quite costly. There are costs from forensic investigations, regulatory investigations, regulatory fines, lawsuits, data breach notification expenses, lawyers and consultants, PR professionals, and remedial measures.
2. A privacy or security incident takes a lot of time. Many people, including folks in the C-Suite, must deal with public relations and the media. Incidents are tremendously time-consuming, and these lost hours have a tremendous cost.
The best medicine is prevention. And that means: (1) more resources; and (2) more workforce training.
I recommend that all CEOs should drink coffee with their privacy and security officers one morning and ask: “Is there anything more we should be doing to protect data?”
The answer will most likely require another cup of coffee.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security awareness training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 800,000 followers.