Post on 19-Oct-2014
Privacy & Data Breach Management Benchmarks, Informal Survey, Solutions
Presentation by Dr. Larry Ponemon
Webinar sponsored by Co3 Systems
September 13, 2012
Agenda
• Benchmark Analysis
• Cost Benchmarks
• Informal Influencer Survey
• Market Need For Breach Management Solutions
9/13/2012 Ponemon Institute: Private & Confidential Information 2
About Ponemon Institute
• Ponemon Institute conducts independent research on cyber security, data protection
and privacy issues.
• Since our founding more than 11 years ago, our mission has remained constant: to
enable organizations in both the private and public sectors to gain a clearer
understanding of the practices, enabling technologies and potential threats that
affect the security, reliability and integrity of information assets and IT systems.
• Ponemon Institute research informs organizations on how to improve upon their data
protection initiatives and enhance their brand and reputation as a trusted enterprise.
• In addition to research, Ponemon Institute offers independent assessment and
strategic advisory services on privacy and data protection issues. The Institute also
conducts workshops and training programs.
• The Institute is frequently engaged by leading companies to assess their privacy and
data protection activities in accordance with generally accepted standards and
practices on a global basis.
• The Institute also performs customized benchmark studies to help organizations
identify inherent risk areas and gaps that might otherwise trigger regulatory action.
Benchmark Analysis
Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=89 companies)
Background
• Ponemon Institute has conducted detailed benchmark surveys of corporate privacy
program activities for the past 10 years (starting in January 2003).
• Ponemon Institute has conducted more than 500 separate benchmark studies.
• A total of 89 large, US-based organizations in various industries participated in
this 2012 study (fieldwork concluding in August).
• The primary contact in these organizations was the chief security officer, the chief
information security officer, the chief privacy officer or another individual who has
overall responsibility for privacy & data protection.
• All results were gathered by the researcher. All individual and company-
identifiable information was removed to protect the confidentiality of responding
organizations.
• Caveats – Benchmarks provide descriptive information that may not be
representative of all corporate privacy initiatives.
Industries
Share of participating companies by industry:
Financial services – 21%
Health & pharma – 12%
Retail – 12%
Public sector – 8%
Industrial – 7%
Services – 7%
Consumer products – 6%
Technology & software – 6%
Transportation – 6%
Energy & utilities – 6%
Communications – 3%
Education & research – 2%
Other – 4%
A total of 89 companies participated in this 2012 research
Minimum headcount of participating companies is > 1,000
Overall Benchmark Score
Benchmark score by organizational size (FTE headcount):
> 25,000 FTE – 61%
5,000 to 25,000 FTE – 47%
< 5,000 FTE – 42%
Overall – 53%
The benchmark scores for the 2012 sample of 89 companies are presented in a percentage form.
These scores are compiled from a proprietary instrument containing 130 items presented in seven
(7) sections. Each section is weighted equally for purposes of comparison.
Overall Benchmark Score
Score by section (2012):
Policy – 79%
Com (training & communications) – 56%
Mgmt (program management) – 42%
Security – 70%
Compliance – 61%
Choice – 33%
Redress – 29%
Benchmarks on Privacy Policies
Item scores, 2012:
Acceptable use policies for mobile devices (BYOD) – 38%
Acceptable use policies for social media – 41%
Harmonized approach to global policies – 43%
Centralized version control procedures – 49%
Section score by year:
Year:  2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Score:  56%  59%  60%  63%  62%  65%  68%  71%  76%  79%
Benchmarks on Training & Communications
Item scores, 2012:
Privacy awareness for customers – 12%
Privacy awareness for business partners – 15%
Incident response training for readiness – 29%
Metrics for assessing training effectiveness – 30%
Specialized training for high risk employees – 37%
Mandatory training for all employees – 41%
Section score by year:
Year:  2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Score:  46%  47%  45%  48%  46%  50%  52%  50%  52%  56%
Benchmarks on Privacy Program Management
Item scores, 2012:
Independent audit or assessment – 17%
Data inventory for sensitive PI – 21%
Formal privacy or data governance strategy – 29%
Adequacy of program resources – 33%
Centralized authority – 35%
Section score by year:
Year:  2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Score:  40%  41%  39%  40%  46%  50%  52%  48%  44%  42%
Benchmarks on Data Security
Item scores, 2012:
Privileged user visibility – 24%
Extensive use of data loss prevention tools – 27%
Controls over PI data in cloud environments – 29%
Extensive use of encryption for data at rest – 31%
Alignment of privacy and cyber security strategy – 33%
Section score by year:
Year:  2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Score:  50%  53%  59%  64%  66%  65%  68%  66%  68%  70%
Benchmarks on Privacy Compliance & Monitoring
Item scores, 2012:
Evaluation of information theft upon employee termination – 21%
Board level reporting – 21%
Advanced assessments of marketing campaigns – 22%
Mock regulatory audits or assessments – 25%
Compliance monitoring over contract and temporary employees – 29%
Section score by year:
Year:  2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Score:  39%  41%  40%  43%  46%  45%  48%  54%  59%  61%
Benchmarks on Consent & Choice
Item scores, 2012:
Readiness for do not track – 18%
Global harmonization of consumer preferences – 18%
Rigorous monitoring of secondary uses of sensitive PI – 22%
Testing that customer preferences are honored – 23%
Exclusive use of permission-based lists for customer/consumer contact – 26%
Section score by year:
Year:  2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Score:  35%  33%  28%  33%  34%  32%  33%  30%  35%  33%
Benchmarks on Redress & Enforcement
Item scores, 2012:
Enforcement actions reported to executive management – 20%
Specific timeline to investigate incidents – 21%
Escalation procedures – 24%
Redress process involves the privacy leader – 26%
Whistle blowing protection – 27%
Section score by year:
Year:  2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
Score:  27%  28%  32%  33%  34%  35%  36%  33%  31%  29%
Net change over 10 years
The 2012 sample consists of 89 companies and the 2003 sample of 68 companies. Please note
that both samples were matched by organizational headcount (size), industry sector and
geographic footprint. Certain items in the proprietary benchmark instrument were edited or
updated over this 10-year period.
Section score, FY 2012 versus FY 2003:
Section      FY 2012  FY 2003
Policy       79%      56%
Com          56%      46%
Mgmt         42%      40%
Security     70%      50%
Compliance   61%      39%
Choice       33%      35%
Redress      29%      27%
Cost Benchmarks
Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=265 companies)
Extrapolated cost of privacy programs $US millions (000,000 omitted)
Average FY 2012 program spending by SES quartile ($US millions):
Quartile                Direct cost  Indirect cost  Total
Quartile 1 (SES 1.1)    3.92         4.84           8.75
Quartile 2 (SES .71)    3.12         3.27           6.39
Quartile 3 (SES .35)    2.92         1.70           4.61
Quartile 4 (SES -.11)   2.53         1.65           4.18
This graph reports the average direct and indirect program spending for FY 2012 based on SES quartiles
from 1 = highest to 4 = lowest. The SES is a metric ranging from -2 (lowest) to +2 (highest) that attempts to
measure the effectiveness of an organization’s information security posture. The SES was developed by
Ponemon Institute and has been validated in more than 50 studies conducted over nearly eight (8) years. As
can be seen, organizations with a higher SES incur higher direct and indirect costs for their privacy programs.
While not shown in this graph, the average privacy program cost for our benchmark sample of companies
totals $5.98 million.
This graph reports the average direct and indirect program spending for FY 2012 based on six expenditure
or spending categories totaling $5.98 million. As can be seen, the two highest spending categories are data
security ($1.55 million) and program management ($1.50 million). In contrast, the two lowest spending
categories are redress and enforcement ($.30 million) and policies and procedures ($.60 million). While not
shown separately, our benchmark sample of companies spend approximately 25% of budget on program
management activities, which includes all costs associated with data breach incident management.
Average FY 2012 program spending by category ($US millions):
Policies & procedures – $0.60
Training & communication – $0.90
Program management – $1.50
Data security – $1.55
Compliance monitoring – $1.14
Redress & enforcement – $0.30
Informal Influencer Survey
Benchmark study of 107 privacy influencers
• Results in this report are based on Ponemon Institute’s proprietary
database of privacy practices in US organizations.
• Examined perceptions about data breach incident response management.
• Purpose of analysis is to determine the value privacy leaders place on an
automated tool or system to deal with the data breach incident management
process.
• The results indicate that privacy leaders believe automated management
tools are important to deal with the data breach incident management
process due to the numerous separate incidents that require ongoing
tracking.
Is there a need to have an automated tool or system
to deal with the data breach incident management
process?
Yes – 81%
No – 15%
Unsure – 4%
Benchmark question posed to 107 privacy leaders in U.S. based corporations
Do you have an automated data breach management
tool or system today?
No – 62%
Yes, homemade – 36%
Yes, commercial – 2%
What is your company’s primary focus for data
breach management issues?
US – 50%
Global – 31%
North America – 10%
Europe/EU – 6%
Latin America and Asia-Pacific – the remaining 3% (one at 2%, the other not legible in the extracted chart)
Approximately, how many separate incidents
require tracking over a 12-month period?
Number of separate incidents tracked per 12 months (share of respondents):
> 2 – 5%
2 to 4 – 10%
5 to 10 – 36%
11 to 20 – 24%
21 to 40 – 15%
< 40 – 9%
Need for a Data Breach Management Tool
• Ponemon Institute’s tracking study of the cost of privacy programs reveals potential
market demand for a data breach incident management tool for the following reasons:
– Cost effective – the TCO of the tool versus labor costs and professional fees
– A comprehensive and accurate repository of summarized privacy and data
breach laws reduces research costs and legal services.
– Benefits SMBs that cannot afford a fully dedicated privacy staff.
– Secures (locks down) sensitive and confidential information concerning data
breach incidents and events.
– Avoids redundant or inconsistent operating practices and reduces operational
complexity.
• Ponemon Institute’s proprietary benchmarks on corporate privacy spending for larger-
sized organizations (headcount > 1,000) reveal a substantial spending level for
program management (which includes incident response) and data security
measures.
Questions?
Ponemon Institute www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
research@ponemon.org