Privacy & Data Breach Management
Posted 19-Oct-2014 (category: Technology)
Transcript of Privacy & Data Breach Management

Page 1: Privacy & Data Breach Management

Privacy & Data Breach Management Benchmarks, Informal Survey, Solutions

Presentation by Dr. Larry Ponemon

Webinar sponsored by Co3 Systems

September 13, 2012

Page 2: Privacy & Data Breach Management

Agenda

• Benchmark Analysis

• Cost Benchmarks

• Informal Influencer Survey

• Market Need For Breach Management Solutions

9/13/2012 Ponemon Institute: Private & Confidential Information 2

Page 3: Privacy & Data Breach Management

About Ponemon Institute

• Ponemon Institute conducts independent research on cyber security, data protection and privacy issues.

• Since our founding 11+ years ago our mission has remained constant, which is to enable organizations in both the private and public sectors to have a clearer understanding of the practices, enabling technologies and potential threats that will affect the security, reliability and integrity of information assets and IT systems.

• Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.

• In addition to research, Ponemon Institute offers independent assessment and strategic advisory services on privacy and data protection issues. The Institute also conducts workshops and training programs.

• The Institute is frequently engaged by leading companies to assess their privacy and data protection activities in accordance with generally accepted standards and practices on a global basis.

• The Institute also performs customized benchmark studies to help organizations identify inherent risk areas and gaps that might otherwise trigger regulatory action.

Page 4: Privacy & Data Breach Management

Benchmark Analysis

Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=89 companies)

Page 5: Privacy & Data Breach Management

Background

• Ponemon Institute has conducted detailed benchmark surveys of corporate privacy program activities for the past 10 years (starting in January 2003).

• Ponemon Institute has conducted more than 500 separate benchmark studies.

• A total of 89 large, US-based organizations in various industries participated in this 2012 study (fieldwork concluding in August).

• The primary contact in these organizations was the chief security officer, the chief information security officer, the chief privacy officer or another individual who has overall responsibility for privacy & data protection.

• All results were gathered by the researcher. All individual and company-identifiable information was removed to protect the confidentiality of responding organizations.

• Caveats – Benchmarks provide descriptive information that may not be representative of all corporate privacy initiatives.

Page 6: Privacy & Data Breach Management

Industries

Industry breakdown of the 2012 sample:

Industry                  Share of sample
Financial services        21%
Health & pharma           12%
Retail                    12%
Public sector              8%
Industrial                 7%
Services                   7%
Consumer products          6%
Technology & software      6%
Transportation             6%
Energy & utilities         6%
Communications             3%
Education & research       2%
Other                      4%

A total of 89 companies participated in this 2012 research

Minimum headcount of participating companies is > 1,000

Page 7: Privacy & Data Breach Management

Overall Benchmark Score

Overall score by company size (2012 sample, n=89):

Company size           Score
> 25,000 FTE           61%
5,000 to 25,000 FTE    47%
< 5,000 FTE            42%
Overall                53%

The benchmark scores for the 2012 sample of 89 companies are presented in a percentage form. These scores are compiled from a proprietary instrument containing 130 items presented in seven (7) sections. Each section is weighted equally for purposes of comparison.

Page 8: Privacy & Data Breach Management

Overall Benchmark Score

Score by benchmark section (2012 sample, n=89; same instrument of 130 items in seven equally weighted sections):

Section                                Score
Policy (privacy policies)              79%
Com (training & communications)        56%
Mgmt (privacy program management)      42%
Security (data security)               70%
Compliance (compliance & monitoring)   61%
Choice (consent & choice)              33%
Redress (redress & enforcement)        29%

Page 9: Privacy & Data Breach Management

Benchmarks on Privacy Policies

Selected items (benchmark score, 2012):

Acceptable use policies for mobile devices (BYOD)    38%
Acceptable use policies for social media             41%
Harmonized approach to global policies               43%
Centralized version control procedures               49%

Privacy policies section score, 2003 to 2012:

Year    2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score    56%   59%   60%   63%   62%   65%   68%   71%   76%   79%

Page 10: Privacy & Data Breach Management

Benchmarks on Training & Communications

Selected items (benchmark score, 2012):

Privacy awareness for customers                 12%
Privacy awareness for business partners         15%
Incident response training for readiness        29%
Metrics for assessing training effectiveness    30%
Specialized training for high risk employees    37%
Mandatory training for all employees            41%

Training & communications section score, 2003 to 2012:

Year    2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score    46%   47%   45%   48%   46%   50%   52%   50%   52%   56%

Page 11: Privacy & Data Breach Management

Benchmarks on Privacy Program Management

Selected items (benchmark score, 2012):

Independent audit or assessment               17%
Data inventory for sensitive PI               21%
Formal privacy or data governance strategy    29%
Adequacy of program resources                 33%
Centralized authority                         35%

Privacy program management section score, 2003 to 2012:

Year    2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score    40%   41%   39%   40%   46%   50%   52%   48%   44%   42%

Page 12: Privacy & Data Breach Management

Benchmarks on Data Security

Selected items (benchmark score, 2012):

Privileged user visibility                          24%
Extensive use of data loss prevention tools         27%
Controls over PI data in cloud environments         29%
Extensive use of encryption for data at rest        31%
Alignment of privacy and cyber security strategy    33%

Data security section score, 2003 to 2012:

Year    2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score    50%   53%   59%   64%   66%   65%   68%   66%   68%   70%

Page 13: Privacy & Data Breach Management

Benchmarks on Privacy Compliance & Monitoring

Selected items (benchmark score, 2012):

Evaluation of information theft upon employee termination         21%
Board level reporting                                             21%
Advanced assessments of marketing campaigns                       22%
Mock regulatory audits or assessments                             25%
Compliance monitoring over contract and temporary employees       29%

Privacy compliance & monitoring section score, 2003 to 2012:

Year    2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score    39%   41%   40%   43%   46%   45%   48%   54%   59%   61%

Page 14: Privacy & Data Breach Management

Benchmarks on Consent & Choice

Selected items (benchmark score, 2012):

Readiness for do not track                                              18%
Global harmonization of consumer preferences                            18%
Rigorous monitoring of secondary uses of sensitive PI                   22%
Testing that customer preferences are honored                           23%
Exclusive use of permission-based lists for customer/consumer contact   26%

Consent & choice section score, 2003 to 2012:

Year    2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score    35%   33%   28%   33%   34%   32%   33%   30%   35%   33%

Page 15: Privacy & Data Breach Management

Benchmarks on Redress & Enforcement

Selected items (benchmark score, 2012):

Enforcement actions reported to executive management    20%
Specific timeline to investigate incidents              21%
Escalation procedures                                   24%
Redress process involves the privacy leader             26%
Whistle blowing protection                              27%

Redress & enforcement section score, 2003 to 2012:

Year    2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score    27%   28%   32%   33%   34%   35%   36%   33%   31%   29%

Page 16: Privacy & Data Breach Management

Net change over 10 years

The benchmark scores for the 2012 sample consist of 89 companies. The benchmark scores for the 2003 sample consist of 68 companies. Please note that both samples were matched by organizational headcount (size), industry sector and geographic footprint. Certain items in the proprietary benchmark instrument were edited or updated over this 10-year period.

Section       FY 2012   FY 2003
Policy        79%       56%
Com           56%       46%
Mgmt          42%       40%
Security      70%       50%
Compliance    61%       39%
Choice        33%       35%
Redress       29%       27%

Page 17: Privacy & Data Breach Management

Cost Benchmarks

Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=265 companies)

Page 18: Privacy & Data Breach Management

Extrapolated cost of privacy programs $US millions (000,000 omitted)

Average FY 2012 privacy program spending by SES quartile ($US millions):

Quartile                 Direct cost   Indirect cost   Total
Quartile 1 (SES 1.1)     3.92          4.84            8.75
Quartile 2 (SES .71)     3.12          3.27            6.39
Quartile 3 (SES .35)     2.92          1.70            4.61
Quartile 4 (SES -.11)    2.53          1.65            4.18

This graph reports the average direct and indirect program spending for FY 2012 based on SES quartiles from 1 = highest to 4 = lowest. The SES is a metric ranging from -2 (lowest) to +2 (highest) that attempts to measure the effectiveness of an organization’s information security posture. The SES was developed by Ponemon Institute and has been validated in more than 50 studies conducted over nearly eight (8) years. As can be seen, organizations with a higher SES spend more direct and indirect costs on privacy programs. While not shown in this graph, the average privacy program cost for our benchmark sample of companies totals $5.98 million.

Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=265 companies)

Page 19: Privacy & Data Breach Management

Extrapolated cost of privacy programs $US millions (000,000 omitted)

This graph reports the average direct and indirect program spending for FY 2012 based on six expenditure or spending categories totaling $5.98 million. As can be seen, the two highest spending categories are data security ($1.55 million) and program management ($1.50 million). In contrast, the two lowest spending categories are redress and enforcement ($.30 million) and policies and procedures ($.60 million). While not shown separately, our benchmark sample of companies spends approximately 25% of budget on program management activities, which includes all costs associated with data breach incident management.

Analysis is based on Ponemon Institute’s 2012 benchmark on corporate privacy management (n=265 companies)

Spending category           $US millions
Policies & procedures       $0.60
Training & communication    $0.90
Program management          $1.50
Data security               $1.55
Compliance monitoring       $1.14
Redress & enforcement       $0.30

Page 20: Privacy & Data Breach Management

Informal Influencer Survey

Page 21: Privacy & Data Breach Management

Benchmark study of 107 privacy influencers

• Results in this report are based on Ponemon Institute’s proprietary database of privacy practices in US organizations.

• Examined perceptions about data breach incident response management.

• Purpose of analysis is to determine the value privacy leaders place on an automated tool or system to deal with the data breach incident management process.

• The results indicate that privacy leaders believe automated management tools are important to deal with the data breach incident management process due to the numerous separate incidents that require ongoing tracking.

Page 22: Privacy & Data Breach Management

Is there a need to have an automated tool or system to deal with the data breach incident management process?

Yes       81%
No        15%
Unsure     4%

Benchmark question posed to 107 privacy leaders in U.S. based corporations

Page 23: Privacy & Data Breach Management

Do you have an automated data breach management tool or system today?

No                 62%
Yes, homemade      36%
Yes, commercial     2%

Benchmark question posed to 107 privacy leaders in U.S. based corporations

Page 24: Privacy & Data Breach Management

What is your company’s primary focus for data breach management issues?

US               50%
Global           31%
North America    10%
Europe/EU         6%
Latin America    2%
Asia-Pacific     (no value labelled on the chart)

Benchmark question posed to 107 privacy leaders in U.S. based corporations

Page 25: Privacy & Data Breach Management

Approximately, how many separate incidents require tracking over a 12-month period?

> 2          5%
2 to 4      10%
5 to 10     36%
11 to 20    24%
21 to 40    15%
< 40         9%

Benchmark question posed to 107 privacy leaders in U.S. based corporations

Page 26: Privacy & Data Breach Management

Need for a Data Breach Management Tool

• Ponemon Institute’s tracking study of the cost of privacy programs reveals the potential market demand for a data breach incident management tool for the following reasons:

– Cost effective – TCO of the tool versus labor costs and professional fees

– A comprehensive and accurate repository of summarized privacy and data breach laws reduces research costs and legal services.

– Benefits SMBs that cannot afford a fully-dedicated privacy staff.

– Secures (locks down) sensitive and confidential information concerning data breach incidents and events.

– Avoids redundant or inconsistent operating practices and reduces operational complexity.

• Ponemon Institute’s proprietary benchmarks on corporate privacy spending for larger-sized organizations (headcount > 1,000) reveal a substantial spending level for program management (which includes incident response) and data security measures.

Page 27: Privacy & Data Breach Management

Questions?

Ponemon Institute www.ponemon.org

Tel: 231.938.9900

Toll Free: 800.887.3118

Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA

[email protected]