Privacy concerns may not be the first issue that comes to mind when building an enterprise cyber resilience plan. However, you should expect them to gain prominence. For perspective, consider for a moment that the NIST Privacy Framework is a relatively new tool. It was only first deployed in January 2020.
Even ISO only released its new standalone standard in August 2019. As part of the 27000 family, ISO/IEC 27701:2019 “specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.”
Now get this: the technical team responsible for its development is called ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection (emphasis added).
Let’s up the ante to emphasize the connection to cybersecurity resilience just a little bit more. Want to know what NIST did? They developed a very handy crosswalk tool, which maps controls from the Privacy Framework to the Cybersecurity Framework and vice-versa.
Therefore, the interplay between the two issues, cybersecurity and privacy, really begs the question: does a strong cybersecurity program begin in a strong privacy program?
See how all of a sudden privacy issues really do tie into your overall resilience? There are a few areas in particular that privacy issues could really test your organization. Keep in mind reputation, disclosure, compliance and financial cost.
How much is your reputation worth?
Gossip, rumor, and yes, even legitimate bulletins and news blaze across the world at record speeds. Managing your reputation at warp speed is critical to your organization’s cyber resilience. Largely thanks to social media, a negative story can cause major damage to your reputation and brand. It can happen even within a matter of minutes.
Yes, minutes.
As a publicly traded company, you could see massive dips in your market cap. Think about it. Trading has become less about ‘boring’ things like EBITA, Price-to-Book ratio or quarterly earnings. It has become more speculative, with an emotional flare to it.
So what is the link to privacy, then? Well, if we’re still riding that emotional flare, candidly speaking, people take their personally identifiable information (PII) pretty darn seriously. It is an emotional reaction that triggers what happens next, not necessarily a deliberate, well-thought-out course of action.
Keep your customers’ faith
Keep in mind that no matter how common breaches become, or the growing awareness in the general public that they are happening, few things can frustrate people more than spending time to set up credit alerts, chasing down possible fraud and living with that feeling of being violated somehow. That ‘contract’ or bond between the customer and the organization breaks.
And if you think losing part of your customer base does not impact the organization’s cyber resilience, I have a bag of beans to sell you, magic not included.
One perspective that ties together privacy, security and reputation is an intangible issue: your organization’s goodwill. How much is that worth to you?
I can make you a promise: standing up your applications, spinning up new instances, loading up backups and getting all your transactional capabilities up and running means nothing if your customers no longer have faith or confidence in doing business with you. You have reached bust. Kaput. The end.
That’s one of the reasons privacy matters to cyber resilience: it’s keeping an eye out on the hidden cost.
Time is not your friend when it comes to cyber resilience
Now let us look at a couple of the tangible issues: disclosure and compliance. Or, put another way, time and money. If you have been following what the Security Exchange Commission (SEC) has been up to regarding cybersecurity disclosures, the message is pretty blunt: provide timely and quality disclosures related to breaches. All the more reason your crisis communication planning needs to have these close partnerships with external bodies all ready to go.
Think about it like this: in a crisis situation, you want to drive the message as much as possible, because that is one of your control levers. If somebody else drives the message (or knocks on your door asking why you haven’t disclosed in time) you’re losing and you’re looking for a bruising.
Let’s look at part of a privacy breach scenario for a moment:
- Word leaks (who cares how, or if it is even true) that your organization has suffered a breach and PII has made it out into the wild.
- That information makes it to social media, and a couple of major news organizations or security influencers pick up the story and amplify it.
- Every day people start to digest the news item and begin to worry (e.g., is their information exposed?).
- Other stakeholders, namely shareholders, start to panic because there are signs of a sell-off happening.
- Phone calls are being made at the board level to contain this looming disaster.
See how this is going? We’re not even at the SEC “ahem” call yet!
This is an extreme example, right? Perhaps it is. But there is something larger going on here: if you are not planning and preparing for extreme, you may as well be faking it.
Cyber resilience: Ride the storm
Have you perhaps noticed that the cybersecurity issue is becoming more difficult to manage and not easier? Perhaps you have noticed breaches are also becoming costlier? Let’s do a quick rundown of IBM’s Data Breach Report 2021 is as follows:
- Highest average cost in 17 years
- Remote work increasing the cost
- Compromised credentials are the main source of breaches
- Security AI has the biggest cost-mitigating effect
- Zero trust approach helps reduce cost
- Cloud migrations impacted cost containment.
Okay, so what does it all have to do with privacy? What impact will it make on organizational resilience?
Simple: privacy is both amplifier and sleeping giant. That is why preparing for the extreme event is required. What happens when you lose the confidence and faith of all your customer base? You may be able to survive the fines, the penalties, the downed operational time and even the rebuild costs.
But the reputational hit? Perhaps not. Do what you can to ensure that the unspoken contract between you and your customer is not broken: protect their privacy.
Next in the journey, we look at security-by-design. Or as I like to call it: break it while you build it.
Senior Director, Educator and Author