Hardly a week goes by without headlines about a breach of customer data. Less frequent, but just as alarming, are the publicly reported examples and allegations of intellectual property theft. Data security and privacy — and, by extension, brand reputation — are front and center today and will quickly become a business differentiator for tomorrow. The question remains: How will organizations respond?
IBM commissioned Forrester Research to evaluate data security decision-making by security buyers and influencers. Much of the research focused on what it means to engage in proactive data security and privacy efforts to address threats both today and in the future. This study began in May 2014 and was completed in June 2014. Forrester developed a hypothesis testing the assertion that enterprises today have many more stakeholders involved in data control, data governance, security and privacy. However, despite this involvement, organizations approach data security in a very reactive fashion and often do not have a clear understanding of the value of their data.
As part of the study, Forrester conducted surveys with 200 security decision-makers in the U.S., U.K. and Germany and had five in-depth follow-up phone interviews for additional context. The final report found that while these companies’ data security efforts are primarily driven by compliance and are tactical in nature, security teams have the attention of executives who are increasingly aware of and concerned about data security. These decision-makers also place a high priority on helping securely enable big data and data quality initiatives, both of which have implications for revenue growth and customer experience.
Forrester’s study yielded five key findings:
1. Data security efforts are policy- and compliance-driven.
Compliance is necessary, and policies are an important part of data security. However, organizations that drive data security efforts based on policy and compliance put the business at risk by neglecting to take a more holistic and proactive approach to their data security strategy. Remember: Compliance does not equal security.
2. Firms do not understand what sensitive data is.
What is sensitive data to the organization? And does the entire organization share a common understanding of what constitutes sensitive data? In order to protect our data, we must first know and understand it.
3. Proactive data security goes beyond technology implementation.
Technology is only one part of the equation; people and processes matter. Data privacy and security are conjoined concepts that require coordination between businesses’ employees, customers and operations to successfully address these concerns.
4. Many firms struggle with data security and are not mature in measuring the success of data security initiatives.
The transition from network- and device-centric security to data-centric security is new to most enterprises. There is a significant cultural shift that must take place for organizations to mature their data security practices.
5. For better or worse, breaches are an organizational catalyst.
As a direct result of a data breach, 45 percent of firms implemented new security controls and policies, and 42 percent said that security and privacy have become bigger topics of discussion. However, 35 percent also indicated that the breach caused a lot of disruption in the organization, with 18 percent of companies laying off employees as a direct result.