
Strategically aligned, organisationally distinct

It’s time to merge cyber security and data privacy into one digital risk function

The growth of digital information has multiplied the ways in which businesses of all shapes and sizes can carve out a competitive advantage. Just consider how companies are harnessing technology to improve their performance: collecting customer data to create personalised services and targeted marketing campaigns, or scrutinising employee performance data and supply chain information to drive productivity and efficiency.

This offers huge potential, but it also creates vulnerabilities and interdependencies between threats that were previously discrete. This is particularly the case for cyber security and data privacy risks, which are now linked by the increased use of personal data. For example, a data breach can result from a cyber-attack, but it also has data privacy implications.

But business leaders’ attempts to come to terms with the changing nature of these threats are hampered because the past three years have seen businesses around the world bogged down in data privacy compliance. Still getting to grips with GDPR in Europe, they face new regulation in Australia, in California and in Canada.

No wonder two-thirds of businesses surveyed for Grant Thornton’s latest International Business Report (IBR) are focusing more on privacy than on cyber security, and the majority (59%) are actively preparing for the next wave of privacy regulation. But cyber security threats have also soared: the number of cyber-attacks causing losses in excess of $1m has increased by 63% during the past three years.

So it is critical for businesses to effectively and efficiently get to grips with both risks: data privacy and cyber security. Yet they are struggling, because data privacy and cyber security are often managed by different teams. The CPO takes responsibility for the former; the CISO or CTO for the latter.

On this point, Alessandro Leone, Partner at Grant Thornton Financial Advisory Services in the Business Risk Services area, stated: “Is it right to manage cyber security and data privacy separately? These two subjects are strongly interrelated, thanks to the technological development which has led to a management of data (including personal data) based on complex IT systems, which are often held by different suppliers. In fact, for example, companies are increasingly using algorithms to predict consumer behaviour, based on a high quantity of data collected from both digital and “physical” activities (e.g. monitoring movements through device localisation, etc.).”

“Although an integrated management of cyber security and of data privacy” – continued Alessandro Leone – “many companies still do not do it, sometimes due to a lack of specialised skills in one single function. The situation is even more critical in those organisations where cross-functional communication channels are insufficient. So it could be necessary to create a new professional figure, i.e. a chief digital risk officer, having specific IT and legal skills and able to support executives in pursuing their strategies through the management of digital risk.”

It would be far better for both to be managed by the same team. After all, much of the work that ensures compliance with data privacy regulation can be used to bolster cyber security, and vice versa. In addition to helping businesses manage digital risk, this approach adds value by enabling them to start digital transformation initiatives more quickly.

Optimising data classification

A single digital risk team will also ensure that the data classification a company undertakes across the business for various purposes is aligned and coordinated.

Companies could reuse the data classification conducted for compliance with data privacy regulations such as GDPR to enhance cyber security. Similarly, they could categorise data according to its value to the business. Identifying the most valuable data means it can be better protected with more sophisticated cyber defences.

Where privacy and cyber security merge

Assessing data privacy and cyber security risk within one digital risk function is even more relevant in the event of a data breach. Businesses need to know how the breach occurred and which cyber defences (if any) failed. They also need to understand how the data were compromised, evaluate the risk to people’s rights and freedoms and, where that risk warrants it, disclose the breach.

However, today, most businesses are not fully equipped to do this. Only 28% of surveyed businesses are ‘highly satisfied’ with their ability to protect against the risk of a serious breach and just 26% with their ability to respond consistently to a major breach across the entire business, no matter when or where it takes place.

Integrate privacy and security into one function, and businesses will be able to respond more effectively to data breaches thanks to their combined resources and a more holistic understanding of the threat.

Third-party assurance

The increased interconnectedness of cyber security and privacy has implications for how third-party assurance is conducted.

For example, data privacy regulation such as GDPR requires businesses to obtain robust guarantees from suppliers that handle data on their behalf. And since businesses also have to check whether their suppliers are vulnerable to cyber-attack, why not assess privacy compliance at the same time?

A single function that conducts comprehensive assessments of third-party digital risk, covering both cyber security and privacy, is better positioned to give risk the consideration it deserves. This approach should also be helpful in the supplier selection process.

Although such an integrated approach is clearly advantageous, it is not yet widespread.

Board oversight is key, combined management essential

The case for an integrated digital risk function is clear. But who should manage it?

At the moment, there is confusion about where responsibility ultimately lies, and this is hampering digital risk management. Tellingly, surveyed businesses say that a lack of understanding about which risks individuals and teams are responsible for is their second-greatest weak point in managing digital risk.

Like financial risk, digital risk’s severity means that the board must take an active role in overseeing it. Ideally, a specific digital risk committee should be established within the board to oversee this risk, with representation from experts.

Most companies put the chief risk officer or chief technology officer in charge of the day-to-day management of these risks. But effective digital risk management relies on a lot more than technology. Chief risk officers typically focus on financial risks, and so may not possess the expertise needed to manage digital risk effectively. That is why a chief digital risk officer is needed: a figure who is comprehensively responsible for all aspects of digital risk.

Three steps to integrated digital risk management

  1. Work out who is responsible for managing cyber security and data privacy risk, map out their activities and daily workflows, and see if there is any overlap. Strip out duplicated processes.
  2. Ensure that digital risk processes are managed on an end-to-end basis. For example, third-party assurance should assess both cyber security and data privacy. Both factors should also be evaluated when classifying data.
  3. Create an integrated digital risk management team or function that has the skills to manage both cyber security and data privacy threats. Head it up with a chief digital risk officer capable of championing digital risk and ensuring it’s factored into strategic and operational decisions across the business. Make sure that the board actively oversees digital risk.