The Ponemon Institute on Data Loss / Breach Solutions: The Market Need and Solution Requirements


  • 7/30/2019 The Ponemon Institute on Data Loss / Breach Solutions: The Market Need and Solution Requirements

    1/27

Privacy & Data Breach Management: Benchmarks, Informal Survey, Solutions

    Presentation by Dr. Larry Ponemon

    Webinar sponsored by Co3 Systems

    September 13, 2012


    2/27

    Agenda

    Benchmark Analysis

    Cost Benchmarks

    Informal Influencer Survey

    Market Need For Breach Management Solutions

    11/21/2012 Ponemon Institute: Private & Confidential Information 2


    3/27

    About Ponemon Institute

Ponemon Institute conducts independent research on cyber security, data protection and privacy issues.

Since our founding 11+ years ago our mission has remained constant: to enable organizations in both the private and public sectors to have a clearer understanding of the practices, enabling technologies and potential threats that will affect the security, reliability and integrity of information assets and IT systems.

Ponemon Institute research informs organizations on how to improve their data protection initiatives and enhance their brand and reputation as a trusted enterprise.

In addition to research, Ponemon Institute offers independent assessment and strategic advisory services on privacy and data protection issues. The Institute also conducts workshops and training programs.

The Institute is frequently engaged by leading companies to assess their privacy and data protection activities in accordance with generally accepted standards and practices on a global basis.

The Institute also performs customized benchmark studies to help organizations identify inherent risk areas and gaps that might otherwise trigger regulatory action.



    4/27

    Benchmark Analysis

Analysis is based on Ponemon Institute's 2012 benchmark on corporate privacy management (n=89 companies).


    5/27

    Background

Ponemon Institute has conducted detailed benchmark surveys of corporate privacy program activities for the past 10 years (starting in January 2003).

Ponemon Institute has conducted more than 500 separate benchmark studies.

A total of 89 large, US-based organizations in various industries participated in this 2012 study (fieldwork concluding in August).

The primary contact in these organizations was the chief security officer, the chief information security officer, the chief privacy officer or another individual who has overall responsibility for privacy & data protection.

All results were gathered by the researcher. All individual and company-identifiable information was removed to protect the confidentiality of responding organizations.

Caveat: benchmarks provide descriptive information that may not be representative of all corporate privacy initiatives.


6/27

Industries

Industry of the 89 participating companies (pie chart; values paired with the legend entries in the order they appear on the slide):

Financial services: 21%
Health & pharma: 12%
Retail: 12%
Public sector: 8%
Industrial: 7%
Services: 7%
Consumer products: 6%
Technology & software: 6%
Transportation: 6%
Energy & utilities: 6%
Communications: 3%
Education & research: 2%
Other: 4%

A total of 89 companies participated in this 2012 research.

Minimum headcount of participating companies is > 1,000.

7/27

Overall Benchmark Score

Overall benchmark score by organization size (bar chart):

> 25,000 FTE: 61%
5,000 to 25,000 FTE: 47%
< 5,000 FTE: 42%
Overall: 53%

The benchmark scores for the 2012 sample of 89 companies are presented in percentage form. These scores are compiled from a proprietary instrument containing 130 items presented in seven (7) sections. Each section is weighted equally for purposes of comparison.

8/27

Overall Benchmark Score

Benchmark score by section, 2012 sample of 89 companies (bar chart; each of the seven sections of the 130-item instrument is weighted equally):

Policies & procedures: 79%
Training & communications: 56%
Program management: 42%
Data security: 70%
Compliance & monitoring: 61%
Consent & choice: 33%
Redress & enforcement: 29%

9/27

Benchmarks on Privacy Policies

Selected items (bar chart):

Acceptable use policies for mobile devices (BYOD): 38%
Acceptable use policies for social media: 41%
Harmonized approach to global policies: 43%
Centralized version control procedures: 49%

Section score, 2003 to 2012 (trend chart):

Year   2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score   56%   59%   60%   63%   62%   65%   68%   71%   76%   79%

10/27

Benchmarks on Training & Communications

Selected items (bar chart):

Privacy awareness for customers: 12%
Privacy awareness for business partners: 15%
Incident response training for readiness: 29%
Metrics for assessing training effectiveness: 30%
Specialized training for high risk employees: 37%
Mandatory training for all employees: 41%

Section score, 2003 to 2012 (trend chart):

Year   2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score   46%   47%   45%   48%   46%   50%   52%   50%   52%   56%

11/27

Benchmarks on Privacy Program Management

Selected items (bar chart):

Independent audit or assessment: 17%
Data inventory for sensitive PI: 21%
Formal privacy or data governance strategy: 29%
Adequacy of program resources: 33%
Centralized authority: 35%

Section score, 2003 to 2012 (trend chart):

Year   2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score   40%   41%   39%   40%   46%   50%   52%   48%   44%   42%

12/27

Benchmarks on Data Security

Selected items (bar chart):

Privileged user visibility: 24%
Extensive use of data loss prevention tools: 27%
Controls over PI data in cloud environments: 29%
Extensive use of encryption for data at rest: 31%
Alignment of privacy and cyber security strategy: 33%

Section score, 2003 to 2012 (trend chart):

Year   2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score   50%   53%   59%   64%   66%   65%   68%   66%   68%   70%

13/27

Benchmarks on Privacy Compliance & Monitoring

Selected items (bar chart):

Evaluation of information theft upon employee termination: 21%
Board level reporting: 21%
Advanced assessments of marketing campaigns: 22%
Mock regulatory audits or assessments: 25%
Compliance monitoring over contract and temporary employees: 29%

Section score, 2003 to 2012 (trend chart):

Year   2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score   39%   41%   40%   43%   46%   45%   48%   54%   59%   61%

14/27

Benchmarks on Consent & Choice

Selected items (bar chart):

Readiness for do not track: 18%
Global harmonization of consumer preferences: 18%
Rigorous monitoring of secondary uses of sensitive PI: 22%
Testing that customer preferences are honored: 23%
Exclusive use of permission-based lists for customer/consumer contact: 26%

Section score, 2003 to 2012 (trend chart):

Year   2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score   35%   33%   28%   33%   34%   32%   33%   30%   35%   33%

15/27

Benchmarks on Redress & Enforcement

Selected items (bar chart):

Enforcement actions reported to executive management: 20%
Specific timeline to investigate incidents: 21%
Escalation procedures: 24%
Redress process involves the privacy leader: 26%
Whistle blowing protection: 27%

Section score, 2003 to 2012 (trend chart):

Year   2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
Score   27%   28%   32%   33%   34%   35%   36%   33%   31%   29%

16/27

Net change over 10 years

The benchmark scores for the 2012 sample consist of 89 companies. The benchmark scores for the 2003 sample consist of 68 companies. Please note that both samples were matched by organizational headcount (size), industry sector and geographic footprint. Certain items in the proprietary benchmark instrument were edited or updated over this 10-year period.

Section score, FY 2012 versus FY 2003 (bar chart):

Section                    FY 2012   FY 2003
Policies & procedures        79%       56%
Training & communications    56%       46%
Program management           42%       40%
Data security                70%       50%
Compliance & monitoring      61%       39%
Consent & choice             33%       35%
Redress & enforcement        29%       27%


    17/27

    Cost Benchmarks

Analysis is based on Ponemon Institute's 2012 benchmark on corporate privacy management (n=265 companies).

18/27

Extrapolated cost of privacy programs, US$ millions (000,000 omitted)

Average FY 2012 program spending by SES quartile (bar chart):

                         Direct cost   Indirect cost   Total
Quartile 1 (SES 1.1)        3.92           4.84         8.75
Quartile 2 (SES .71)        3.12           3.27         6.39
Quartile 3 (SES .35)        2.92           1.70         4.61
Quartile 4 (SES -.11)       2.53           1.65         4.18

This graph reports the average direct and indirect program spending for FY 2012 based on SES quartiles from 1 = highest to 4 = lowest. The SES is a metric ranging from -2 (lowest) to +2 (highest) that attempts to measure the effectiveness of an organization's information security posture. The SES was developed by Ponemon Institute and has been validated in more than 50 studies conducted over nearly eight (8) years. As can be seen, organizations with a higher SES spend more, in both direct and indirect costs, on privacy programs. While not shown in this graph, the average privacy program cost for our benchmark sample of companies totals $5.98 million.

Analysis is based on Ponemon Institute's 2012 benchmark on corporate privacy management (n=265 companies).

19/27

Extrapolated cost of privacy programs, US$ millions (000,000 omitted)

This graph reports the average direct and indirect program spending for FY 2012 based on six expenditure or spending categories totaling $5.98 million. As can be seen, the two highest spending categories are data security ($1.55 million) and program management ($1.50 million). In contrast, the two lowest spending categories are redress and enforcement ($.30 million) and policies and procedures ($.60 million). While not shown separately, our benchmark sample of companies spends approximately 25% of budget on program management activities, which includes all costs associated with data breach incident management.

Analysis is based on Ponemon Institute's 2012 benchmark on corporate privacy management (n=265 companies).

Average FY 2012 spending by category (bar chart, US$ millions):

Policies & procedures: $0.60
Training & communication: $0.90
Program management: $1.50
Data security: $1.55
Compliance monitoring: $1.14
Redress & enforcement: $0.30


    20/27

    Informal Influencer Survey


    21/27

Benchmark study of 107 privacy influencers

Results in this report are based on Ponemon Institute's proprietary database of privacy practices in US organizations.

The study examined perceptions about data breach incident response management.

The purpose of the analysis is to determine the value privacy leaders place on an automated tool or system to deal with the data breach incident management process.

The results indicate that privacy leaders believe automated management tools are important to deal with the data breach incident management process, due to the numerous separate incidents that require ongoing tracking.


22/27

Is there a need to have an automated tool or system to deal with the data breach incident management process?

Responses (pie chart):

Yes: 81%
No: 15%
Unsure: 4%

Benchmark question posed to 107 privacy leaders in U.S.-based corporations.

23/27

Do you have an automated data breach management tool or system today?

Responses (pie chart):

No: 62%
Yes, homemade: 36%
Yes, commercial: 2%

Benchmark question posed to 107 privacy leaders in U.S.-based corporations.

24/27

What is your company's primary focus for data breach management issues?

Responses (pie chart; the slide shows five values, 50%, 31%, 10%, 6% and 2%, against six categories, so only the four largest slices can be paired with confidence):

US: 50%
Global: 31%
North America: 10%
Europe/EU: 6%
Latin America, Asia-Pacific: the remaining 2% (only one of the two smallest slices is labelled on the slide)

Benchmark question posed to 107 privacy leaders in U.S.-based corporations.

25/27

Approximately how many separate incidents require tracking over a 12-month period?

Responses (bar chart):

< 2: 5%
2 to 4: 10%
5 to 10: 36%
11 to 20: 24%
21 to 40: 15%
> 40: 9%

Benchmark question posed to 107 privacy leaders in U.S.-based corporations.

26/27

Need for a Data Breach Management Tool

Ponemon Institute's tracking study of the cost of privacy programs reveals potential market demand for a data breach incident management tool, for the following reasons:

Cost-effective TCO of the tool versus labor costs and professional fees.

A comprehensive and accurate repository of summarized privacy and data breach laws reduces research costs and legal services.

Benefits SMBs that cannot afford a fully-dedicated privacy staff.

Secures (locks down) sensitive and confidential information concerning data breach incidents and events.

Avoids redundant or inconsistent operating practices and reduces operational complexity.

Ponemon Institute's proprietary benchmarks on corporate privacy spending for larger-sized organizations (headcount > 1,000) reveal a substantial spending level for program management (which includes incident response) and data security measures.


    27/27

    Questions?

Ponemon Institute
www.ponemon.org
Tel: 231.938.9900
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
[email protected]