Where cybersecurity is heading-Fast

March 12, 2019

The pressure to protect personal data has most multinationals fighting to stay ahead.

“There's a lot more about privacy in the media; it has captured people's attention because there are laws behind it."

A decade ago, cybersecurity was still largely considered a component of information technology. It wasn’t until around 2014 that organizations began to fully grasp the devastating effects a data breach can have on shareholder value, market share, reputation, and even long-term survival, and elevated cybersecurity to its own C-suite position.

Since then, the responsibilities of the chief security officer (CSO) or chief information security officer (CISO) have grown in proportion to the number of threats. And there are a lot of threats. In addition to overseeing network security, computer security, and in some cases physical security, the growth in connected devices has put product security under the CSO’s remit. Many cybersecurity breaches still go undetected, in part because there is more data for hackers to hack. Consider that by some estimates more than 20 billion connected devices will be on the market by 2020. Put another way, that’s 20 billion ways for hackers to get passwords, credit card numbers, consumer data, proprietary data, financial data, and more to leak, hold for ransom, or sell on dark markets.

Eighty-two percent of leaders surveyed for the World Economic Forum’s latest Global Risks Report believe cyberattacks leading to financial theft or data fraud will increase this year, citing the “deepening integration of digital technologies into every aspect of life.”

No sector is immune

Not unlike the flu, data breaches and other cyberattacks affect everyone. Per the chart below, from the United States government's Council of Economic Advisers 2018 report, no sector—and by extension no company—is immune.

no sector is immune

With CSOs already stretched thin from their ever-growing responsibilities, privacy is a frontier that’s too vast and evolving for them to take on in isolation. Moreover, security and privacy aren’t always aligned from a business perspective. “Organizations have a bias for collecting data, but they also have to meet user expectations about how it is being used,” says Katherine Fithen, a managing principal consultant at Secureworks who worked on information security on the Internet when it was still a private network within the US government. Majority-owned by Dell, Secureworks, based in Atlanta, provides technology that detects and fights security breaches.

In the past, there had been waves of discontent over how organizations use personal data from users, but it was nothing like the tsunami of anger that occurred after it was revealed that Cambridge Analytica used Facebook data to create psychological profiles for political gain without users’ consent. The aftermath included hundreds of millions of dollars in lost shareholder value, a #deletefacebook campaign, testimony by CEO Mark Zuckerberg and COO Sheryl Sandberg in Congress, and the implementation of Europe’s GDPR standard across all of Facebook, not just in Europe. To many, the incident crystallized the importance of trust between organization and user in the digital age.

“Privacy can enhance your market reputation and be leveraged by sales and marketing to influence revenue."

“There’s a lot more about privacy in the media; it has captured people’s attention because there are laws behind it,” says Fithen. “And it is prominent in the minds of executives and boards, because it is in the media and there is actual accountability for meeting those laws.”

Business and political leaders around the world are currently debating whether to adopt universal regulations that govern data privacy similar to Europe’s GDPR. Some believe there is a need for a harmonized privacy law; others do not. The US tech industry, for instance, historically has been resistant to government regulation. Some business leaders argue that universal regulations would increase costs to run, manage, and secure the right technology, as well as stifle innovation. Moreover, universal regulations would negate the value proposition between organization and user as to what data they are willing to give up in return for a service or product they need.

* * *

Many forward-thinking companies already have chief privacy officer positions, or something akin to one. Over the last year or so, in the lead-up to the passing of GDPR, business leaders and boards increasingly have been pursuing ways to define a framework and reporting relationship to create a C-suite position for privacy. Some organizations have the position report to the CSO, others to the general counsel. In other organizations, the role reports to the chief technology officer, and in at least one case this leader reports to the chief financial officer. The variety of reporting structures is a testament to both how privacy touches all areas of a business and how confused organizations are about where it belongs.

Creating a secure culture

What companies are doing.

elevating privacy

Elevating Privacy

Whether hiring a chief privacy officer or appointing a board director with privacy expertise, organizations are making it a focus of leadership.

hiring more vets

Hiring more vets

Former military personnel are attractive for their tech skills and ability to manage threats. lorem ipsum lorem ipsum lorem ipsum lorem ipsum



Some are providing education, training, certification programs, and other avenues around privacy skills designed to lead to promotions.

fire drills

Fire drills

Simulated cyberattacks, system breaches, and other exercises are routinely run to help create and optimize a comprehensive quick-response game plan.

building relationships

Building relationships

Consumer trust is one of the most important success factors for a company today, and firms understand that respect for data privacy is a business issue.

Wells Fargo’s Rich Baich draws a parallel to the early days of CSOs. Hired as Wells Fargo’s first-ever CISO in 2012—the bank realized earlier than most the importance of security—Baich initially reported to tech. After a restructuring, he then reported to risk management. Late last year, however, his position was moved back under tech. To understand how large the CISO function has grown, consider that over those six years, Baich has deployed more than 30 different security technologies, and his team has filed for more than 50 patents. He also grew his department to 3,000 employees from 550.

Baich says that security and privacy have been working much more closely in recent years. “New regulations require more collaboration with privacy,” he says.

Korn Ferry’s Cummings says the fact that organizations are recognizing that privacy needs to be a separate function within the C-suite or reporting directly to a member of the C-suite is more important than where exactly it sits on the org chart. Indeed, the constantly evolving expectation of privacy means the skills and character profiles of the talent needed is also evolving. As with CSOs, privacy is no longer just a tech role.

Privacy officers have to be increasingly fluent in customer experience and product development, for instance. They need to have a global perspective and be able to distill complex tech and legal issues into business terms leaders can understand, among other traits.

In fact, given the increasingly public-facing nature of privacy both with employees and consumers, Cummings argues that privacy could also be considered a business services function.

“Privacy can enhance your market reputation and be leveraged by sales and marketing to influence revenue,” he says.

For more information, please contact Jamey Cummings at or Aileen Alexander at