Connect with us

Hi, what are you looking for?



Investment in Privacy Pays Cybersecurity Dividends: Cisco

Better Privacy Means Better Security, Report Shows

Better Privacy Means Better Security, Report Shows

Cisco’s 2020 Data Privacy Benchmark Study attempts to quantify an often-repeated claim from cybersecurity experts: investment in privacy improves overall cybersecurity. For example, last year’s Cisco privacy study seemed to indicate that improved privacy improves vendors’ sales cycle.

“A year ago,” Robert Waitman, Cisco director of data valuation and privacy, security and trust, told SecurityWeek, “we found those organizations that were ready for GDPR did a better job when it came to streamlining their sales process. This is particularly so in B2B. With customers being more concerned and asking more questions about privacy, those companies with an effective privacy policy can more rapidly and efficiently answer those questions.”

This year, Cisco wanted to examine what other benefits investment in privacy might bring; and more specifically, whether a dollar figure could be applied as an ROI. It queried 2,800 companies from 13 countries in a double-blind survey; and found that an investment of $100 dollars brings $270 in cybersecurity benefits. This is an average figure that does not differentiate between B2B and B2C companies, nor the size of the company concerned.

Privacy Efforts Help Improve Cybersecurity

“That’s a very strong statement,” said Waitman, “that the investments that companies must make in privacy in order to comply with the growing number of privacy and data protection regulations are returning value way beyond the simple avoidance of GDPR and other regulatory fines.” It argues that companies should not treat privacy compliance as a tick box requirement, but an opportunity to improve their cybersecurity posture.

The survey found that 70% of organizations say they receive significant privacy benefits in areas such as operational efficiency, agility and innovation. Furthermore, states the survey report, “Using the ‘Accountability Wheel’ created by the Centre for Information Policy Leadership (CIPL), we found strong correlations between organizations’ privacy accountability and lower breach costs, shorter sales delays, and higher financial returns.”

“There are a few things we can speculate on for why better privacy means better security,” said Waitman. “Privacy regulations generally force companies to get their data in order. This is necessary for personal data holders to be able to tell customers what data they have, and to be able to delete it if required.” 

Advertisement. Scroll to continue reading.

This should have been done from the beginning, but without the forcing nature of regulations, things have just drifted. Companies are now required to have a legal reason for processing personal data, which means old and stale, unuseful data gets removed rather than hidden away or lost and forgotten in obscure locations. “One of the reasons we saw for security benefits coming from privacy was that the data environment has been to some extent rationalized,” continued Waitman.

It’s a bit like tidying your house and putting important items in a secure place, and valuable documents and money in the safe in case of burglars, he suggested. If you do get a burglary, you are likely to lose less, understand what is lost and take the right steps to minimize the effect of any loss. Same for a company breech. “Privacy is like that,” he said. “Companies that invest in privacy are seeing fewer data breaches, fewer records impacted, less downtime, and less overall cost of a breach. These are all highly correlated with the privacy investment that we were focusing on.”

Even some of the less obvious improvements can be explained by the better internal data controls required by privacy investments — such as improved agility and innovation. The result, said Waitman, is that “respondents indicated a correlation between privacy investment and a better turnaround in app development.” The reason, he suggested, is that without the investment in privacy and the corresponding greater knowledge of what personal data can be used in app development and what cannot, developers fail to make best use of their resources. Privacy provides knowledge of what data can be used and how it can be used in development, replacing the fear of using personal data in case it is illegal.

Privacy is considered so important that 82% of the responding organizations now view privacy certifications such as ISO 27701 and Privacy Shield as a buying factor when selecting a product or vendor in their supply chain. Certifications are a vexed problem. Security professionals often feel they need to spend time and money to gain personal certifications, but also believe that the certification companies exist simply to make money from selling certificates. This is also a potential problem for any company certifications — but Waitman points out that there is a big difference between personal certifications and corporate privacy certifications.

Personal certifications are generally awarded against a ‘syllabus’ designed and required by the selling organization. Privacy certifications are effectively underwritten by the requirements of government mandated specifications as the syllabus, lessening the scope for the certifying company to treat the exercise as a simple money-making exercise. Waitman believes that the certification of privacy is an area that needs to be developed.

His conclusions from the Cisco Data Privacy Benchmark Study 2020 (PDF) are clear. “Firstly,” he told SecurityWeek, “companies should be honest and transparent about what they do with personal data. Secondly, privacy is a good corporate investment. There’s now a lot of evidence suggesting that companies should go beyond the minimum possible to comply with the law, and seriously invest in privacy. Finally, the issue of privacy certifications is important.”

Related: Microsoft Chief Calls for ‘Global Standard’ on Privacy 

Related: California, Home of Silicon Valley, Ramps Up Online Privacy Law 

Related: Eight Steps to Data Privacy Regulation Readiness 

Related: Battle Lines Forming Ahead of a Looming U.S. Privacy Law Fight

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.