Australian CISOs continue to struggle on privacy

A decade has passed since Australia passed major reforms of its Privacy Act—but as the flood of data breaches continues, new figures suggest that many companies are still struggling to formalise their privacy practices, differentiate between security and privacy, or understand their obligations to protect personally identifiable information (PII).

Understaffing delays or undermines privacy efforts

Fully 55% of technical privacy roles are now understaffed, ISACA’s recent Privacy in Practice survey of privacy practitioners found. And 46% of legal/compliance roles were understaffed—up dramatically from 33% a year ago.

The widening capability gap around privacy staff reflects hiring challenges that are diminishing companies’ ability to build and enforce privacy policies, the study found, noting that “enterprises cannot backfill positions easily upon attrition of privacy talent”.

Not only are qualified staff hard to find, but many executives are proving reluctant to fund privacy roles adequately. “Understaffing issues are not likely to resolve soon,” the report notes, warning that “senior management support for privacy does not always ensure funding for additional staff to meet privacy needs.”

Those dynamics have created an administrative nightmare for Australian privacy regulators, with recent Senate enquiry questions on notice responses confirming that the Office of the Australian Information Commissioner (OAIC) started February 2022 with 1,404 open privacy complaints. That included 402 that have been open for between six and 12 months, and 136 that have been languishing for over a year.

Staffing has long been an issue at the OAIC, which some argue has been starved of resources to slow down enforcement of privacy, freedom of information (FOI), and activities around enforcement of Australia’s notifiable data breaches (NDB) scheme.

Whether the recent appointment of a Freedom of Information commissioner will ease the burden—Leo Hardiman will commence the role on 19 April 2022 after a prolonged recruitment period—remains to be seen.

But some change is critical, with recently released NDB statistics confirming that Australian organisations continue to be ravaged by data breaches, with 464 notified data breaches during the second half of 2021—up 6% on the previous year.

With 36% of organisations reporting that it takes more than three months to fill legal/compliance privacy roles and 38% reporting the same for technical roles, actually doing so is bound to be a long-term effort.

Despite looking for appropriate staff to join their teams, 64% said they were struggling to find candidates with experience with different technologies and applications—and that fully half are struggling to bridge the skills gap around understanding privacy laws and regulations.

Despite this, most companies see demand for privacy professionals increasing over the next year; meeting this demand, Sofia Kazi, a privacy professional practices lead with ISACA said during a recent webinar, would require more collaboration across the fence than ever before. “Legal and compliance professionals know the laws and regulations but likely don’t have the technical expertise to implement controls that can achieve compliance,” she explained. “By contrast, technical privacy professionals have the technical knowhow, but they probably don’t understand the ins and outs of all the laws and regulations that may be at play.”

Finding the motivation to implement by privacy by design

With reports suggesting the OAIC is chronically understaffed just like the organisations it oversees, the impetus for better privacy practices seemingly come not from fear of getting caught violating the Australian Privacy Principles—created in 2012, putatively to help organisations implement privacy by design policies—but from inside the business.

Yet before they can do privacy properly, ISACA found, businesses need to figure out who’s responsible for it.

Although privacy is a far-reaching issue with significant business implications, technical staff such as CISOs and CIOs are nonetheless responsible for privacy in 37% of responding companies—suggesting that many other executives are handballing privacy to technical staff as a matter of course.

Collaboration across the business was still intermittent, the figures found, with 55% of technical staff meeting with legal/compliance professionals once per quarter, one or two times per year, or not at all.

“If privacy is your focus, you need to be talking to your colleagues in security,” said Adelaide-based Jo Stewart-Rattray, a long-time security executive and board advisor who serves on ISACA’s Information Security Advisory Group. She told CSO Australia that Australian companies had been slow to change their mindset around privacy.

“We’ve had privacy legislation in this country since the ’80s,” she  Stewart-Rattray, “but it’s like security was 10 years ago—which was that security was very unsexy. I think we see the same with privacy now. “It’s seen as legal and compliance, therefore it’s not groovy in any way, shape, or form—but the reality is that this is something we have to be working with.”

That reality is still dawning on many companies, with just 12% of CEOs and 3% of boards holding primary accountability for privacy—and just one in five companies having a dedicated chief privacy officer.

That reality often left security professionals holding the bag: “Security professionals have always had an eye on the privacy side,” Stewart-Rattray said. “I’m not sure that it’s been the same for [executives], but I think we’re seeing that dawning that security of information is absolutely of paramount importance to the privacy side.”

Noting that she works proactively to prioritise privacy—and to ensure that the board’s audit and risk committee is along for the ride—Stewart-Rattray said regular engagement was crucial to making privacy work as it’s supposed to. “I make sure this melding of the two together is seen as a priority,” she said, arguing that PII “has to be protected from the data governance and security governance level all the way through to the practical, operational side.”

Privacy should not just a tick in the box, but often is

Just how to build that strategy, however, remains something of a moving feast—with many companies still treating privacy as a tick-the-box compliance item rather than an ongoing business and technology function that must be reinforced with a privacy-by-design approach.

Indeed, 63% of ISACA respondents blamed their privacy failures on the lack of a privacy by design approach, while 59% blamed a lack of training—although 70% admitted that they managed privacy training by monitoring how many employees complete privacy training, not by tracking how effective that training had been.

Incredibly, 47% admitted being unable to track their PII, reporting “bad or non-existent” detection of PII that confirmed surging data volumes have outpaced companies’ technical and governance capabilities.