How to Use Privacy Metrics for Program Improvement and to Prove ROI
Privacy professionals face tough questions: How do you quantify the value of your privacy program? How do you use operational metrics to improve the efficiency of your program? And as the pandemic rages on, these issues become even more critical.
In online polls conducted during a recent Privacy Collective/RadarFirst User Summit Q&A session:
- 59 percent of participants said they had insufficient or no access to the metrics needed to drive efficiency and produce actionable insights.
- 77 percent said they either somewhat leveraged or did not leverage the operational metrics available to them.
So how do you capture and use the metrics you need to justify privacy program ROI to senior executives? And how can these numbers help your program to more efficiently manage privacy risks?
To find out, we talked to Michelle Wraight, director of privacy automation and technology at BNY Mellon, a worldwide banking and financial services holding company. BNY Mellon operates in 35 countries globally and has $2 trillion in assets under management.
How can privacy teams use metrics to justify the value of their program to executives?
“Avoid what I call the “so-what” metrics—those numbers without context around them. To say that you had 25 privacy incidents in the last month doesn’t give any perspective, regardless of the size of your organization.
“Avoid what I call the “so-what” metrics—those numbers without context around them. To say that you had 25 privacy incidents in the last month doesn’t give any perspective, regardless of the size of your organization.
But if you could say those 25 incidents show a downward trend over the last three months due to a specific reason, such as incorporating a new control, then you’ve given meaning to that number.”
“To demonstrate the potential value of that data to your organization, make the metrics you do have meaningful—give them that context—especially if you’ll be expanding those metrics. It’s like having a great appetizer before a big meal. The appetizer is really tasty and you just can’t wait for that great meal. Give your stakeholders a taste of what meaningful metrics could be like, and how automating those metrics could benefit your organization.”
What advice would you give to teams who do not yet have what they need?
“It depends on the type of business you’re in and what your executive management feels is most important to your company. If your number one goal is to improve client satisfaction in your business, perhaps you need to look at metrics such as which privacy incidents directly affected your clients. Which clients did you have to notify? How many times did you notify them? What was their reaction? The value of your organization will really shine when you show how you’re mapping these metrics to the goals of your organization.”
How do you determine what to measure first in order to produce helpful operational metrics for your privacy team?
“For larger firms, focus on the lines of business. When you’re working for a very large organization, it can be difficult to drill down from an enterprise perspective on where your risks are and how the privacy program is operating within the lines of business.”
“We drill down on metrics for each line of business and even regions—especially because privacy laws vary widely in regions across the globe. If there’s a region with an emerging privacy regulation, we may want to look at privacy efficiencies there to identify (and anticipate) any compliance gaps.”
What purpose does each metric serve?
Wraight highlighted three ways privacy professionals can use metrics to improve their programs:
Inform a specific audience
“Make sure you’re targeting your audience for certain metrics. You may have 40 different metrics you’re pulling in on a regular basis, but only 10 of them are applicable to the executive committee. You’ll want to create a meaningful dialogue to explain those metrics and also to explain what you’re doing about them.”
Increase privacy program efficiency
“If you’re performing a program maturity exercise, these metrics can help you define the maturity of your program currently and where you want to be in one, three, or five years.”
Inform organization-wide training
“Human error can be the weakest link in terms of risk. If employees aren’t given the training or exposed to repeated awareness messages, you’re more likely to conduct business in a way that could present risks to your company’s personal information. You can use metrics to identify lines of business, departments, or even individuals who have caused disclosures of personal information and assign training to them.”
How do you turn operational metrics into actionable items to improve your privacy program?
To improve a privacy program, Wraight suggests a data-driven quality strategy from Six Sigma that includes these steps:
- Define the problem, risk, stakeholders, and scope.
- Measure process performance.
- Analyze the process to determine the root causes of poor performance.
- Improve process performance by addressing and eliminating the root causes.
- Control the performance of the improved process by monitoring the metrics or KPIs.
How often does the board seek these metrics versus the privacy team proactively providing them?
“Having spent a lot of my career in information security, I can say that many companies—usually in less-regulated industries—want to see the metrics when news of a cybersecurity issue or privacy disclosure reaches the board level.
“Having the metrics in place before a big breach can help you identify the risks and calculate the numbers that explain how you got there and what the gaps were. It will pay off if you start gathering metrics now, because it’s highly likely that most companies will experience some level of unauthorized privacy disclosure.”
How do you use operational metrics to demonstrate ROI?
“One of the most important components of demonstrating ROI is to be able to ‘train’ your metrics. This demonstrates how you’re trying to improve privacy risks over time and identify areas of risk that require attention moving forward.
“Some companies build a privacy program dashboard. To do this, you need to determine what you’re going to measure and the time intervals for gathering metrics—I recommend monthly, at least. You’ll also need to decide who will do the measuring and who your audience is, such as upper management. And finally, how frequently will you share this information with that audience?
“You need to be able to interpret the meaning of the metrics in your dashboard. Explaining the what, the how, and the why will provide better insight and enable you to make better program decisions.
“Also, consider KPIs or KRIs. In a typical larger organization, you want to partner with stakeholders to ensure you’re identifying the right KPIs/KRIs. These might include the number of staff yet to complete new privacy regulation training or the number of systems without encryption at rest.”’
How can you partner with security/IT to create joint operational metrics that show privacy program value?
“Let me give you an example we’re considering. Your privacy and infosec teams could develop metrics regarding the number of DLP incidents that turn into privacy incidents and the impact that those incidents have on personal information. This really brings home the value of both the DLP system and your privacy program—and how well you are tracking your privacy incidents. By highlighting the privacy aspects of security incidents, both teams can really support each other and drive home improvements for change. It can be an excellent partnership.”