New report reveals technical privacy skills gaps impacting privacy programs

The report, which examines responses from the global ISACA State of Privacy survey conducted in the third quarter of 2021, highlights the persistent understaffing that is impacting enterprise privacy teams. Respondents indicate that both legal/compliance (46 per cent of respondents) and technical privacy roles (55 per cent of respondents) at enterprises are understaffed, and the issue has only worsened since last year. Forty-one per cent also report that the biggest challenge in forming a privacy program is a lack of competent resources.

According to Jo Stewart-Rattray, Information Security Advisory Group, ISACA, as Australia seeks to amend and update its national privacy law following a discussion paper released in October 2021 seeking submissions, it is imperative that understaffing issues and skills gaps are addressed.

"Privacy professionals are critical in ensuring enterprises adhere to privacy laws and regulations and protect the personal data of customers and staff, particularly challenging in this era which has seen the explosion of e-commerce," Stewart-Rattray said.

"There is no doubt the spotlight will be on this important sector as Australian privacy legislation is assessed to more accurately reflect the realities of the digital economy."

In line with this, global survey respondents largely expect that privacy professionals will only become more in-demand, with 63 per cent anticipating increased demand for legal/compliance roles and 72 per cent expecting more demand for technical privacy roles.

In seeking professionals to fill these roles, respondents indicate they are looking for three key things:

• Compliance/legal experience (62 per cent);
• Prior hands-on experience in a privacy role (56 per cent); and
• Technical experience (48 per cent).

A university degree is not necessarily a prerequisite - 29 per cent of respondents say that it is not an important factor when evaluating a candidate.

However, respondents indicate that candidates do not always have the skills required for these roles, citing these common skills gaps:

VIEW ALL

• Experience with different technologies and/or applications (64 per cent);
• Understanding the laws and regulations to which an enterprise is subject (50 per cent);
• Experience with frameworks and/or controls (50 per cent); and
• Lack of technical experience (46 per cent).

People are an essential component of any privacy program. Both the privacy professionals driving the work forward and employees across the enterprise who follow good data privacy practices, according to Safia Kazi, ISACA privacy professional practice advisor.

"Enterprises need to sufficiently invest in their privacy programs and teams, not only to retain privacy staff and up-skill talent to fill open roles, but to also prioritise privacy training efforts to ensure all employees are supporting privacy initiatives," Kazi said.

Despite issues with staffing and skills gaps, 41 per cent of respondents report they are very confident or completely confident in the ability of their privacy team to ensure data privacy and achieve compliance with new privacy laws and regulations. One in 10 respondents’ enterprises have experienced a material privacy breach in the last 12 months, consistent with last year’s results.

When exploring the main types of privacy failures that enterprises experience, survey respondents point to these as the most common:

• Not building privacy by design in applications or services (63 per cent)
• Lack of training (59 per cent)
• Bad or nonexistent detection of personal information (47 per cent)

When it comes to privacy training at enterprises, most (71 per cent) respondents perceive privacy training to have a positive impact. However, the survey finds that many may approach it as a "check the box" exercise, with nearly 70 per cent indicating that they evaluate the success of a privacy training program by looking at the number of employees who complete the training rather than measuring the efficacy of the training.

To further protect themselves, many enterprises implement additional privacy controls in addition to what they are legally required to do, including encryption (76 per cent), identity and access management (74 per cent) and data security (71 per cent).

"Privacy professionals are vital in driving transparency and accountability across their organisations, and that has never been more important, as more consumers, employees and investors dictate the success of organisations that they do, or don’t, trust," Alex Bermudez, OneTrust privacy manager, further explains.

"The role of the privacy professional continues to evolve, with many now taking their organisations on a journey from compliance to building trust as a competitive advantage - helping to make companies stand out based on the values they hold and the commitments they fulfil.

"Continuing to monitor the changes in resources, board-level sponsorship, and the positive trajectory of privacy at-large form an important part of a privacy professional’s value, and impact on an organisation."

[Related: Telstra set to launch Sovereign SecureEdge cyber security capability]