Welcome to The Rebuttal, where we read articles on privacy or security and rebut some of the points made by the author.
This week, I read a great LinkedIn blog post by Jay Cline. The title is "A CEO primer on data privacy strategy." He made me laugh and cry when he said that if a business doesn't remember approving a privacy strategy, then its de facto strategy is "to comply with privacy laws and contractual terms, spending the least amount of money possible."
This is so true. It is also true in the security world. I am quite sure all my vCISO colleagues would agree that the "minimum viable security" approach is all too common in information security.
In fact, my colleague, Brian Blakley, posted on LinkedIn an approach to risk assessments that I think gets at the same point. Brian is a virtual CISO and implements risk assessments. In this particular post, he suggested a simple strategy and process to invoke for risk assessments. As Mr. Cline said, not having a process means the business does the minimum, so Brian is also trying to help businesses go above minimum viable security. I can only assume he did this because he, too, struggles with clients who want minimum viable security.
However, the reason I included Mr. Cline's blog post in The Rebuttal is that I disagree with the objective he gives for having a data privacy strategy. He says the objective is Trust. I believe the objective is the same as most other company objectives and aligns with the CEO's objective. To put it plain and simple, it is Revenue.
Revenue is what a CEO is responsible for at their company. It is their primary objective. So, if you want to get their attention as to why the business needs a data privacy strategy and to put real budget behind it, well, you must present it as fulfilling their objective.
And there is no doubt that data privacy and data security fulfill a revenue objective. Sure, trust is a part of it. But to win customers and retain them, a business must be able to answer the customer's questions about how the data will be used and secured. It is the same as answering product questions.
If you can't do that, you can't get revenue and you can't keep it.
I have talked to a lot of CEOs who admitted to losing deals because of a lack of a data privacy and data security strategy. The minimum viable compliance and security approach isn't enough. So, if you need to argue for a budget to build your program, tell the CEO it fulfills their primary objective: revenue.