
Good morning,
As tech transformations—for example a business unit built around A.I. or a new app geared toward personalized customer experience—have picked up steam in recent years, so have cyber risks and data privacy concerns.
But when organizations look internally for risk mitigation and compliance with data privacy laws, there’s a lack of qualified people to do that work, according to a new report by ISACA, a professional IT governance association. Both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skills gaps. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in areas such as IT, audit, compliance, and risk management.
Non-compliance with privacy laws and regulations, like Europe’s General Data Protection Regulation or even state laws including the California Consumer Privacy Act (CCPA), is costly, Safia Kazi, principal of ISACA’s privacy professional practices, tells me. CCPA had compliance updates go into effect on Jan. 1, regarding providing employees and job applicants notice of the company’s privacy practices.
So this is an issue that may fall under a finance chief’s purview. “CFOs’ risk expertise is invaluable,” Kazi says. “This is especially true with regard to procurement.” Not only can third parties be the source of a significant privacy breach, but selecting unqualified third parties can result in a “devastating privacy violation and fine,” Kazi says. About a quarter of the survey respondents said they always or frequently work with their organization’s finance department. But that percentage may need to increase.
'Security incidents and privacy incidents are not the same'
But lots of risk means lots of reward—at least for the VCs investing in this new generation of cybersecurity products. The global cybersecurity market is expected to reach $403 billion by 2027 as my colleague Lucy Brewster details in her new report, “Cybersecurity is red hot. Here are the top 13 VCs to know.” The VCs she features include Chenxi Wang, who invested in the software-as-a-service (SaaS) cybersecurity platform Claroty, and Ariel Tseitlin, who invested in the SaaS security platform AppOmni—products that may one day be standard in a secure organization.
Regarding having a designated data privacy program, ISACA’s survey found that 42% of respondents said their privacy budget is underfunded, and just 34% indicated their privacy budgets will increase in 2023. Meanwhile, 40% said there wasn’t clarity on the mandate, roles, and responsibilities, and 39% cited a lack of executive or business support.
“Ransomware was a big concern last year, and many organizations took steps to be prepared for a ransomware attack,” Kazi explains. “But it’s possible that they view security incidents and privacy incidents as one and the same, which they are not. Heavily investing in security without also thinking about privacy is a serious misstep—something as seemingly small as an improper privacy notification to customers (which would not be addressed through any security investments) may cost an enterprise millions of dollars and reputational harm.”
She continues, “Some organizations’ board members may not fully understand the difference between security and privacy and consequently not prioritize privacy appropriately.”
Both cybersecurity and privacy are essential, Kazi says. But she points out one caveat: “It is impossible to have privacy without security, but it is possible to have security without privacy.”
She added, “Digital trust is increasingly becoming a board and C-suite priority, and privacy is a key component of digital trust.”
*Quick note: Thanks to the finance chiefs who took the time to answer the question: What is the most important thing you did before landing your first CFO position? (For example, was it networking, P&L management, or something else?) What made you ready to take on a CFO position? There's still time to share your experience and insights with the next generation of CFOs for an upcoming column. Send me an email!
See you tomorrow.
Sheryl Estrada
sheryl.estrada@fortune.com