Despite cybersecurity being top of mind for the C-suite, data privacy is lagging, a new report finds

January 24, 2023, 12:29 PM UTC

Good morning,

As tech transformations—for example a business unit built around A.I. or a new app geared toward personalized customer experience—have picked up steam in recent years, so have cyber risks and data privacy concerns.

But when organizations look internally for risk mitigation and compliance with data privacy laws, there’s a lack of qualified people to do so, according to a new report by ISACA, a professional IT governance association. Both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skills gaps. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in IT, audit, compliance, and risk management, for example.

Non-compliance with privacy laws and regulations, like Europe’s General Data Protection Regulation or even state laws including the California Consumer Privacy Act (CCPA), is costly, Safia Kazi, principal of ISACA’s privacy professional practices, tells me. CCPA had compliance updates go into effect on Jan. 1, regarding providing employees and job applicants notice of the company’s privacy practices. 

So this is an issue that may fall under a finance chief’s purview. “CFOs’ risk expertise is invaluable,” Kazi says. “This is especially true with regard to procurement.” Not only can third parties be the source of a significant privacy breach, but selecting unqualified third parties can result in a “devastating privacy violation and fine,” Kazi says. About a quarter of the survey respondents said they always or frequently work with their organization’s finance department. But that percentage may need to increase. 

‘Security incidents and privacy incidents are not the same’

But lots of risk means lots of reward—at least for the VCs investing in this new generation of cybersecurity products. The global cybersecurity market is expected to reach $403 billion by 2027 as my colleague Lucy Brewster details in her new report, “Cybersecurity is red hot. Here are the top 13 VCs to know.” The VCs she features include Chenxi Wang, who invested in the software-as-a-service (SaaS) cybersecurity platform Claroty, and Ariel Tseitlin, who invested in the SaaS security platform AppOmni—products that may one day be standard in a secure organization.

Regarding having a designated data privacy program, ISACA’s survey found that 42% of respondents said their privacy budget is underfunded, and just 34% indicated their privacy budgets will increase in 2023. Meanwhile, 40% said there wasn’t clarity on the mandate, roles, and responsibilities, and 39% cited a lack of executive or business support. 

“Ransomware was a big concern last year, and many organizations took steps to be prepared for a ransomware attack,” Kazi explains. “But it’s possible that they view security incidents and privacy incidents as one and the same, which they are not. Heavily investing in security without also thinking about privacy is a serious misstep—something as seemingly small as an improper privacy notification to customers (which would not be addressed through any security investments) may cost an enterprise millions of dollars and reputational harm.”

She continues, “Some organizations’ board members may not fully understand the difference between security and privacy and consequently not prioritize privacy appropriately.”

Both cybersecurity and privacy are essential, Kazi says. But she points out one caveat: “It is impossible to have privacy without security, but it is possible to have security without privacy.”

She added, “Digital trust is increasingly becoming a board and C-suite priority, and privacy is a key component of digital trust.”

*Quick note: Thanks to the finance chiefs who took the time to answer the question: What is the most important thing you did before landing your first CFO position? (For example, was it networking, P&L management, or something else?) What made you ready to take on a CFO position? There’s still time to share your experience and insights with the next generation of CFOs for an upcoming column. Send me an email!

See you tomorrow.

Sheryl Estrada


Big deal

The global corporate leadership training market size is estimated to grow by $18.59 billion from 2021 to 2026 at a compound annual growth rate of 9.51%, according to a report by Technavio, a global technology research company. North America is projected to account for 41% of the market's growth during the forecast period. One of the key corporate leadership training market trends is the emergence of gamification in corporate training, expected to impact the industry positively in the forecast period, according to the report.


Going deeper

FICO (NYSE: FICO), an analytics software platform provider, has released its third annual "State of Responsible A.I. in Financial Services" report, developed in collaboration with market intelligence firm Corinium. Half of 100 C-level A.I. leaders in the financial services sector surveyed said A.I. initiatives are a higher priority than 12 months ago. But 71% said their organizations have not implemented ethical and Responsible A.I. in their core strategies. Just 8% of respondents report that their A.I. strategies are fully mature with model development standards consistently scaled.


Patrick Hallinan was named EVP and CFO at Stanley Black & Decker (NYSE: SWK), effective April 6. Hallinan, who succeeds interim CFO Corbin Walburger, will report to Donald Allan Jr., president and CEO. Walburger will resume his previous role as VP of business development. Hallinan joins Stanley Black & Decker from Fortune Brands Innovations, a home, security, and commercial building products company, where he served as EVP and CFO. He had a 17-year career at the company, including various finance and technology leadership and general management roles across business segments. Before Fortune Brands, Hallinan worked at Booz Allen Hamilton as a principal in the firm's automotive, aerospace, and industrial goods practice.

David Barry was named EVP and CFO at Fortune Brands Innovations, Inc. (NYSE: FBIN), effective March 2. Barry will succeed Patrick Hallinan. Barry has been SVP of finance and investor relations at Fortune Brands since April 2021. Before that, he was CFO and SVP for the company’s water segment. He joined the company in 2015 as senior director of financial planning and analysis, strategic planning, and business development and was promoted to VP of finance in 2017. Before his time at Fortune Brands, Barry held various senior financial roles at J.M. Huber Corporation.


“The final stages of the bear market are always the trickiest, and we have been on high alert for such head fakes. Suffice it to say, we’re not biting on this recent rally because our work and process are so convincingly bearish on earnings.”

—Mike Wilson, Morgan Stanley’s chief investment officer and chief U.S. equity strategist, wrote in a Sunday research note. Although the S&P 500 has jumped more than 5% year to date, Wilson believes corporate earnings are still set to take a hit, which would make the rise just another bear market rally, Fortune reported.

This is the web version of CFO Daily, a newsletter on the trends and individuals shaping corporate finance. Sign up to get it delivered free to your inbox.
