The 2023 Benchmark survey of security pros worldwide found that companies are taking action on customer privacy, but transparency is key.
Cisco’s 2023 Data Privacy Benchmark Study found that companies that invest in closing the gap are benefitting: The study found that the estimated dollar value of benefits from privacy rose more than 13% in 2022 to $3.4 million from $3.0 million the year before, with significant gains across the various organization sizes.
However, 92% of respondents said their companies need to do more to protect consumer data. This finding is about the same as last year, when 90% of respondents expressed that opinion.
SEE: New cybersecurity data reveals persistent social engineering vulnerabilities (TechRepublic)
Cisco: Investing in protecting consumers’ privacy pays dividends
Cisco’s sixth annual 2023 benchmark is a double-blind study based on a survey of over 4,700 security professionals in 26 countries. This survey found that, economic headwinds notwithstanding, organizations are investing in privacy, with spending up significantly from $1.2 million just three years ago to $2.7 million this year, on average, which is a 125% increase.
A Cisco blog about its 2023 Data Privacy Benchmark Survey said its estimated $3.4 million value of benefits from privacy initiatives constituted 1.8 times spending on privacy, with 36% of organizations getting returns at least twice their spending. The study noted that 30% of respondents in the U.S. identified privacy as a job responsibility (Figure A).
Nearly three quarters of organizations Cisco surveyed said they were getting “significant” or “very significant” benefits from privacy investments. These included building trust with customers, reducing sales delays and mitigating losses from data breaches. Some 94% of all respondents indicated they believe the benefits of privacy outweigh the costs overall.
Almost all companies reporting privacy metrics to leadership
Almost every organization (98%) said they are reporting one or more privacy-related metrics to the board of directors, per Cisco, with the average number of privacy metrics at 3.1, up from the 2.6 metrics reported in last year’s benchmark survey (Figure B).
The most-reported privacy metrics include:
- The status of any data breaches.
- Impact assessments.
- Incident response.
Privacy legislation continues to be very well-received around the world. Seventy-nine percent of all corporate respondents said privacy laws have had a positive impact, and only 6% indicated that the laws have had a negative impact.
Companies can do more to reassure customers about privacy
Ninety-two percent of respondents to Cisco’s survey said their organizations need to do more to reassure customers about their data, and organizations’ privacy priorities differ with those expressed by consumers. The study also found:
- 90% said global providers are better able to protect their data compared with local providers.
- 94% of organizations said their customers won’t buy from them if data is not properly protected.
- 95% said all their employees need to know how to protect data privacy.
Still, a look at Cisco’s 2022 Consumer Privacy Survey suggests a persistent disconnect between data privacy measures by companies and what consumers expect from organizations, especially regarding how organizations apply and use artificial intelligence (Figure C).
Consumers are willing, sort of, to give AI the benefit of the doubt
Last year, Cisco issued a responsible AI framework and principles for responsible AI, in which the company stated it “informs customers when AI is being used to make decisions that affect them in material and consequential ways. Customers and users can then inform us of their concerns or let us know when they disagree with decisions.”
SEE: How does data governance affect data security and privacy? (TechRepublic)
In the 2022 Consumer Privacy Survey referenced above, Cisco reported that consumers showed some willingness to share data for AI models but are dubious on how that data will be used:
- 43% of consumers said they thought AI could be useful.
- 54% were willing to share anonymized personal data to improve AI products.
- 60% expressed concern about the business use of AI.
- 65% said they had already lost trust in organizations over their AI practices.
Consumers also said the top approach for making them more comfortable would be to provide opportunities for them to opt out of AI-based solutions. Only 21% of organizations participating in this year’s 2023 privacy benchmark survey said they would put in place ways for consumers to opt out of AI opportunities.
How organizations are mediating the AI relationship
Cisco’s 2023 privacy study suggests that organizations are taking steps to make consumers more comfortable with AI:
- 63% of organizations said they are ensuring a human is involved in the process.
- 60% said they are explaining how the AI application works.
- 55% are adopting AI ethics principles.
- 53% said they are applying an AI ethics management program to identify and reduce unintended bias.
- 47% said they are auditing for bias.
Cisco recommends baking in transparency, privacy and AI ethics
With exponential increases in the use of AI-driven metrics and business intelligence, based on the study’s findings, Cisco has recommendations toward improving organizations’ trustworthiness and maximizing the benefits of privacy investments:
- Invest in privacy throughout the organization, especially among security and IT professionals and those involved directly with personal data processing and protection.
- Bake transparency into customer communications around how customers’ personal data is being used. Pointedly, compliance should be considered table stakes and transparency a business imperative because it is the key to trust, per Cisco.
- Ensure that AI design walks lockstep with AI ethics principles, and that there are preferred management options to reassure customers, deliver greater transparency to the automated decision and ensure that a human is involved in the process when the decision is consequential to a person.
- Consider the costs and consequences of data localization and recognize that local providers may be more expensive and degrade the functionality, privacy and security of data than global providers operating at scale.
Read next: Artificial intelligence ethics policy (TechRepublic Premium)