Privacy professionals with the necessary technical skills are in demand and hard to find even for well-funded businesses, according to a new report from the IT governance association ISACA. Companies are having a more difficult time staffing technical privacy teams than filling out their legal and compliance teams, and long delays in filling vacancies and understaffed departments are common. With demand for these specialized professionals only expected to increase in the short term, hiring managers are looking to train current employees to become experts on specific regional regulations, such as the EU's General Data Protection Regulation (GDPR).
The report surveyed more than 1,800 ISACA members around the world, and the majority of those surveyed had a Certified Information Security Manager (CISM) or Certified Information Systems Auditor (CISA) certification.
Privacy programs are now considered a priority
ISACA finds that support for privacy initiatives from (and the tone set by) the board of executives is key to successful privacy programs. That said, it appears that most boards now recognize this and are making data privacy a priority. Most of the boards of directors surveyed see privacy as a combination of a regulatory requirement and an ethical issue. A large majority of respondents (69%) noted that the business privacy strategy is now also aligned with the overall goals of the organization. And only 4% of organizations reported that they don't yet have a single person responsible for privacy decisions.
The survey also indicates that privacy teams interact frequently with other related departments: privacy teams typically work with information security teams (79% of organizations), legal and compliance teams (70%), and internal audit / risk management staff (57%). Privacy teams are typically led by a Chief Information Security Officer (CISO) or Chief Privacy Officer (CPO); they are about half as likely to be headed by a CEO or information officer. In less frequent cases, programs are run by a chief compliance officer, board member, or other staff member.
How do privacy teams spend their time? Most of it goes to evaluations. Privacy professionals also spend a lot of time responding to internal requests, establishing or modifying governance, reviewing guidance and regulatory requirements, responding to issues or threats, following up on stakeholder requests, and training. While only 11% of respondents said that training was an important component of their regular duties, only 14% of organizations do not conduct any type of privacy training. Privacy training most often occurs annually, but just over half of organizations are now doing it as part of new hire training.
And how are privacy programs evaluated internally? Organizations most frequently use employee privacy program completion rates (66%) as a key metric. Other common metrics are the number of privacy incidents experienced and the number of privacy complaints received. 46% are conducting privacy risk assessments, 42% are conducting privacy impact assessments, 38% are conducting privacy self-assessments, and 37% have a privacy audit.
In a hot market for privacy professionals, companies are looking inward
The workload for privacy professionals is growing, but demand exceeds supply. Even with companies lowering hiring requirements (such as no longer strictly requiring applicants to have a legal or compliance background), a total of 43% of respondents said they had a related position that was not filled. 14% of respondents said it takes more than six months to fill a technical privacy position, and 12% said it takes that long to fill a legal / compliance position. About a fifth of respondents said the expected time to fill these positions increased in 2020. Only 2% of organizations regularly fill these positions within two weeks, and most respondents need at least three months to find appropriate privacy professionals.
Finding qualified candidates is a great challenge. 96% of respondents said that some compliance or legal experience was very important, 94% wanted applicants to have a prior privacy role, 93% were looking for specific credentials or technical expertise, and 80% wanted to see the completion of relevant training courses. 13% of those surveyed said that more than 60% of their applicants were not eligible for positions requiring legal or compliance experience. Surprisingly, only 36% of respondents said the legal and compliance teams were understaffed compared to 46% of technical privacy teams.
How many positions are these organizations looking to fill? There is great variation between different companies and industries in workforce trends, but the average among respondents is about 22 full-time positions for privacy professionals per company and a median staff of seven. 59% see that legal and compliance roles in privacy will increase in the near future, and 70% see an increased need for technical privacy staff. Only 2% considered that staff reduction in any of these areas could be possible.
To combat these shortages and close skills gaps, organizations frequently turn to cross-training. 22% of respondents said that none of their current privacy staff started their career in privacy or compliance. 24% said that less than 20% of their staff started out as privacy professionals. Privacy teams are drawn from legal and compliance professionals, technical IT staff, risk professionals, and security professionals.