ISACA 2023 Annual Privacy in Practice Research Report (English)
Privacy in Practice 2023
© 2023 ISACA. All Rights Reserved.

Contents

- Abstract
- Executive Summary
  - Key Findings
- Survey Methodology
- Privacy Staffing
  - Skill Gaps
- Privacy Budgets
- Privacy Program Trends
  - Privacy Team Interaction With Other Areas
  - Boards of Directors Privacy Involvement
  - Monitoring Privacy Programs
- Privacy Awareness Training
- Privacy Frameworks, Laws and Regulations
- Privacy Breaches and Failures
- Privacy by Design
- The Future of Privacy
- Conclusion
- Acknowledgments

Abstract

Privacy in Practice 2023 reports the results of the ISACA global State of Privacy Survey, conducted in the fourth quarter of 2022. This report focuses on privacy staffing, budgets, program trends, awareness training and breaches, and privacy by design. Some survey findings are consistent with last year's survey results, while others indicate relief from some of the privacy challenges identified last year.

Executive Summary

Privacy in Practice 2023 explores trends in privacy staffing, budgets, programs, awareness training and privacy by design, based on the results of the ISACA global State of Privacy Survey, conducted in the fourth quarter of 2022. Strong enterprise privacy practices are critical in a rapidly evolving privacy regulatory landscape. Privacy violations erode customer trust and increasingly result in enterprise reputation damage and significant fines. Enterprise privacy programs that aim to protect data subjects and gain their trust set their enterprises apart from competitors. This white paper explores the state of organizational privacy.

Key Findings

The following are key survey findings:

- Technical privacy roles are slightly more likely to be somewhat or significantly understaffed than legal/compliance privacy roles, although both types of roles are impacted by staff shortages.
- Technical privacy roles are significantly more likely than legal/compliance privacy roles to have increased demand in the next year.
- Experience is considered the most important factor in determining if a privacy-position candidate is qualified.
- The demand for privacy professionals is expected to increase over the next year for technical privacy professionals and legal/compliance privacy professionals.
- Privacy teams interact most frequently with information security, legal/compliance and risk management teams.
- Enterprises that practice privacy by design are more likely to:
  - Have adequately staffed privacy teams
  - Believe that their board of directors appropriately prioritizes enterprise privacy
  - Require documented privacy policies, procedures and standards
  - Use more privacy controls overall than are legally required
  - Feel their privacy budget is appropriately funded

Survey Methodology

In the fourth quarter of 2022, ISACA sent survey invitations globally to approximately 46,000 ISACA constituents who hold the ISACA CSX Cybersecurity Practitioner Certification (CSX-P), Certified Information Security Manager (CISM) or Certified Data Privacy Solutions Engineer (CDPSE) designation, or have "privacy" in their job title. Survey data were collected anonymously via Survey Monkey. A total of 1,890 respondents completed the survey; their responses are included in the results.

The most commonly held certification is the CISM certification: Seventy-five percent of respondents hold the CISM certification, 42 percent hold the Certified Information Systems Auditor (CISA) certification and 35 percent hold the CDPSE certification. Forty-three percent of respondents are in a management role, 26 percent are in senior leadership positions, 21 percent are individual contributors and 10 percent are in executive leadership positions. Figure 1 shows additional information about survey respondents.

[Figure 1: Respondent Demographics. Panels: Region; Top industries; Total revenue; Number of employees at organization; Years of experience.]

Privacy Staffing

According to the survey findings, the mean number of full-time-equivalent employees who have privacy-related responsibilities within an enterprise is 26, which is slightly higher than last year's average (25). Privacy staff roles include legal/compliance practitioner, technical IT staff, risk professional or security professional. Figure 2 shows the percentage of staff in each of these roles. Privacy practitioners can usually be classified into one of two groups: legal/compliance or techni