
Budgeting considerations for continuous monitoring of data privacy and security

Ambler T. Jackson (amblertjackson@gmail.com) is a privacy subject matter expert located in Washington, DC, USA.

Businesses have traditionally monitored performance on a continuous basis. In the digital age that we live in, and considering the amounts of personal data collected, used, and shared by businesses, organizations, and governments, monitoring performance is no longer enough. Businesses and organizations must also monitor data-driven business practices (e.g., collecting and sharing personal data) and information technology (IT) systems that process personal data. Cyberattacks involving the compromise or loss of personal data are becoming increasingly common for organizations and businesses that collect, maintain, and use personal data. Compromised personal data may lead to identity theft of the data subject, embarrassment, or reputational harm to the compromised company. Therefore, continuous monitoring of business practices and IT systems is not only the appropriate, and in some cases mandated, course of action; it is simply the right thing to do.

Today, many organizations have a cybersecurity program. Depending on the size and the industry, a privacy program may fall within the organization’s larger cybersecurity program. Perhaps both privacy and security fall under the broader cybersecurity program. Some organizations may only have a privacy program, and no cybersecurity program at all. Others may simply have an IT department that focuses on security, but considers data privacy when necessary to meet a business need. Regardless of how data privacy and security are embedded in the organization, it will be necessary to continuously monitor activities that may pose a risk to data privacy and to the security of data assets. Continuously monitoring business practices and IT systems that collect personal information is required to appropriately manage risk. Implementing such a program requires resources, and a budget is required to obtain those resources.

Budgets for continuous monitoring activities will vary. The budget for a Big Tech company and the United States government will not be the same. Similarly, the budget for a new start-up in the online retail space and a new healthcare service will not be the same. In September 2018, the White House released the National Cyber Strategy, which reinforces ongoing work and provides strategic direction for the federal government to act on short- and long-term improvements to cybersecurity for the government, private sector, and individuals. The National Cyber Strategy: (1) recognizes that private and public entities have struggled to secure their systems as adversaries have increased the frequency and sophistication of their malicious cyberactivities, and (2) directs the federal government to do its part to ensure a secure cyber environment for our country. The FY 2020 President’s Budget includes $17.4 billion of budget authority for cybersecurity-related activities, a $790 million (5%) increase above the FY 2019 estimate.[1]
