Data privacy concerns are causing significant sales cycle delays for up to 65 percent of businesses worldwide, according to findings in the new Cisco 2018 Privacy Maturity Benchmark Study. In addition, the study shows that privacy maturity is connected to lower losses from cyber events – 74 percent of privacy-immature organizations experienced losses of more than $500,000 last year caused by data breaches, compared with only 39 percent of privacy-mature organizations.
Privacy maturity is a framework defined by the American Institute of Certified Public Accountants (AICPA) and is based on Generally Accepted Privacy Principles (GAPP). Cisco said that the study surveyed nearly 3000 global security professionals in 25 countries regarding their privacy maturity and any effects of data privacy on their business. A surprising two-thirds of respondents indicated that data privacy was causing delays in their sales cycles, with an average estimated delay of 7.8 weeks.
The pending May 2018 enforcement of the General Data Protection Regulation (GDPR), the new law enacted to increase protections of European Union (EU) citizens’ privacy and personal data, might also be a factor in these delays. Customers are increasingly concerned that products and services they buy provide appropriate privacy protections. GDPR’s provisions apply to any company that processes, stores, or uses this data.
Respondents were asked to assess their current privacy maturity level, according to the standard AICPA model, which defines five privacy maturity levels: ad hoc, repeatable, defined, managed, and optimized. The study found that the average sales delay for those with ad hoc maturity was 16.8 weeks, but delays decreased for businesses with higher privacy maturity levels. Businesses with optimized privacy processes reported 3.4 weeks of sales delay, which is an 80 percent reduction compared to ad hoc organizations.
Geography and industry also appear to play a significant role in the length of delay. Given these widespread and significant delays, every company should assess its own situation to evaluate where customer privacy concerns might postpone business. Aside from legal compliance, depending on the potential revenue effects and their current privacy maturity level, companies should explore the return on investment of privacy process improvements and the beneficial effects that deploying such measures could have on sales.
Companies in the government and healthcare sectors exhibited the longest average sales delays—19 weeks and 10.2 weeks, respectively—compared to other industries. Companies in the utilities, pharmaceuticals, and manufacturing sectors reported the shortest average delays, all 3 weeks or less.
By geography, Latin America and Mexico are experiencing the longest sales delays, at 15.4 weeks and 13 weeks, respectively. China and Russia have the shortest delays, at 2.8 weeks and 3.3 weeks, respectively, said report.
The average sales delay (in weeks) by privacy maturity stage were as follows: ad hoc (16.8), repeatable (9.8), defined (5.1), managed (4.4), and optimized (3.3). Since organizations in the defined stage experienced 70 percent shorter sales delays vs. those in the ad hoc stage, companies might benefit significantly from moderate improvements in privacy maturity. Those that are “optimized” saw 80 percent shorter delays, said study.
Overall, 53 percent of respondents reported losses greater than $500,000 related to cyberattacks in the last 12 months. Privacy-immature companies (i.e., ad hoc stage) had the highest percentage (74 percent), with the percentage decreasing with increasing privacy maturity. The other levels were repeatable (66 percent), defined (49 percent), managed (43 percent), and optimized (39 percent).
Given the potential effects of these delays on sales and revenues, Cisco advises organizations to take the steps like – Measure current delays: Assess the scope of sales delays due to data privacy issues and understand how much sales revenue might be affected by the delays. Assess root causes: Portions of a delay may be caused by sales teams being unable to address customer concerns, incomplete or inaccessible corporate policies, or engineering/design issues. Executives need to know root causes to determine resolutions.
Establish ongoing metrics and targeted initiatives: Regularly measure and track the sales delay metric, and set priorities for appropriate investments to reduce the delays. Explore effects on cyber losses: Assess the cause of any data breaches and losses that might have been avoided through more mature data privacy processes. Develop a data privacy and protection plan: If such a plan does not currently exist, plan to create policies and protocols that contribute to good security hygiene.
“This research demonstrates that good privacy is good for business, and organizations need to invest in data privacy governance and process to reap the benefits,” said Michelle Dennedy, Chief Privacy Officer, Cisco.