Jared Maslin
February 2022
The Business Case for Privacy

A colleague asked me recently, “How do we convince CEOs to pay for privacy?” It’s a common question we get in the consulting space. The short answer is that there is no single business case for privacy. Privacy is a nuanced, contextual subject, and one that leaders across sectors struggle to address consistently, so “selling” privacy is as audience-specific as many other compliance-related or advisory functions.

As a privacy person who has worked with a wide variety of organizations, I find that each new privacy challenge reminds me of how much we can and should learn from security. Like an older sibling, security has its own tendencies, motivations, and mannerisms, and there is a critical opportunity for privacy, as the younger sibling, to learn from its older, more experienced one. I say this as a little brother who should have learned more from his older siblings. In the spirit of continual improvement, let’s take that lesson and apply it to some of the many privacy challenges facing us today.

If there’s no universal business case for privacy, then how does privacy get funded? Successfully selling privacy work means connecting privacy initiatives to core business objectives and organizational performance. While some businesses see privacy as a potential differentiator, or even a catalyst for diversified revenue generation, many still see it as a cost-avoidance, compliance-related topic that garners only as much focus as is necessary to manage enterprise risk and keep regulators at bay.

Furthermore, different functional areas within an enterprise hold very different views of the relative importance, urgency, and potential impact of privacy best practices. For example, user experience leaders assess privacy regulatory obligations and risk differently than sales and marketing leaders, data infrastructure stewards, engineering heads, analytics managers, and even core risk and compliance professionals. So, if everyone has a different approach, and the only constant in privacy demand seems to be a lack of consistency, how can you develop and champion privacy engagements (either as an internal resource or an external supporter)? Here are some core areas to focus on when pursuing a privacy initiative:

  1. Study the culture of the organization and develop an understanding of their overall risk profile.
    • Every organization, no matter how similar on the surface, holds a unique risk appetite – the degree of risk that it finds palatable as an organization and a leadership team. Even businesses seen as peers or competitors can vary greatly under the surface in the risk they are willing to accept. Privacy is an area where this becomes clear very quickly: privacy policies are written differently, messaging about best practices varies, and the standards applied in normal operations depend on what is required versus what may just be nice to have. Task number one is to determine how an organization views risk mitigation and how much risk it is willing to swallow overall. With this, you can place yourself in the shoes of the leadership team and apply risk-based strategy and decision making at a material, fit-for-purpose level.
  2. Identify key operating initiatives, leadership objectives, and organizational messaging trends (including public facing materials and financial reporting, where applicable).
    • Anyone who’s ever spent time in forecasting and budgeting periods is likely to see a trend in what gets approved and what gets placed on the back burner. Approved projects normally key in on specific objectives and performance measures that matter to members of the leadership team, whereas deprioritized projects (whose merit may very well be as great as, if not greater than, that of the approved projects) often lack a strong connection to leadership goals, objectives, and cultural initiatives. In this way, privacy projects are very much like any other corporate project: the likelihood of a proposal succeeding correlates strongly with one’s ability to connect that project to the core needs and passions of leadership team members. As such, develop clear, succinct messaging that aligns the details of your privacy project with the needs and motivations of the leadership team you’re seeking to support.
  3. Make direct, actionable connections between business objectives and privacy regulations and related market influences that can support those objectives.
    • Most messaging in the privacy space is tied to regulatory changes and new or evolving requirements for maintaining privacy compliance. That said, not every leader reacts positively to the idea of spending for compliance’s sake alone. Instead, it’s critical to tie the short- and long-term impacts of your proposal to both the risk mitigation and the revenue generation aspects of privacy investment. These benefits, when aligned directly with the goals of the business and the public persona seen by customers, can make the difference between a green-lit project and a “maybe later” idea.
  4. Integrate messaging from legal and compliance professionals with functional leadership in your organization for a cohesive value proposition.
    • Poorly crafted or non-extensible messaging can kill even the best, most effectively designed privacy projects, but this isn’t unique to privacy at all. So, refer back to the tried and true “know your audience”, and craft communications accordingly. A single pitch for all audiences is like threading the world’s smallest needle with its biggest thread: awkward, difficult, and neither an intuitive nor an effective way to influence decision makers. Instead, invest time in understanding how your project may impact (and, as importantly, could benefit) each distinct audience, so that you put the most succinct and well-oriented narrative in front of those with the influence to give your initiative a green or red light.
  5. Design your approach and solution to match the distinct needs, expectations, and goals of your organization – not to a checklist of compliance or a template from other organizations.
    • After years in this space, I’m often asked, “Do checklists sell?” I must begrudgingly admit that yes, they sometimes do. However, they do most organizations a disservice, serving as faux panaceas in a world where none yet exist. Checklist-based solutions are often presented as “easy buttons” for compliance: do these 15 things and thou shalt be compliant! Yet we see time and time again that these solutions are short-term engagements with an unavoidable long-term expense. That is, they create privacy programs without longevity or sustainability. They may be cheaper than more in-depth solutions, but the technical and procedural debt built up by expecting an easy path through a complex and fast-evolving space like privacy makes checklists obscenely harmful, and often far more expensive in the long run than customized, thoughtful privacy endeavors. Fit-for-purpose solutions are far more likely to serve as a stable foundation for continued privacy compliance, in a manner that won’t break the bank long term and actually has a hope of sustained success.

So, how do we get CEOs to pay for privacy? Well, CEOs aren’t the only (or even the primary) buyers of privacy support services, and making that assumption can severely lessen one’s ability to get a meaningful privacy initiative off the ground. Instead, you have to assess the organization, its risk posture, and the needs and demands of its leadership and customer bases. With this more complete view of the operating environment, you unlock a myriad of potential solutions that can be positioned in a manner your audience is receptive to and that actually have the potential for long-term success and sustainability.

Many security teams started largely as standalone functions, tasked with magically achieving security for an entire organization. It’s a simple idea, really: hire security professionals and they will take care of the problem. In practice, those organizations developed intriguing roadmaps for security but failed to socialize them, for lack of partnership and buy-in from functions across the business. Privacy has the chance to avoid repeating that mistake. When you build a privacy initiative the way described above, in partnership with the functions it touches:

  1. Leaders get an initiative that prioritizes their needs and incorporates the objectives that motivate their own (and their partners’) actions.
  2. You get an opportunity to drive meaningful change in a space that is critical to long-term risk mitigation and revenue preservation.
  3. And lastly, customers get a business with an intentional, clearer approach to privacy compliance that they can rely on as users of a given product or service.

Put another way, when you use this approach, everyone wins.

Thanks to Jennifer Chen and Jessica Traynor.