I learn a lot by watching television. Oh, not the programs; I am referring to the commercials. They tell me what people value and how some companies seek to capitalize on those values. Some years ago, I realized while watching a football game that one of my career objectives had been met. There were companies advertising that their hardware and software were secure. After years of writing, speaking, and teaching about the importance of information security, the general public was taking notice, and the private sector was responding to that concern. Wow!
Commercials for Privacy
A few years ago, there was a spate of commercials stressing that a company’s products would protect the privacy of their customers’ data.1 These ads underscored a significant evolution in society’s perception of data privacy, from something that was required by law to a value that had economic value in itself. It meant that some companies believed that people would willingly pay a premium for products that had privacy features. Whether there was actually any new technology involved was unimportant. What mattered was the perceptions of the marketplace, meaning that privacy was profitable.
Alas, I do not see these commercials anymore. Today, the security pitch concerns cyberattacks. Most of the commercials I have seen include worried businesspeople reacting with shock to what they see on their screens.2 There may have been a collective shrug about personal data theft on some mahogany rows, but ransomware got executives’ attention.
And, oh yes, there are commercials for artificial intelligence (AI). In general, so it seems to me, they say that one company’s AI is great, better than the rest, without much clarity about what it is great for. Security against (or for) AI does not seem to have yet entered the advertising mindspace.
Cyberattacks and Privacy
I do not believe that the general public is less concerned about privacy than it was only a few years ago. I understand why ransomware attacks would take priority. True, any attack that results in the theft of personally identifiable information (PII) is by definition a privacy breach. But if I were a corporate executive, I would be more concerned about ransomware than PII theft. These execs may receive a reprimand or even a fine from their governments for a data breach, but their companies could experience significant losses, maybe even go under, if their information systems are brought down for an extended period of time.
Clearly, information security executives (a.k.a. CISOs) have to deal foremost with cyberattacks today and maybe AI tomorrow. But that does not necessitate disregarding data privacy. Even if privacy is not the gravest issue that CISOs must address, it has not been solved (whatever that might mean). Privacy may not lead the security parade, but it has not been relegated to the reviewing stand either.
The Constituencies for Privacy
I suggest that the first step is to rally the internal constituencies for data privacy. One might be the legal function, but its concern is the avoidance of fines, which has not changed due to other priorities. Indeed, fines issued in European Union countries, subject to the best publicized privacy law, have been quite costly. The fact that there were 2,493 fines levied in 2024, with LinkedIn receiving the largest (€310 million), is viewed by some as a triumph.3 One source proclaims, “As of 2024, the cumulative total of GDPR fines is now getting close to €5 billion, underscoring the ongoing commitment to enforcing data protection regulations and the increasing financial consequences of non-compliance.”4 To my mind, the fact that companies that are making enormous profits while receiving large penalties is a sign that privacy laws are not working.
The most persuasive constituency for privacy should be the customers. It is their data that is being compromised, after all. But so far, customers have not risen in anger. They seem to be mollified with a sorrowful letter, “Your privacy is of the utmost importance, yada, yada, yada.”
So, who is going to pound the table for privacy? It seems to me that these people are the same who have stood up for information security in the past. This group differs from organization to organization, but CISOs know who they are. And if they do not know, they will not be CISOs for very long.
The Business Case for Privacy
Achieving data privacy costs money: to build safeguards, to monitor their effectiveness, and to deal with breaches should they occur. Moral obligations do not come cheap. Fortunately, a business case can be made for privacy, as must have been seen by those companies that tried to attract customers with ads touting their products’ privacy chops. Even if it is difficult to demonstrate that privacy pays for itself, there are quite a few tangible benefits to keeping personal information safe from prying eyes.
Privacy breaches result in the loss of customers. Or do they? Perhaps there is only a loss of customer satisfaction, but they stay loyal until and unless there are repeated incidents. Or maybe they just consider breaches to be so commonplace that they sigh and accept them.5 Perhaps the most that can be said is that there is evidence that customers may be lost due to a violation of the privacy of their data.
Even the skeptics agree that “data breaches cost firms millions of dollars and are often accompanied by reputational damage and sometimes fines.”6 And they have been shown to depress share values, at least in the short term and perhaps longer.7 Therefore, even if the figures are a bit questionable, they are substantial enough to support a business case for privacy.
Achieving data privacy costs money: to build safeguards, to monitor their effectiveness, and to deal with breaches should they occur. Moral obligations do not come cheap.My point is not that there is a business case for data privacy. Of course there is! Rather, I would like to stress that it is the role of information security professionals to make that case. Or, more pointedly, it is to assemble the advocates for privacy: the compliance function, lawyers, IT auditors, risk managers, and others. If there is a specific privacy office in any given organization, it should obviously have a major role. But the privacy officer pushing for privacy is like the coach cheering for the team: expected but less likely to influence others.
It is up to information security professionals to make sure that privacy is (still) on the organizational agenda. It should be a priority, included with and a part of the prevention of cyberattacks and securing artificial intelligence. Maybe we should make a TV commercial.
Endnotes
1 Perhaps the best known of these were those presented by Apple, stating that their products could prevent unauthorized disclosures. These were shown in 24 countries. Davies, C.; “Apple's New Privacy Commercial Puts Data Brokers on Notice,” Slashgear, 18 May 2022
2 One I like is from the AT&T telecommunications company. iSpot, “AT&T Business TV Spot, 'Next Level Network: Cyber Attack,'” 26 September 2023
3 The General Data Protection Regulation, or GDPR; GDPR Enforcement Tracker
4 Data Privacy Manager “20 biggest GDPR fines so far [2025],” 12 December 2024
5 There is a great deal of opinion on these matters, but not a lot of facts. Most of the relevant studies deal with data breaches, which often but not always involve PII. Some reports indicate that customers are lost. [Fie, S.; “What Happens to a Customer After a Data Breach?,” Security Boulevard, 13 January 2023] says that in the United States, “83% of consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach, and over a fifth (21%) of consumers claim they will never return to a business post-breach.” (Similar figures are given for other countries.) There is no indication whether they do move their business elsewhere. Others [Stewart, E.; “Companies Lose Your Data and Then Nothing Happens,” Vox, 21 April 2022] question whether anything actually happens.
6 Stewart; “Companies Lose Your Data”
7 Huang, K., Wang, X., et al.; “The Devastating Effects of a Cyber Breach,” Harvard Business Review, 4 May 2023
STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP
Is executive principal of Risk Masters International LLC. He has been writing one of the Journal’s most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.