From the course: Privacy Strategies for Business Leaders

The need for metrics

- [Instructor] Privacy and security leaders are often deemed to be alarmists when they warn about gaps looking forward, but they're also accused of being careless if they fail to cover all the gaps when people look back. Competence, unfortunately, is taken for granted, since it is hard to prove a counterfactual, as in, things that would have gone wrong if not for the privacy program. Your job as an executive is to not allow effectiveness to become an argument against necessity. So you need to look for some qualitative indicators before the hard numbers start showing up. Some of those are, in my experience: At what point do you have so much data that protecting it becomes prohibitively expensive? What do you do when your ability to delete data at scale is dwarfed by your data collection, for example? When is the inflection point where you stop discovering data that ingenious engineers have tucked away? What does privacy do to help data quality; is there a common cause to be made with data science teams? These qualitative metrics will help you assess direction. That is, are you starting to move in the right direction? These metrics are critical not just for privacy, but organizational maturity as well, which is why they are critical for executive leaders. All of this being said, you will need to measure privacy success with hard metrics as well, which is coming up in the next slide. Now, these hard numbers will vary by company, but some of these will overlap no matter the size of your company or what stage of growth you're in. Some of them are: percentage of data discovered, classified, and measured for risk, percentage of data covered by access management, or percentage of data protected by security. The rest of these are fairly intuitive, but you will want to make sure that you are looking at data through the vernier of hard and soft metrics in order to assess the impact of your privacy program.
