Businesses must overhaul “outdated” recruitment mindset to tackle dearth of privacy expertise

The vast majority of businesses have reported a lack of skilled privacy personnel despite 87% reporting they offer privacy awareness training to employees.

Issues surrounding recruitment were cited as the main reasons why businesses are struggling to implement adequate privacy measures across various departments.

Currently, businesses are trying to hire candidates with specific privacy training when the focus should instead be on hiring capable people with the potential and willingness to be upskilled into privacy experts, leaders at IT professional association ISACA said.

This "outdated" approach to recruitment is leading to job vacancies regularly going unfilled for six months or more, ISACA's latest research has revealed, highlighting the need to address a growing privacy skills gap in the industry.

"Instead, organisations need to lean on reskilling people in non-privacy roles, using contract employees and focusing on individuals with the right soft skills to reduce the privacy skills gap," said Tony Hughes, member of ISACA's emerging trends working group.

“For approximately one-fifth of respondent enterprises, less than one-quarter of privacy-position applicants were well-qualified for the positions to which they applied,” the association said. Companies used experience as the primary metric to determine an applicant’s qualifications.

What are the most common privacy failures in an organisation?

Businesses reported a range of different privacy failings within their organisation, chief among which were employees not taking training opportunities - an issue affecting 49% of those surveyed, despite 87% saying their organisation offers courses.

A large proportion of organisations (42%) also reported that their systems were failing to abide by privacy by design protocols. Privacy by design is a methodology which applies to software and other products so they're produced in a way that ensures every stage of the development lifecycle accounts for privacy-protection measures.

Systems should also identify and minimise risk to data subjects throughout this process. Only 30% of respondents said that their organisations always practise privacy by design, while an additional 30% said they do it frequently.

The report found that organisations that always practise privacy by design are more likely than others to separate privacy training from security training. Survey respondents at these organisations are also 1.5x more likely to be completely or somewhat confident in their company’s ability to ensure the privacy of its sensitive data, as well as to rely on AI or automation.

Other privacy failings included data breaches, which 42% of respondents admitted to suffering. Not performing risk analyses was also on the list, as was poor or nonexistent detection of personal information throughout the business.

In the past 12 months, 11% said their enterprise had experienced a material privacy breach, which is only 1% higher than the previous year. Additionally, 64% of respondents said their organisation didn’t experience a single privacy breach, 17% said they didn’t know, and 9% didn’t answer.

Recruitment issues broken down

76% of respondents said that expert-level privacy roles were the hardest to recruit for, followed by practitioner knowledge level at 51%, and entry-level/foundational knowledge level at 12%.

For legal/compliance privacy positions, 26% of respondents said it takes three to six months to fill a role; an almost equal proportion (25%) said the same timescale applied to technical privacy positions.

More than 10% reported positions taking longer than six months to fill across technical and legal/compliance roles. Most respondents said the reported recruitment timeframes have stagnated over the past year, showing little change or improvement.


Understaffing was also a common issue plaguing businesses. ISACA’s report found that 53% of technical privacy teams are somewhat or significantly understaffed, with 44% of respondents stating the same for their legal/compliance privacy teams.

The understaffing problem in technical privacy teams was evident in the previous year's report as well, ISACA said, but it has improved this year, which could be because businesses are prioritising privacy more, or have increased their privacy budgets. Last year, 35% of respondents expected their budget to increase the following year.

“Heightened privacy skills demand is good news for candidates with privacy technology knowledge but also bad news for businesses that are struggling to close the privacy skills gap,” said Chris Dimitriadis, global chief strategy officer at ISACA.

“As our new research highlights, businesses need to consider changing their training programmes and adopt privacy by design to limit the number of privacy breaches, build digital trust, and set the business up for long-term success.”

Zach Marzouk
