
Enterprise Data
Security and Privacy Postures

by The Piiano Team

About the Report

The privacy landscape is changing fast. Data breaches continue to rise in tandem with the amount of private customer data service providers collect and store–resulting in higher risks of sensitive data leaks.

In an effort to increase transparency around enterprise perception of privacy and preparedness against sensitive data leaks, Piiano issued a survey to better understand current enterprise privacy postures, challenges and goals from a wide spectrum of enterprise job titles related to security, privacy and compliance. 

We believe that this survey and our findings also serve public interest. Consumer concerns over privacy are growing, and those charged with meeting them should have clear and up-to-date metrics by which to measure their current postures and base their decision-making. As such, we hope that this report is both interesting and informative to all readers.

Executive Summary

Today’s privacy best practice demands that sensitive data receive special treatment–especially Personally Identifiable Information (PII). Enterprises appear to recognize this, given that 76% of surveyed companies treat sensitive data differently, and 46% highly prioritize PII protection.

Nonetheless, only 24% of security and privacy leaders appear satisfied with their current protection of customer data, and over 72% suffer from insufficient visibility into where they store PII. Nearly the same share (69%) believe that improved visibility is a critical first step in bolstering overall privacy posture.

Most companies recognize the utility of introducing privacy and data security early into their supply chain and workflows–requiring the help and expertise of developers to “shift” the responsibilities for these risks left. However, carrying this out properly requires developers to build entirely new infrastructure for their organizations, which relies on a high degree of specialization and takes years to complete. Because such efforts are both time- and resource-intensive, most enterprises cannot dedicate their talent and budgets to them. Moreover, companies experience poor internal enforcement around privacy compliance. Most developers currently view privacy implementation as a “nice to have” rather than a “need to have”, only handling privacy-related tasks when there is an explicit business request to do so.

These findings underscore the importance of making privacy and security engineering more accessible to enterprises by equipping developers with better tools and accelerated processes to harden their privacy postures.


Our Findings at a Glance

24% of participating companies are satisfied with how they currently protect customer data. Many acutely feel the absence of privacy tools currently available in the market.

48% perceive privacy as a business differentiator, though it is still not treated as a standalone priority within company operations; 80% only handle privacy-related tasks when they are associated with explicit business needs or requests.

76% protect PII differently from non-PII data. However, 54% do not treat PII protection as a high priority, despite this being an essential best practice. It is possible that this is why, despite companies holding their approaches to privacy in high regard, we still see a growing number of sensitive data leaks.

48% employ privacy engineers and 85% provide developers with privacy-oriented training.

72% do not have high visibility into where they store PII, and discovery ranks as the most sought-after feature in privacy solutions.

Introduction

Today, sensitive data leaks have become so commonplace that an individual’s social security number can cost as little as $1 USD on the black market. Despite the low prices, data breaches remain a lucrative and attractive activity for cybercriminals, as the cost of conducting such attacks remains low. Conversely, the overhead of keeping data secure has skyrocketed–as have the financial and reputational penalties imposed on those who fail to defend against sensitive data leaks.
Enterprises are growing increasingly concerned by these trends and are responding accordingly. A recent Gartner report projects that enterprises will increase Data Privacy and Data Security spending in 2023 by 16.9% and 14.2%, respectively. It is worth noting that the budgets already allocated to these domains exceed $5B in total. Intent on discovering how these numbers translate into practical outcomes, the Piiano team set out to understand where enterprise privacy postures currently stand and how the professionals dedicated to both privacy and security intend to improve them.
We prepared an extensive questionnaire completed by security and privacy leaders from a wide spectrum of industry types. Respondents included CISOs (48%), DPOs (8%), VPs of Engineering (3%) and CTOs (3%). The other 35% consisted of Product Security Owners, Directors of Platform Security, Security Leaders, Privacy Managers, Heads of Security Architecture, VPs of Information Security and Privacy, VPs of Product Security, BISOs and Chief Security & Privacy Officers. The majority (48%) of respondents hailed from B2B companies, while others included B2C (28%) and B2B2C (19%). 60% of participating companies employ more than 1000 people.

Enterprise Perception of Privacy

Satisfaction with Data Security Postures
We began our survey by asking respondents how satisfied they felt with their own data security postures, beginning with customer data protection. On a 7-point scale, an overwhelming majority (71%) fell into the “somewhat satisfied” range (answered 3, 4, or 5 out of 7), conceding that more effort is required to properly protect the sensitive data they store. However, it is worth noting the current market scarcity of tools to aid in privacy-related tasks.

Confidence in Compliance with Privacy Regulations

In a similar vein, we received nearly equivalent responses when we asked about their organization’s compliance with privacy regulations. 58% of respondents indicated that they only feel somewhat confident in it (answered 3, 4, or 5 out of 7), though the number that felt fully confident was much higher, at 38% (answered 6 or 7 out of 7).
When analyzing the distribution of responses across participating companies, we found that B2C (75%) made up the largest portion of those with high confidence–as opposed to B2B’s 55%. We do not find this surprising, as the onus is much more clearly placed on B2C companies to both familiarize themselves with and honor regulations. It is important to note that regulations continue to evolve–meaning that these B2C companies also feel confident in their capacity to follow and translate any changes to policy on an ongoing basis.
Data breaches rose by 37% between the second and third quarters of 2022. As sensitive data leaks resulting from these breaches continue to rise, we must acknowledge the disconnect between company confidence in their compliance and the true number of exposed records. It is possible that this confidence is misplaced.

Is Privacy a Business Differentiator?

We also asked respondents how important they believed good privacy posture was for business differentiation. Nearly half (48%) answered in the affirmative–a number we expect to grow as consumer consciousness over privacy matters also grows. Currently, privacy lags behind the security sector’s maturity. This is reflected in both overall awareness and the number of available privacy vendors in the market. However, as more companies embed privacy into their messaging, we can already see the tides begin to shift. Once again, B2C companies formed the majority (75%) of respondents who placed more emphasis on privacy’s importance. This is hardly unexpected, given that they work directly with customers who would feel sensitive data leaks most acutely.

Current Practice

Treatment of PII

PII-Specific Protection

We carried on our research by asking respondents to share their current privacy practices, taking care to analyze how they stood against the data accumulated on their perception of privacy. Our first question determined whether or not respondents protected PII differently from non-sensitive information. Though a basic tenet of data privacy best practice, we were curious to see how this was actually realized by enterprises today. Given that companies now collect an overwhelming amount of data, it is impossible to afford data privacy the attention it requires as a discipline if the same treatment is given to all data equally.
76% of the respondents said that PII does receive special treatment, while 18% admitted to not providing PII with any special protection at all. Once again, B2C companies (83%) represented the most significant proportion that do, though B2B (76%) and B2B2C (67%) companies did not trail too far behind. It is worth noting that, at this point in the survey, we did not clarify what type of special protection might be employed.
Utilization and Privacy Assessments of Third-Party APIs Storing PII
We also asked if participating companies utilize third-party APIs to store sensitive information, following up with how extensively they vet third parties with privacy assessments before engaging with them. Both are important indicators of PII footprints, with the latter representing a baseline best practice for good security posture. Of the 34% of respondents who do store sensitive customer data with third parties, the majority (85%) expressly carry out such assessments. However, 17% of respondents did not know whether third parties store their information–a worrisome figure, as sensitive data protection isn’t possible without accounting for all of it.
Prioritization
Prioritizing Risk Mitigation Strategies for Storing Sensitive Data
Given the complexity of PII protection, especially for large organizations, we wished to learn how companies currently manage it. We were particularly interested in understanding whether companies treat the discipline as a high priority. If not, there is a high chance that privacy-related tasks remain bottlenecked while companies focus on more pressing matters on their “to-do” lists. Most companies (54%) indicated that they do not treat PII protection as a high priority. B2C companies were the most likely to prioritize it (47%), followed by B2B (39%).
Which Customer PII is Most Important to Protect?
Expanding on our question of whether PII receives special attention, we next asked what types of PII were most important for our respondents to protect. 53% shared that they assign the same importance to all PII. Among those that ranked PII types differently, financial information, such as bank account and credit card numbers, topped the list at 26%. Personal identifiers (26%), such as name, location, email, phone number and date of birth, followed. Next came all other government-issued information (16%), Protected Health Information (12%) and digital information (12%). Biometric information, personal preferences and “other” occupied the bottom of the list.

* Respondents could select multiple answers (note that not every company collects all PII types).

Though privacy regulations treat all PII equally, and all PII requires protection, prioritization is necessary in actual practice. This is true for any security-related task, as the outcomes of some leaks are more detrimental than others and most companies do not have the resources to address everything at once. Thus, it is more critical to protect information like social security numbers over marital status or religion. Of course, this is entirely dependent on what kind of information companies collect on their customers.
Privacy Specialization
Employment of Privacy Engineers
We also investigated whether the responding organizations employed privacy engineers. 52% answered in the negative, and most of those hailed from either B2B or B2B2C companies. By contrast, 65% of B2C companies employ privacy engineers. The employment of privacy engineers is an important indicator of both good privacy posture and privacy posture maturity.

Privacy Training for Developers

Moving on, we asked respondents if developers in their organization must undergo any type of privacy-oriented training. 85% of the companies answered that some, or all, developers do. This number is very high, generating initial optimism around the future of improved privacy postures through efforts like privacy-by-design. However, it is important to note that this can only be realized if enough time and resources are allocated to actually put such training into practice. As we will see further in the report, this is not the case.

Privacy Tools
Privacy Tool Usage

Finally, we addressed the matter of privacy tooling, and asked our respondents if they used any. As previously noted, the privacy market is still nascent, and the majority of tools are only beginning to emerge. Most focus on PII discovery, some on removing identifiers when working with analytics tools, and a small number are dedicated to improving access control to PII and hardening PII security.
38% of respondents answered that they are already using privacy tools, while 7% answered that their company is not currently interested in any. 21% indicated that they are currently in the process of replacing their existing tools. This represents a healthy trend of early adopters seeking to mature their privacy postures. Unsurprisingly, B2C companies were far more likely to employ privacy tooling, further supporting that these kinds of companies are most aware and proactive around the need for improved privacy postures.

Criteria for Selecting a Privacy Tool

Curious as to the decision-making surrounding the purchase of privacy tools, we asked respondents to share what they felt would make a privacy tool most useful. The most important criteria focused on how well they mesh with existing tech stacks, as well as reporting capabilities. Respondents also highly valued compliance-related features, PII Discovery, and PII security–underlining the growing acknowledgment of PII’s need for special treatment. Interestingly, only 21% were sensitive to whether their company PII would be stored by a solution (SaaS). We were also interested to learn that only 2% of respondents saw direct value in open-source solutions.

Challenges

Visibility
Visibility Into Where Customer PII is Stored

Given our role as a privacy solution vendor, we are naturally curious to learn as much as we can about enterprise privacy posture challenges. We asked respondents how they would rate their visibility into where customer PII is stored, and the majority (68%) responded with average, at best (answered 3, 4, or 5 out of 7). Visibility is a critical baseline requirement for good security postures. Partial visibility is a critical indicator of an underdeveloped privacy program, as it means that companies do not have a sufficient handle on risk or on fulfilling compliance requests. In this particular area of difficulty, both B2B and B2C companies gave themselves the same rating.

The Need to Achieve Full Visibility into PII Footprints

We next asked what full visibility into their organization’s PII footprint might help achieve. 69% believe that improved visibility is critical for hardening the security of sensitive data, echoing the long-standing security truth that you cannot protect what you cannot see. 45% wish they had better visibility in order to carry out right-to-be-forgotten (RTBF) and data subject access requests (DSARs). Naturally, compliance with these GDPR requirements cannot happen without being able to locate customer data. Nearly the same share (43%) are also interested in other, additional privacy compliance needs–namely better cross-organizational collaboration on privacy initiatives.

Developer Buy-In

Developers are now recognized as a critical part of the security pipeline, and this belief is bleeding into the privacy realm, too. Given that they build the environments enterprises rely on, the prevailing theory is that developers can introduce the necessary policies directly into their frameworks and infrastructure. When done correctly, this can directly reduce risk by creating privacy-oriented workflows and cultures. However, due to limited headcount, time and resources, actualizing this theory is still a major challenge for most organizations. There are a number of reasons why privacy-related tasks may not appeal to developers. First, privacy regulations are relatively new, and the urgency around them is usually only felt after a breach takes place. Second, there is poor enforcement around privacy compliance. As far as hierarchical perceptions are concerned, privacy implementation is ultimately viewed as a “nice to have” rather than a “need to have”. When directly asked, we discovered that 80% of companies will not handle privacy-related tasks unless there is an explicit business request to do so.

Future Goals

The Need for Additional Privacy Tools

Intent on understanding what our respondents wish to achieve for their privacy postures in the future, we asked what they have planned. Most companies are looking to expand their programs and are even considering building privacy solutions themselves.

Building vs. Buying a Privacy Solution

Most companies will consider building privacy solutions themselves. 58% will either compare privacy solutions by vendors to their planned DIY solution, or have already decided to build it themselves (12%).
17% of B2B companies indicated that they would build privacy solutions themselves, as opposed to only 7% of B2C companies. This was a very interesting contrast for us. We believe that B2C companies–who, throughout the survey, have demonstrated a feeling of greater stakes in privacy posture–are more familiar with the inherent complexities and major scope of self-building privacy. Such projects not only require an extraordinary amount of specialized knowledge and expertise but also take years and many resources to complete.

Required Privacy Tools

When asked what type of privacy tools they were searching for, 55% responded with PII discovery tools. This underscores the nascency of privacy programs, given that discovery is the first step to improving privacy posture. However, the complexity of carrying out PII discovery often forms a barrier to progress, especially for large and mature organizations with a large number of assets and moving parts. 34% are searching for data masking solutions–a set of tools usually intended to minimize data risk by minimizing the data exposed to BI teams. 25% are looking for a tokenization tool. Tokenization is a growing necessity for privacy compliance and a necessary tool for hiding sensitive information. In the tokenization process, a PII value is replaced with a token that serves as a pointer to the original data, which is kept elsewhere (e.g., within a data privacy vault).

* Respondents could select multiple answers
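The tokenization and masking flow described above, as an added illustration that is not code from the Piiano report or product: a minimal in-memory vault that hands applications opaque tokens, releases raw values only to an allowed purpose, gives analytics consumers a masked view, and supports RTBF deletion. All names, purposes and the sample customer record are constructed for this example.

```python
import re
import secrets


def mask_email(email):
    """Reveal the first character of the local part and the full domain."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def mask_card(pan):
    """Keep only the last four digits, which is all a BI team normally needs."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


MASKERS = {"email": mask_email, "card": mask_card}


class PrivacyVault:
    """The only place raw PII lives; every other system holds tokens."""

    def __init__(self):
        self._records = {}  # token -> (kind, raw value, purposes allowed raw access)

    def tokenize(self, kind, pii, purposes):
        # A random token is a pointer into the vault, not a transform of the
        # value, so a breached database full of tokens reveals no PII.
        token = "tok_" + secrets.token_urlsafe(16)
        self._records[token] = (kind, pii, frozenset(purposes))
        return token

    def reveal(self, token, purpose):
        # Access control is enforced at this single choke point, per purpose.
        if token not in self._records:
            raise KeyError("unknown or deleted token")
        kind, pii, allowed = self._records[token]
        if purpose in allowed:
            return pii
        if purpose == "analytics":  # BI consumers only ever get a masked view
            return MASKERS[kind](pii)
        raise PermissionError(f"purpose {purpose!r} may not read this field")

    def forget(self, token):
        # RTBF: deleting the vault record orphans every copy of the token
        # still sitting in application databases, logs or backups.
        self._records.pop(token, None)


# Constructed sample input; 4111... is a well-known test card number.
CUSTOMER = {"customer_id": "c-1001", "email": "alice@example.com",
            "card": "4111 1111 1111 1111"}


def onboard_customer(vault, record):
    """Return the record the application stores: tokens instead of PII."""
    return {
        "customer_id": record["customer_id"],
        "email": vault.tokenize("email", record["email"], {"support", "billing"}),
        "card": vault.tokenize("card", record["card"], {"billing"}),
    }


def analytics_view(vault, stored):
    """What a dashboard sees: masked values resolved through the vault."""
    return {k: (vault.reveal(v, "analytics") if k != "customer_id" else v)
            for k, v in stored.items()}
```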

Final Insights

Data breaches continue to occur on a daily basis despite the relatively high confidence that companies hold in their security postures. Were it possible, it would be fascinating to review our survey findings after aggregating enterprise privacy audit results to see how actual enterprise privacy postures compare with their perception of them.
Nonetheless, enterprises appear increasingly aware of the need to mature their security postures–and are open to future initiatives to improve it. B2C companies are the type of company most sensitive to the growing importance of privacy among consumer bases; this is reflected in both the initiatives they are already undertaking and their recognition, likely through experience, of the true difficulties involved in building a meaningful privacy program.
In the meantime, enterprises are on the right track to improving their security postures. As best practice dictates, most are giving sensitive data the special treatment it requires and a sizable number prioritize PII protection. They further recognize that developers can be a helpful part of the process–though not to the extent of dedicating actual resources and structures to help them succeed.

Though stances are mixed on the notion of adopting external tools for better privacy, we believe that this underscores the privacy realm’s immaturity rather than any lack of real urgency in governing the massive amounts of consumer data enterprises collect today. We are confident in our prediction that this urgency will be more strongly felt in the coming quarter, both because of the rising cybercrime rates that typically accompany recessions and because of the privacy field’s maturation.

Key Takeaways for Hardening Security Posture

The first step towards hardening PII protection is visibility. It is critical to identify which types of PII are collected before moving on to gradually implementing protections for them. Given that it is impossible to address all PII at once, it is best to prioritize and begin with those that have a higher potential for damage, such as SSN, credit card number, and bank account.
The market is mostly void of solutions that provide these services, and the majority of enterprises do not have the necessary resources to build proprietary solutions on their own. Moreover, even those that do risk building solutions that fail to scale, perform and remain resilient, given the vast and constantly changing nature of enterprise environments. In truth, it is best to introduce privacy at the software level rather than as an afterthought. Just as with all other security efforts to shift risk left, privacy is best handled by beginning with code.
Thank you
We would like to thank everyone who helped make this report possible, especially the participants that took the time from their busy schedules to fill out our extensive survey. We truly value your insight, as well as your expertise and efforts to keep sensitive data safe.
We would also like to thank YL Ventures for their help in preparing and distributing the survey, as well as their help in preparing this report.
Finally, we would like to thank you, the reader, for your interest and time.

About Piiano

Piiano provides developer infrastructure to protect customers’ sensitive data and ensure their privacy–even in the event of a breach. Safely use and store sensitive data in our Vault and leverage our Scanner to quickly identify PII usages across source code for full visibility into your privacy issues. With Piiano’s building blocks, engineers and security leaders can save time, effort and resources while achieving secure and compliant applications.