Four Questions to Start the Security Discussion

August 5, 2011
Filed under: Digital Breach Newswire 

Article Author: Brian McGinley

Intelligent businesses walk the security journey every day, whether management models security-smart behavior in the office or IT stays abreast of the latest technology developments.

But for newcomers those first steps can feel like major leaps, especially if it involves getting coworkers, employees and executive management on the path.

Discussion prompts action, and I’ve found over my years in corporate management and data security that these four simple questions can often get the ball rolling:

1. When it comes to the protection of your confidential company information, the information entrusted to you by your customers, clients and employees, do you have it right? What about the company’s own sensitive information: financial data, strategic plans and intellectual property?

Having it right isn’t as easy as it sounds. There are administrative, operational and systemic considerations. Is the information really protected as it is collected and/or acquired; as it is transmitted; as it is used; and as it is stored?

And do your employees handle it with a sense of its importance, understanding the threats, the vulnerabilities and the consequences of its loss?

That is to say, are there documented policies and procedures for the collection, retention, use and disposal of that information, backed by appropriate awareness communications, training and management reinforcement?

2. Are you confident that you, your management team and your IT shop understand the complexities and interrelationships of the legal, regulatory, operational and systemic requirements for protecting sensitive data?

Questions of legality and compliance compound if your business handles Personally Identifiable Information (PII), Protected Health Information (PHI), payment card data governed by the Payment Card Industry Data Security Standard (PCI DSS), or other sensitive or classified data.

An important follow-up question: has your team responded to the threats against these kinds of data with appropriate protection measures?

3. If your company’s financial system or bank access credentials were compromised and funds were stolen from your accounts, would your bank immediately repay those funds? Would the loss be covered by the insurance you currently have in effect?

These answers might not be as straightforward as you think. Bank policies and insurance policies vary greatly when it comes to commercial financial fraud and data breach. In the United States, for example, the reimbursement protections consumers enjoy for unauthorized electronic transfers under Regulation E do not extend to business accounts; losses on commercial funds transfers are instead allocated under UCC Article 4A, which turns largely on whether the bank’s security procedures were commercially reasonable and were followed. Find out what your account agreements and policies actually say before an incident, not after.

4. If your company’s confidential information were compromised by a data breach tomorrow, would you know what to do? Do you have the appropriate plans and resources in place to respond effectively? If so, has the plan been vetted and tested?

Prevention and response, ultimately, are the name of this game. By looking hard at these four questions you’ll be able to realistically gauge where you are, and where you need to go, on the journey that is sound data security.

Story reprinted from Infosec Island

Brian McGinley is Senior Vice President of Data Risk Management at Identity Theft 911. With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.

Data Governance threatens corporate reputation

May 21, 2011
Filed under: Digital Breach Newswire 

Article Authors: Vasant Dhar and Arun Sundararajan

Over the last two decades, the primary contribution of information technologies in firms has been about efficiency and enablement: to improve processes, make people more productive, reduce time to market, or enable things that couldn’t be done previously. The focus has been on costs and payoffs. This decade is witnessing a new challenge: data. There is suddenly too much of it, and while firms rush to mine it, they do so without adequate regard for the risks in keeping and using it.

Hardly a week goes by without yet another major breach or scandal involving data. The past month has been particularly bad. TomTom sold location data to law enforcement without asking its customers, Apple has been gathering location and usage data on its devices, while Epsilon and Sony were hacked, with sensitive data on hundreds of millions of individuals stolen. Despite reassurances from these companies, it is hard to be certain whether and when this data will be misused. More importantly, the reputations of these companies have been badly damaged.

Are these incidents any different in terms of potential impacts on franchises from product recalls due to defects in industrial products? Not really. And perhaps some companies are beginning to realize this. Indeed, one major positive development from the Sony fallout has been the company’s creation of a Chief Information Security Officer (CISO) position. This is a laudable step that others should follow. But it doesn’t go far enough in acknowledging the real problem.

Sony and many other firms view the security and use of data as a technical problem. But in fact, the governance of data is a management problem. The lapses we are seeing are not technical ones, but failures in management. Where data is the lifeblood of commercial activity, its management in many industries must reside in the C-suite, not in the trenches.

Lapses in data governance in data-dependent industries are no different than product defects in the physical world. The reason is simple. Increasingly, it is information itself that is the product, with technology being the critical conduit for its exchange. Many industries that touch our lives on an everyday basis involve information products. If one considers the firms that we deal with every day, such as Google, Facebook, banks, media, and telecommunication companies, their products are information-based. Even when there is a physical product, digital interaction with consumers transforms part of the consumer experience into one that is information-based. Information products have different properties than traditional physical products and are subject to different economics and risks. Furthermore, the growing volume of data created as a by-product of this digital interaction brings with it significant benefits as well as risks.

CEOs who are insulated from technology have largely failed to grasp the implications of this shift in the role of information technology from enabler to product and still expect their technologists to deal with all aspects of data. This is a mistake. They must partner actively with their CIOs in assessing the importance of data to their product or service and the franchise to avoid the reputational risks from the lack of effective data governance.

Isn’t It Time CEOs Were Held Accountable For Technology?

When an automobile has a defect, it involves the CEO. If a brake or gas pedal is defective or a tire substandard, the CEO steps in immediately to manage the fallout and address customers directly. The same must be true for data breaches and misuse. The Sony data breach was an important milestone in that its chief apologized, albeit somewhat late, for a defect in an information-based product. While Sony appointed a dedicated CISO to deal with data security, it didn’t go far enough in acknowledging that this is a management problem, not a technical one.

We believe that firms need to give the same level of importance to their firm’s data governance policies as they do to their company’s products, financial reporting practices, or brand equity management. Viewing data privacy management through the lens of network management or potential liability is too narrow. This isn’t a legal, technological or compliance issue. Rather, it’s an executive matter, one made more critical by the continual increase of data and the corresponding increase of risk in cyberspace. As devices become more powerful, providing more and richer electronic touch points to human activity, the scope of available electronic information explodes, and the associated risks to handling these data also grow exponentially. Companies actively collect and mine this data and even sell it without considering the risks, as the recent Apple, TomTom and Epsilon incidents reveal.

These developments strengthen the case for the CIO being a full-fledged member of the C-suite and embracing the new role of managing their firm’s data with a more holistic and strategic approach. CIOs should partner with their CEOs in putting in place a coherent and transparent policy that defines the frequent and deliberate choices about what data to acquire, keep, use and share. A first question that such a policy might answer is: Do we keep too much data? Our research (in conjunction with NYU research scientist Jessy Hsieh) suggests that the answer to this question is generally “yes.”

The less data you keep, the less you need to worry about keeping it secure. Next, it is essential to have a clear idea about the use of the data you keep, and specifically, to assess whether this use is congruent with the customers’ intent when they provided it to your firm. We have developed a framework that provides executives with a roadmap for answering these questions, the details of which are available in our working paper titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” available from the Center for Digital Economy Research at the NYU Stern School of Business.

It took a global financial crisis to get the public to pay attention to systemic financial risk. There is equivalent and growing systemic risk in cyberspace. We hope it does not take a massive data breach at an Apple, Google or Facebook to make data governance a top executive priority. Because once that data is out there, it’s out there for good, and there’s no taking it back.

Story reprinted from Computerworld

Vasant Dhar is the Daniel P. Paduano Fellow and Professor at NYU’s Stern School of Business, and Director of Stern’s Center for Digital Economy Research. Arun Sundararajan is the NEC Faculty Fellow and Associate Professor at NYU’s Stern School of Business, and a Distinguished Academic Fellow at the Indian School of Business for 2010-12. Vasant and Arun conduct research about how information technology transforms markets and corporate strategy, with expertise in privacy, business intelligence and digital business models.