Posted by: David Scott
business management, data breach, data privacy, identity breach, identity theft, IT security, IT Wars, organizational security, the business-technology weave
You say To-MAY-to, I say To-MAH-to… one thing’s for certain: When it comes to organizational security we cannot call the whole thing off. Today, any business that has a single computer has an interwoven Business-IT security challenge.
I was speaking with a colleague who works in Washington, DC last evening. We were talking about the interwoven (mutually reinforcing, mutually vulnerable) security means, methods and practices in the business-technology realm – the Weave.
Amazingly, his Fortune 500® company deals with clients who mount discussions and attempt whole solutions with virtually NO security considerations. None, that is, until the client is brought back on balance by my friend’s company’s project managers and allied teams. Unfortunately, there are other solutions providers in the mix and often his company has to deal with security considerations across a broad range of other “solutions,” associated providers, and competing lines of authority.
Consider this: Almost any discipline in the physical world considers security up front. Adding a room to your house? The strength of the materials necessary has long been established – but beyond that, you or your contractor will consider how the room attaches to the existing structure; the floor will be sound, as will the walls, extended roof… etc. Adding a deck? The first consideration?…
The size, number and strength of the supports holding the deck up. The size of the deck will yield the potential capacity of people, therefore pointing to the size, strength and number of the supports. You are securing the safety of the people who will be standing on that deck – before you even start to build.
In any circumstance, there must be a virtual “security prism” through which every activity and construct is viewed. The same goes for today’s IT-Business solutions: Security must be Job One. And yet, security lags and is often a sidebar consideration – or overlooked entirely.
It’s not difficult to find a great example – one that potentially touches us all. According to a study by the Ponemon Institute (sponsored by Compuware), most banks are lacking critical data, privacy and security controls. I picked banking because that should hit home – we likely all have bank accounts, with some measure of money and personal data associated with them, and we’d like to think those things are protected and secure! But…
Even though the survey found that 76% of organizations have a data protection plan, only 47% of those same organizations review new software apps and databases for privacy concerns and compliance with the law prior to placing them in operation. If that were the case 30, 20, maybe even 10 years ago, that would be one thing. Today, it is stunning.
The survey also found that over 83% of financial service companies use live information, such as customer and employee data, for developing and testing. More than half of these companies admit a lack of appropriate protections for real data in these circumstances.
What about vetting business partners when sending data to third parties regarding customers, employees and others? Only 49% review these partners – and the same percentage lack even a standard contract for ensuring privacy protections of that data.
In the agencies I counsel and contract with, I hammer home the points:
1) Everyone in the organization must be a mini-Security Officer, and –
2) They must view every action, project, implementation, business and IT change, through a virtual Security Prism.
Tomorrow: What I uncovered at a State agency concerning personal privacy and data (the State and agency will have to remain nameless, but just wait until you hear this…)