
May 12, 2006 4:00 AM PDT

Perspective: Time to face the truth about data security

From a layman's perspective, all data breaches essentially mean the same thing: supposedly protected personal information gets left in the open. But behind the scenes, data breaches come in varying shapes and sizes.

At Bank of America, lost backup tapes led to a big breach, while password compromises figured in the one at LexisNexis. A lost laptop was the culprit at Fidelity Investments, and a hacker attack penetrated security at CardSystems.

With confidential data at stake, the worries are real. Customer credit card numbers may be created in a secure database, but pretty soon that data winds up all over the place--multiple applications, backup tapes, employee laptops, e-mail attachments and so on.

Ask a room full of IT professionals where their private data resides, and they'll burst into laughter. They have no idea.

The typical knee-jerk reaction is to blame the problem on the lack of adequate security technologies. For years, business executives just didn't know--or care--about IT risk management and information security. So they underinvested and now are left unprotected.

Most security professionals would passionately concur that security defenses are lacking, but that's only part of the story. Technology finger-pointing ignores the fact that many companies do a lousy job at monitoring, communicating and enforcing security policies and procedures.

Here's a real-world analogy. Every day I drive to my office on Route 495 in Massachusetts. There is a speed limit (65 mph) and traffic laws (pass on the left, do not cross multiple lanes at once, and so on), yet no one seems to comply. The police can't possibly catch all of the violations, so it is up to drivers to follow the rules. Some do, some have no idea that they are breaking the law, and most simply ignore the rules.

This is exactly where we are with confidential data security. Most organizations also have "rules of the road" but few proactively enforce the law.

The Enterprise Security Group, where I work, recently surveyed 227 North American-based security professionals who work at organizations with 1,000 employees or more. Respondents were asked to rate their organization on a number of policies and procedures related to confidential data security. More than half of these folks said that their organization was fair or poor at "classifying and tracking the movement of confidential data" and "communicating and training employees on confidential data security policies."

Forty-three percent said that their organization was fair or poor at monitoring and auditing confidential data security policies, while just over one-third claimed that their organization was either fair or poor at "implementing access controls for private data." I could go on and on, but you get the picture.

So that is where we stand. Private data resides on devices all over the enterprise, and IT has no idea where it is. People with access to this data have not received the appropriate training on data protection, and the security team does not have adequate tools to monitor or enforce user behavior. Is it any wonder why we have a problem?

Blaming security staff and IT managers is a copout. Executives haven't spent enough or integrated security into the corporate culture. Developers haven't been trained on secure coding. Human resources and legal staff don't understand technology vulnerabilities or security device limitations. CIOs have limited dollars and infinite tasks. Everyone is involved here.

It's time we faced facts. Confidential data security is a big, ugly problem that touches everyone and every system. You simply can't address this with the security widget du jour; rather, it will take a coordinated and complicated enterprise effort.

When it comes to confidential and private data security, the tired tech industry buzz phrase of "people, process and technology" is truly in play. Each of the three areas is badly broken and in dire need of repair.

Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

3 Comments
Nothing will change....
by Vetter83 May 12, 2006 5:52 AM PDT
until we (read: Federal Law) requires that companies that use, store, sell or handle any confidential consumer information are FULLY financially responsible for its security.... Things would change in a huge hurry if companies were liable for ALL expenses, costs and fees to repair anyone's credit, data, and security regardless of the circumstances or cost.
The ONLY thing I've seen that's been effective...
by ejevo May 12, 2006 6:09 AM PDT
The ONLY thing I've seen that's been effective in initiating change in areas of security is legislation that includes harsh penalties and specific levels of enforcement. HIPAA was a prime example, although there are now rumors that since the buzz has worn off, compliancy is beginning to wane.

In your traffic analogy, if the penalties were much harsher then fewer drivers would be willing to risk the consequences.

Make non-compliance hurt - really hurt - and you'll see companies start to toe a much better line. Otherwise companies just can't justify the expenditures necessary to put themselves in a better defensive position.
Security Just Ain't...
by wbenton May 13, 2006 8:33 AM PDT
It's generally safe to consider that data security "Just plain Ain't" until such can be proven otherwise.

And even if it can be proven otherwise... it's only a matter of time before that otherwise can be proven inefficient.

Walt