Security divide

When PricewaterhouseCoopers surveyed executives last year, asking them, among other things, what the primary driver of corporate information security was, you might have expected a range of answers. But there were only two. CEOs, CFOs and CIOs all said business continuity. Chief information security officers (CISOs), on the other hand, answered compliance.

Getting only two answers split so neatly is surprising, and perhaps concerning. Having the CEO, CFO and CIO not consider compliance an issue that so many executives cite as a perpetually tormenting thorn in their side, while CISOs focus on nothing else but compliance, is downright weird. The results point to a problem that many who look at both compliance and security have seen many times. A large number of corporations continue to treat the two as fragmented concerns. Because of this, businesses actually risk the integrity of their information and the quality of their compliance – not just from some gang of technology thieves – but from disgruntled employees, bad practices leading to accidental release of private information or something as simple as a wrong keystroke in an application.

To understand the situation requires a full grasp of the relationship a corporation has with information security. ‘We are at a nascent stage of thinking about data security,’ says Lisa Sotto, partner and head of the privacy and information management practice at Hunton & Williams. ‘The corporate world generally understands that there is some level of risk and there is some amorphous compliance issue with respect to data security, but it hasn’t really gotten its arms around it yet in a holistic way.’

Many companies see data security primarily in terms of keeping criminal hackers from accessing their systems or information. There are good reasons for this focus with inadvertent loss of data (or devices carrying data) and deliberate breaches occurring almost every day. A quick look at some statistics highlights the extent of the problem. For example, the Ponemon Institute, through work sponsored by Dell, surveyed 106 airports and 800 business travelers. It found that up to 12,000 laptops are lost at US airports each week, with 65 percent to 70 percent never being recovered. About 65 percent of those who were carrying confidential information had not taken steps to protect it and 42 percent of respondents said that they did not back up their data. Looking at the problem of spyware and other invasive software, the ‘2008 virtual criminology report’ from the security vendor McAfee revealed that the recent growth in the number of potentially unwanted software on computers is enormous.

Missing the bigger picture
Despite the breadth of these problems it is really only a small part of the picture, because it assumes that the only concern a corporation need have is data theft by criminals. But data security must be far broader in scope. ‘I think our people have always looked at [security] as part of compliance,’ says Craig Nordlund, senior vice president, general counsel and secretary of precision measurement vendor Agilent Technologies. ‘There is sensitive information that if released can create a problem. As a government contractor, there are some security requirements imposed by the government. I know for a fact that Sarbanes-Oxley does look at the security and integrity of the data streams. But there is the business continuity aspect as well. Both are legitimate reasons. I don’t think of them separately. Security is a way of protecting company assets.’

The SOX connection is, of course, a challenge for any publicly listed company, but many other regulations need to be taken into consideration. Any company engaged in government contracting is faced with an extra level of data security compliance. But government contracts are far from the only area that attract supplemental compliance requirements. Pick any other – finance, healthcare, pharmaceuticals, public utilities – and statutes spell out specific data security requirements. For example, Kroll Fraud Solutions conducted a study with HIMSS Analytics on the security of patient data in 2008. Kroll Fraud Solutions COO Brian Lapidus says, ‘We saw a huge focus on compliance over risk mitigation.’

There are a number of compelling reasons for executives to emphasize security, including the demands of regulations and the potential for bad publicity resulting from a breach or failure, and the corresponding impact this will have on a business. ‘It only takes a few headlines [about security breaches at healthcare companies] for our executive team to have their attention piqued,’ says Christopher Paidhrin, HIPAA and IT security officer for Southwest Washington Medical Center. ‘They say, Christopher, do whatever needs to be done and make sure that doesn’t happen to us.’

Short attention span
Yet, even in the regulated industries, top managers can quickly forget how important the topic is to them. According to the Kroll-HIMSS study, 13 percent of respondents admit to having experienced a data breach. Over a third of them did not change their security policies after the breach. Only 18 percent of the organizations that experienced a breach believe that they experienced a negative financial impact, although in a range of estimated costs of data breaches at healthcare facilities, the number can run as high as $197 per record and $6.3 million per incident.

For most companies and industries, ‘there isn’t that strong, burning platform’ to drive executive interest in security, says Jose Granado, a principal at Ernst & Young’s information technology enablement center. And for many executives, the pressure is often greater to pay attention to other things.

‘I was a CIO for a couple of years at a bank here in Houston,’ says Granado, who spent most of his career in information security. ‘My number one priority every day when I woke up was that our services were up and running. Our business positively, absolutely depended on those applications being up and running for our brokers and traders to execute trades.’

‘Executives view security in the same way they see insurance: It’s something they need to have so that they can say they had it when things go wrong,’ says security expert William Horne of William Warren Consulting. ‘Executives don’t care about the details and are unwilling to be involved in any detailed discussions, planning or rehearsals to assure continuity before disaster strikes.’

Talking business to IT
On the other hand, the technical people who manage security issues approach the topic differently. ‘Techies need things spelled out,’ Horne says. ‘We don’t have a lot of tolerance for ambiguity. It’s [a result of] our background. A single misplaced quote will bring a system to a crashing halt.’

So executives and security personnel have widely diverging ways of thinking. Now add the 1,001 things nipping at the attention of top management and you have a recipe for enforced disinterest. ‘They don’t want to pay attention to me because I’m a line item among all the other line items clamoring for attention,’ Horne says.

As security people focus on details, they fail to paint the proper picture for management, which is that perhaps the biggest security risk facing corporations is not attack from without, but attack and negligence from within. ‘We often see someone being irresponsible with backup tapes and not securing them,’ says Lapidus. ‘You see organizations who don’t screen their employees, who don’t screen their vendors. You’ve got people who infiltrate your organization for nefarious intent. They’re there to steal data. They’ve been arrested before for the same charge.’

Unfortunately, the most likely source of information security violations – inadvertent mistakes made by employees – are difficult to detect and remain largely invisible to all but the most vigilant of companies. A change in any specific data element might seem relatively unimportant and remain unnoticed, even under the attention of a normal audit. But when decisions are made based on the information, or when the data must be accurately reported in a case of e-discovery, a small change or error can quickly become compounded and the damage can be serious.

The law is not your friend
The current prevailing corporate legal culture and the practice of regulatory compliance don’t necessarily help. ‘My experience with attorneys is that they don’t have the broad-based understanding of IT security,’ says Dirk Hobgood, executive vice president and CFO of business consulting and executive search firm Accretive Solutions. ‘My experience has not been that the chief legal counsel is the one driving the bus on IT security and making it a hot topic.’

Similarly, US regulation focuses on rules. If there are aspects covering security implementation, then companies will spend the time and money to exactly meet those requirements. However, data security legal requirements are ‘a patchwork quilt’ according to Sotto.

‘Not only is it not comprehensive in the US, but it’s not harmonized around the world,’ she says. ‘If data exists in 16 jurisdictions, how do you deal with the laws when you’re essentially dealing with [information stored in] a single network?’

Finally, there is a misunderstanding of the nature of information security and what is necessary to achieve it. According to Patti Dock, executive vice president of secure data communications services vendor DataMotion, security compliance ‘is something many executives leave to their IT department, assuming that the right application will do the trick.’ And they often don’t consider security until something goes seriously wrong. By that time, the company may have suffered reputational damage not easily undone, or the problem could be hidden and affecting the management process.

Know what you are buying
Given the purchasing practices of corporations, the decisions about implementing security are ultimately in the hands of business line people who don’t have direct responsibility for implementing it and who don’t understand the nature of the issues. ‘Two years ago, it was the chief security officer or vice president of networks I’d have to go convince [to buy products and services],’ Dock notes. ‘Today it’s the businessperson with a business problem that includes a need for security.’

There is no easy solution for a company. Effectively and adequately dealing with data security and its connection to compliance is a responsibility that transcends roles, because security transcends departmental responsibilities.

A first step in bringing compliance and security together is to realize the cross-functional nature of both. ‘Information, the lifeblood of all modern corporations, touches every aspect of the business,’ comments Paidhrin. ‘So wherever that information is created, maintained, disseminated or destroyed, someone has to be responsible.’ The most sophisticated locks in the world can’t secure a building if people constantly leave the doors open.

And so, security personnel, executives and legal staff must learn to communicate. An open exchange to start could identify the explicit connections between security and compliance, underscoring what work must be done. The more removed the two seem to be, the more participants in any discussion must identify the specific causal chain to show that what happens in one sphere of the business affects every other area.

In this effort, all three parties – security, management and legal – must strive to understand each other’s concerns. For example, the CISO must realize that security only has a limited budget and that deciding on the proper amount of security means assessing the risks of problems, the chance of their occurrence and the cost of mitigating the danger.

‘The CISO needs to develop business skills – economic, finance and marketing,’ advises Franklin Tallah, an information security consultant who currently works at the MGM Mirage for Link Technologies. ‘They need to learn how to appraise other c-levels of why this is important.’

All parties then need to develop a common set of metrics to measure the effectiveness of security measures. This is far more difficult than it might seem. ‘I’ve yet to see anyone crack the code and come up with a set of [general] metrics that on one hand enable you to track progress from your security program, but you can extract ROI in standard business terms,’ Granado says.

If there aren’t general metrics, then every company must develop its own learning to translate everything from incursion attempts to incidents of employees ignoring basic security practices into forms of operational and compliance risk. By getting all to agree on goals and definitions, leaders of the company can hopefully keep safe the company’s data – and its profits and compliance obligations.