BreachExchange mailing list archives
The decade of the data breach – how to cope
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Mar 2015 12:38:11 -0600
http://www.information-age.com/technology/security/123459205/decade-data-breach-how-cope

Virtually every Fortune 5000 company, government entity and NGO has had at least one major data breach during this decade, with many having multiple ‘badges of shame’ to their credit. Each breach, whether malicious or accidental, brings all sorts of recriminations and bad press to the organisation and its leadership. Mea culpas and low-level IT managers falling on their swords have become commonplace and are now largely meaningless, because the root cause of the problem is still not being addressed: the lack of executive data leadership.

Data, especially those classes that contain personally identifiable information (PII), is one of the most valuable assets that every organisation collects, stewards, exploits and protects. Without it, there would be no organisation in virtually all cases, and yet treating data as an asset is typically entirely off the radar of the chief executive, the board and the senior executive team. Their only concern seems to be mitigating the risk associated with this asset class in respect of compliance with applicable laws, statutes and regulations. The protection of data is always left to the CIO or CISO, who reside multiple levels down in the organisational hierarchy. This must end now, or consumer trust will be lost for good, and fairly quickly.

Data leadership must come from the top (CEO and board) and cascade down to the entire organisation in order to be pervasive and effective. It defines the strategy for managing and exploiting data over its entire lifecycle (creation, harvesting and retirement). A critical component of this management lifecycle is protecting data from unauthorised access or inadvertent disclosure. If executives could envision data as being just as tangible as cash, bonds or even trade secrets, then perhaps they would be more imaginative in its protection.
Every organisation, in spite of its best efforts, has a very porous network of interconnections spanning its entire enterprise. Each of these connection points is potentially a source of a breach, especially now with the influence of the BYOD movement. Once breached, these networks typically cannot detect nefarious or negligent activity, much less PII and other critical data flowing outwards. It is a perfect storm of risk factors, and yet, if top-down data leadership were in place, appropriate resources, sensitivities, monitoring, rewards and punishments would be in place to detect, mitigate and ultimately prevent these data breach risks altogether, because everyone would know that it is the number-one priority for the entire organisation. It would be baked into the culture of the organisation, not merely part of the behavioural ethos within it.

This use of leadership and an engaged culture to steward and protect critical data is much more practical than any type of ring fence that many are currently advocating. Awareness and vigilance become the mission for everyone to embrace and embark on each day across the entire organisation. In most cases today, data breaches go undetected for up to a year before being discovered. By then the damage has been done. This would not be the case in any organisation that is committed to the core in respect of its data.

Coping with the threat and aftermath of data breaches requires top-down executive leadership and an engaged culture focused on nurturing and protecting data as an asset. Investing in more security tools, cyber insurance and endless consulting engagements will not surmount the challenge of the data breach. Embracing all of the tenets of data leadership is the only solution to this long-term challenge. Remember, 2015 is the year of data leadership, and thwarting data breaches is a good place to start your journey.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)