Talking About Privacy
How Do You Respond When Data Breaches Go Mainstream?
Maybe 10 years ago, I was moderating a roundtable discussion by a group of CIOs. The topic was security, which at the time was the dirty little secret of information technology - nobody wanted to discuss it, much less fund it.
So, I asked the question: "How do you succeed at getting security budgeted?" I'll never forget one CIO's response:
"Whenever a harmless virus enters our network, I make sure it gets directed to our CEO's desktop. Then he comes to me for help, and I make my case for why we need to fund security."
Well ... that's one way to get people talking.
Hard to believe, but that was at a time when it truly was difficult to hold a conversation about information security. Nobody wanted to admit that there were vulnerabilities, never mind threats. To share a bit of security awareness with customers would be to admit there were risks - that was the conventional wisdom, at least. Admitting risks was bad for business.
My, how times have changed. No longer the dirty little secret, information security today is mainstream news. Since Valentine's Day alone, we've seen the RSA SecurID hack, the Epsilon breach, Sony, Michaels and now even the mainstream news media are discussing the Lockheed Martin incident (which could tie back to RSA).
The conversation is about more than mere security, though. It's also about privacy - particularly in cases such as Epsilon and Sony, where e-mail addresses and account information are cherry-picked by hackers who hope to use this data to attempt fraud. People are genuinely concerned about their loss of privacy today, and it's up to information security and privacy professionals to allay these concerns.
I've had the occasion recently to interview two noted privacy professionals, and I want to share some of their insights.
My first conversation was with Kirk Herath, chief privacy officer for Nationwide Insurance Companies. He's been a privacy officer for more than a decade now - active in the profession, too - so he's seen security and privacy come of age.
I asked Kirk how he responded from afar to the Epsilon and Sony breaches, and his gut response is what I'd expect from any privacy professional: "I'm glad it's not me."
But then we got into some of the specific lessons learned from these incidents, and he boiled it all down to a key point: The need for transparency. Especially in such a public incident as the Sony breach, organizations need to be prepared to anticipate questions from everyone - customers, law enforcement, regulators and even Congress.
As we subsequently learned, Sony didn't even have a chief information security officer at the time of its breach. But the company also appeared to lack bench strength in corporate communications. "They seemed unprepared for the public relations and political side of the breach," Herath says. "At the end of the day, the worst you can do is look like you're not transparent."
I also had the chance to speak with J. Trevor Hughes, head of the International Association of Privacy Professionals - a global organization that has expanded exponentially in recent years. He confirms the cumulative impact of these recent incidents.
"The recent breaches tell us a lot," Hughes says. "First of all, breaches happen. There are bad people in the world, and they're always trying to find ways to get access to data because data has increasing value in the information economy."
Because of this reality, organizations today have to prepare themselves not just to protect data and privacy, but also to respond appropriately - and quickly - when that breach occurs. "Increasingly, organizations are using privacy professionals to ensure that, as part of their post-breach response plans, they're actually talking to regulators, consumers, congressmen and sometimes class-action lawyers about what went wrong, to [communicate] that they've got plans in place to mitigate the amount of harm that occurs when a breach happens."
We've come a long way from the day when the CIO had to use a virus to get the boss' attention. But as the deluge of recent incidents shows us, the conversations about information security and privacy are only beginning.