The Age of 'Involuntary Transparency'Why Organizations Must Re-Focus on Securing Sensitive Data
This is the aftermath of the WikiLeaks controversy, says Slemp, defining "involuntary transparency" and the need for data governance programs in organizations across industries.
In an exclusive interview about strategies for protecting sensitive information, Slemp discusses:
- What WikiLeaks means to public and private organizations;
- Risks to organizations and consumers;
- How organizations can protect themselves from data breaches.
Slemp is the global leader of the IT Security and Privacy practice at Protiviti, a global business consulting and internal audit firm. Slemp has more than 30 years of experience in information technology risk and strategy consulting. His expertise spans the risk management and security spectrum within the pharmaceutical, manufacturing, consumer packaged goods and retail industries, as well as financial services, government and health care sectors.
At Protiviti, Slemp counsels clients in developing and evaluating comprehensive information security strategies and programs; data privacy and compliance program design and assessments; incident response planning and execution; and security architecture services.
Prior to joining Protiviti, Slemp spent 30 years at IBM where he served in various roles with global responsibility for such areas as identity solutions, data loss prevention, intrusion detection, forensics and incident response services, and security and privacy.
TOM FIELD: Just to get us started, why don't you tell a little bit about yourself and your work at Protiviti please?
CAL SLEMP: Sure, Protiviti is an enterprise risk management organization, a global organization, and with them I am responsible for our security and privacy services throughout the world.
In the Wake of WikiLeaksFIELD: Cal, we talked up front about WikiLeaks, and I would love to get your perspective on what the developments in recent weeks mean for today's businesses. And when I say businesses, I mean public and private sector organizations, and I want to include healthcare organizations as well because we speak to a lot of those.
SLEMP: It has had an incredible impact, and I know you used the word "aftermath" earlier. I'm not sure that this is something that has had an endpoint to it. The conversations that we are seeing going on with our clients really come into five things. They are asking themselves what information do they consider sensitive -- what could impact the confidence their clients had with them, their revenue streams, or their reputation? And we're seeing a lot of refinement of that definition going on.
The second thing that we're seeing organizations go through is they are ensuring that the access or privileges to that sensitive information are being reviewed and asking themselves whether the controls that they have in place are adequately being followed.
I guess a third area that we see is that they are asking about this information and how it is stored and what applications are leveraging it, and then they are ultimately asking themselves, "Gee, if an event occurs, if something like a leak or a breach or something occurs, what sort of incident response and crisis management plans do we have in place?" You know. all the way through kind of a need to discovery or litigation support.
Ultimately, what they are asking is have they defined their risks properly, and are they proactively approaching mitigating them. This includes whether they've adequately communicated to their employees and partners what is expected of them.
This all kind of fits under an umbrella that we call data governance program, but those are the things that we're seeing our clients talk to us about and focus on independent of the industry that they are in Tom.
FIELD: Now there is a term I used upfront, and I actually borrowed it from a Protiviti report. That term is "involuntarily transparency." I would love to get your perspective on how we've arrived at this age of involuntarily transparency.
SLEMP: Yes, it is a wonderful term, we think, and the interesting part of it is that organizations are finding themselves to have to be worried and concerned, or at least focused on what information they have that they are processing that might be used in environments that they had initially expected, or did they have information get out of the organization? Everything from confidential information about product development and things like that -- sensitive information about employees or health records or things like that, or just now because of some of this re-definition of sensitivity, are there some things that could be embarrassing for one reason or another to the organization? So, the environment that I guess started with supporting whistleblowers, which is a very in a positive thing to do, is essentially morphing itself into "Gee, we as a company, as an enterprise, as an organization need to be under the assumption that we need to be completely transparent whether we want to or not," i.e. the phrase "involuntary transparency." The interesting other side of that is that the WikiLeaks approach depends completely on anonymity, and is really just obviously the opposite of transparency. So the organizations are the ones that have to be focused on what may be involuntary transparency, if you will.
FIELD: It strikes me that for organizations that were used to the world of "What happens in the boardroom stays in the boardroom," this really is a wake-up call. What I would be curious to hear from you is how organizations are and should be responding to this wake up call?
SLEMP: You are right, and frankly there has to be the ability for things to stay in the boardroom, if you will, because that is the way organizations operate. The information I'm talking about is, 'Gee, what is the next product that we're going to make, or what is our next strategy that we're going to embark on?' We need to be able to, as an enterprise, have confidence in that confidentiality.
What we have seen the organizations face themselves within the board room -- what we have seen the boards focus on -- is first the understanding that this issue is indeed a C-suite issue to be dealt with at the top of the organization for the entire organization. What they have focused on is frankly what we call the "entire data lifecycle." They need to make sure they understand what data they have, how they acquired it or how they created it, all the way through its disposal. Very few organizations take that view, Tom, and we're seeing that some firms are being embarrassed when they find out really what information they've kept, especially when it's also admissible in court. It's expensive, and it sometimes complicates management if you do not control the amount of information that you store and otherwise manage in your databases. By the complication of expense I'm suggesting that it is more expensive and more complicating when you do not take a full life cycle view of the data and dispose of it when you can and should.
Organizations are also understanding, frankly, that everybody plays here. This is not an issue that is specific to highly regulated industries. Any company that stores employee data (and frankly who doesn't?) is susceptible to privacy laws, which is great. Every employee is a citizen of some state. In the US, over forty states have some sort of privacy laws. This is obviously in addition to corporate and trade secrets that organizations have, and this confidential communication among colleagues or with business partners in the supply chain or otherwise is now being added to that list of sensitive information. Frankly, what we are seeing then is the data management, this governance is very easy to ignore. What most companies had done is focus so much on building a fence around themselves with network security etc. that they forgot about what they were trying to protect. Organizations that are working through privacy and other compliance issues have neglected to look at this issue of information holistically, and what we are working with our clients on is taking a data-centric view of that security, balancing privacy from a regulatory, technical and legal perceptive and really just working on their enterprise risk. These are the things that we call a data governance program.
Consumer ConcernsFIELD: Now we've talked about organizations. I'm curious about consumers. They've got so much information that is in the hands of government, of businesses, financial institutions, even healthcare organizations. What's the risk to the consumer with upcoming or even potential information leaks?
SLEMP: Every organization has in the US and in many other countries seen over the last several years the growth in privacy related regulations, or let's just say initiatives. This has not only highlighted the issue both commercially or at the consumer level, but what also within the governments of requiring them to take a much more proactive view as to how they handle sensitive information of their consumers.
On the other side, the consumer has an expectation that the information is being handled properly. It has provided wonderful things like personalized service and the ability to do interactive commerce especially in these holiday season that has helped a lot of people. But the foundation of this is that the consumer has an expectation that their sensitive information, their address, birth date or things like that are handled properly. And as they are seeing breaches occur, it is causing them to not only question what information they are sharing with different organizations, which I think is very healthy, but also forcing or causing them to feed back to the companies that they are dealing with, not only their expectations of how that information should be handled, but frankly letting them know if it is not handled properly, then they'll work with somebody else who does deal with that way. It is becoming quite a differentiator for organizations.
Response to Threat of ExposureFIELD: I got a question for you specific to banks. Just a couple of weeks back, just the threat that Bank of America could be exposed in a WikiLeaks revelation sent the stock price plummeting. How should banking institutions be responding to even the threat of a WikiLeaks type disclosure?
SLEMP: The banks in general have focused on the management of their information for quite a long time; regulation has done that. We've talked about the consumer perspective just a second ago. So, what we are seeing banks do is go back in reviewing the programs and controls they have in place, especially now that they are talking about a redefined definition, a reoriented definition of what is sensitive information. They are asking themselves what are the metrics and reporting procedures they have that are kind of signaling to them whether information is being used properly or adequately, and are providing them the information in the timeliness that they need? So what we are seeing the banks really spend their time on is in addition to that foundation that they have built on already for information protection, redefining what is sensitive and making sure that all the controls are working adequately from access control all the way through what information is flowing where.
How to Protect Against LeaksFIELD: Cal, a final question for you. We've spoken a lot about WikiLeaks, but there are dangers that exist beyond this one organization. My question for you if you could boil it down: How can organizations be protecting themselves against data breaches such as these?
SLEMP: The way I would summarize my view of what organizations need to do to protect themselves in this area is to ensure that they are going through what we've called a data governance program. That is, are they clear as to what information they've got in their organization? Do they know how they have classified it -- what is sensitive, what is not? Have they focused on who has access to that information, and are they controlling that properly? Are they focused on how that information is stored and where it is stored, in addition how it is being used? As we had talked earlier, this full lifecycle -- are they retaining it properly? Have they kept more than they need to, or have they got good disposal procedures in place? Ultimately, are they taking both a proactive and reactive approach to how they will respond to events, either preparing for them or indeed then reacting to them? Most important, are they communicating their expectations and training their employees and partners on what is expected of them and the information that is inside the company, and how it is being leveraged?