Protecting Data Is a Shared Responsibility
By Gary Loveland | Posted 2011-06-16
CEOs and corporate boards can help the IT organization by articulating new security objectives as they pursue growth.
According to the latest “Global State of Information Security Survey” conducted by PwC, 35 percent of respondents say they don’t have an overall security strategy in place. Yet data must be protected wherever it resides; a hardened network perimeter is no longer enough on its own.
While they benefit the bottom line, technologies such as cloud computing and social media also pose security challenges. But comprehensive data security does not have to cost a fortune. Automating the management of user accounts and access, and streamlining compliance work, can free up resources to focus on protecting the data that matters most.
As data moves beyond a company’s physical control, it becomes harder to protect. Safeguarding it depends on people as much as on technology.
Which people are accountable for protecting critical information? Leading companies have chief information security officers, who focus on safeguarding critical data across the organization. CISOs make certain that security is a consideration at the outset of new business initiatives by lending security experts to business units.
Since 2007, CISOs have increasingly reported directly to CEOs and company boards, which shortens the path for security communication and cooperation: 36 percent of CISOs reported to the CEO in 2010, up from 32 percent in 2007, and over the same three years the number reporting to the board rose 11 percent. CEOs and boards can help by articulating new security objectives as they pursue growth.
Security should be considered at the outset of new business initiatives to mitigate risk. CEOs and boards should focus their attention on who is accountable for protecting critical information, how to define security objectives and how to evaluate progress against them. Because the set of security-sensitive data changes as the business evolves, the inventory of what needs protecting should be reevaluated frequently.
Many firms don’t track metrics, such as spending on security administration, or actively monitor their logs for signs of breaches, but monitoring and evaluation are essential. The evidence is usually already being recorded: a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their log files. The gap was not data collection but review.
Leading companies that do track indicators are able to benchmark their programs against peers. The benchmarking data and internal assessments help those enterprises determine where to increase spending and where to cut it.
CEOs need to ensure that their company presents attackers with no easy way in. Hackers were once largely motivated by ego, but they now target valuable data they can sell, including intellectual property, using sophisticated techniques. Proactive breach analysis, reviewing logs and network traffic before an incident is reported rather than after, can surface attack signatures, unexpected communication with external networks and other suspicious activity.
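The log review the preceding paragraphs call for is mechanical enough to automate. The following is an added example, not code from the article or from PwC, that scans constructed sample log lines (an SSH authentication log, a web access log and a firewall outbound-connection log, all invented here) for three indicators: a burst of failed logins followed by a success from the same source, web requests carrying SQL-injection or path-traversal signatures, and outbound connections to networks outside an assumed allowlist. The thresholds, regexes, log formats and the `192.0.2.0/24` "allowed" range are all assumptions chosen for the example.

```python
"""Added example: scan constructed log lines for breach indicators.

The rules, formats and thresholds here are assumptions for illustration,
not anything described in the article.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample data (not real logs): sshd auth lines, Apache-style access
# lines and iptables-style outbound lines, as a security team might merge them.
SAMPLE_LOG = """\
Jun 16 02:11:01 host sshd[2211]: Failed password for admin from 203.0.113.9 port 51022 ssh2
Jun 16 02:11:03 host sshd[2211]: Failed password for admin from 203.0.113.9 port 51023 ssh2
Jun 16 02:11:05 host sshd[2211]: Failed password for admin from 203.0.113.9 port 51024 ssh2
Jun 16 02:11:07 host sshd[2211]: Failed password for admin from 203.0.113.9 port 51025 ssh2
Jun 16 02:11:09 host sshd[2211]: Failed password for admin from 203.0.113.9 port 51026 ssh2
Jun 16 02:11:12 host sshd[2211]: Accepted password for admin from 203.0.113.9 port 51027 ssh2
Jun 16 02:12:00 host sshd[2240]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Jun 16 02:12:30 host sshd[2241]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
198.51.100.7 - - [16/Jun/2011:02:13:41 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [16/Jun/2011:02:13:59 +0000] "GET /login.php?user=x'+OR+'1'='1 HTTP/1.1" 200 512
198.51.100.7 - - [16/Jun/2011:02:14:02 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
Jun 16 02:15:10 fw kernel: OUT dst=192.0.2.55 dport=443 proto=tcp
Jun 16 02:15:11 fw kernel: OUT dst=198.18.0.9 dport=6667 proto=tcp
"""

# Assumed allowlist of destinations the business expects to talk to.
ALLOWED_OUTBOUND = [ipaddress.ip_network("192.0.2.0/24")]

SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
OUT_RE = re.compile(r"\bOUT dst=(\S+) dport=(\d+)")

# Deliberately simple signatures; a real deployment would use a maintained ruleset.
SQLI_RE = re.compile(r"'\s*or\s*'", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def analyze(log_text, allowed_nets=ALLOWED_OUTBOUND, fail_threshold=4):
    """Return a list of findings (dicts with a 'rule' key) for the given log text."""
    findings = []
    failures = defaultdict(int)  # (user, source IP) -> failed attempts seen so far
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = SSH_RE.search(line)
        if m:
            outcome, user, src = m.groups()
            key = (user, src)
            if outcome == "Failed":
                failures[key] += 1
            elif failures[key] >= fail_threshold:
                # Success after a burst of failures from the same source:
                # classic signature of a guessed or brute-forced password.
                findings.append({"rule": "brute_force_then_success", "line": lineno,
                                 "user": user, "src": src, "failures": failures[key]})
            continue
        m = WEB_RE.match(line)
        if m:
            src, method, target, status = m.groups()
            decoded = unquote_plus(target)  # normalise %xx and '+' before matching
            if SQLI_RE.search(decoded):
                findings.append({"rule": "sqli_signature", "line": lineno,
                                 "src": src, "target": decoded})
            if TRAVERSAL_RE.search(decoded):
                findings.append({"rule": "path_traversal_signature", "line": lineno,
                                 "src": src, "target": decoded})
            continue
        m = OUT_RE.search(line)
        if m:
            dst, dport = m.groups()
            addr = ipaddress.ip_address(dst)
            if not any(addr in net for net in allowed_nets):
                # Outbound traffic to an unexpected network: possible exfiltration
                # or command-and-control channel.
                findings.append({"rule": "unexpected_outbound", "line": lineno,
                                 "dst": dst, "dport": int(dport)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample it flags the admin login on line 6 (five failures, then success), the two hostile web requests, and the outbound connection to 198.18.0.9 on port 6667, while ignoring bob's single typo and the allowlisted HTTPS connection. The point for the executive reader is that every one of these indicators was already in the logs; what turned them into a finding was the decision to read them.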
An effective breach-response plan can mean the difference between a quick recovery and a serious blemish on a company’s reputation. Yet 63 percent of respondents in our 2011 survey said their firms either don’t have a contingency plan or have one that doesn’t work.
Independent assessments of IT operations have helped companies identify specific vulnerabilities and develop a more integrated approach to maintaining information security. People remain an integral part of that picture: employees who aren’t trained to think about security can disclose sensitive data on social networks or click through to sites that hackers use to infiltrate corporate networks.
Cloud computing can also pose security challenges, so companies need to assess the ability of cloud providers to protect the confidentiality, integrity and availability of their data. They need to understand the risks in how the provider separates data from multiple clients and how it manages the third parties it relies on. Contracts should spell out the requirements, including how the provider will mitigate risks and what happens to the company’s data when the contract ends, such as when it is returned or destroyed.
CEOs should ensure that the security budget is being spent effectively while still meeting regulatory requirements. Instead of trying to lock down everything, companies should redeploy their resources to focus on protecting the data that is most at risk. Management of user accounts and access, which is handled manually at many companies, can also be automated to free up resources.
How do we meet expectations regarding data privacy? Enterprises have an opportunity to go beyond compliance and gain consumers’ trust amid the growing concern about the amount of electronic data companies collect, analyze and share. They can use privacy protection to gain credibility among customers and encourage them to participate in online programs.
By identifying key aspects of security—including monitoring, spending metrics and employing CISOs who focus on securing critical data—CEOs and directors can help determine how well their companies manage information security risks in a hyperconnected world.
Gary Loveland is a principal in PwC’s advisory practice and leads PwC’s global Security practice.