Security in depth and sound data governance
August 2014 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
It is time for a change in how data security is considered. We are not referring to the tools and tactics, but instead how it is considered within the organisation and the boardroom. We have often overheard information technology professionals complain about their nominalisation within the organisation. In reality, companies that fail to see technology as an essential component of the business, and instead treat technology as infrastructure (like facilities management), will fail in the modern economy. However, even IT professionals fail to see that information security is just as critical to a company’s success. What is the net value to the bottom line of new functionality that permits criminals to steal the identity of your valued customers and your goodwill?
It is not enough to focus on the products or services a company provides. Companies must create and implement effective procedures for information privacy and security risk management. Companies should employ a layered security approach, or what is commonly called ‘security in depth’. This can include perimeter security, intrusion detection systems, egression device monitoring and the like. With this layered approach, when one security element fails, there are several others in place to prevent, if not mitigate, the resulting harm. Many companies ignore this approach and relegate information security to an insignificant voice in any debate concerning the best use of company resources. Even for those companies that adopt security in depth, there is an overreliance on technology. The board or the business leaders may think of data security like infrastructure. “Just get my phones to work – I do not want to know how – and do so at the lowest cost.” This approach is foolish and most importantly will not protect critical assets. As we will see, a majority of the elements of sound data governance approach do not involve technology.
Any layered security program must include and account for the benefits and risks associated with technology. Use of technology to safeguard company data as part of a layered information security program should likewise balance the technology with the business model and its associated risks. Mobile devices, wireless networks, and remote company server access all play a key part to the ever-expanding virtual ‘office’ space increasing efficiency and flexibility. Companies must balance the benefits of technology with appropriate enterprise risk management to isolate and minimise security threats, as well as mitigating resulting harms. Information technology ‘doors’ should be locked and monitored the same way as those to any office suite. Centralised control is essential.
Perimeter defence and access controls (similar to a castle’s walls, draw bridge and moat) should include a barrier between the bad guys outside and the valuable data inside, but they also should provide a line of demarcation along which companies can position resources and focus their attention. Firewalls are a first line of defence. Companies should also consider implementing intrusion detection systems, routing technology, and credential controls for a robust defence.
To keep abreast of corporate enterprise risk, companies should also implement oversight and surveillance technologies. Such technologies, if implemented and maintained, can not only provide intelligence to provide short-term notice of a potential risk, but they also provide long-term systemic reporting capabilities to assess ongoing performance issues and opportunities for improvement. System and information monitoring software, audits and logging of activity, and data backup all help support a full layered approach to information security.
Even the best designed and robust technological security measures can be compromised by its users. People within a company have access to data and systems that can impact security well beyond their office space or assigned job responsibility. Edward Snowden was a civilian government contractor to the NSA, one of hundreds, maybe thousands. The Target breach may very well have begun with an HVAC service provider clicking a link in a company email and unwittingly launching malware. Indeed, a company’s greatest resource is its people and its business relationships. Conversely, they also present the company’s greatest risk.
Contractors are used extensively in meeting workforce demands. A company should have policies of varying degrees to manage the risk associated with contractors (non-employees), to include what work is reserved exclusively for employees and what can be assumed by contractors. The policies should include background checks, access permissions, policies and contractor agreements. Such agreements and policies should include clear requirements for what is acceptable and unacceptable work practice and use of information. Furthermore, a company should demand that contractor companies and independent contractors comply with the same security framework imposed within the company. The third-party also should be obligated to assist in mitigating any harms resulting from a breach or other act by the contracting company or its personnel. Lastly, where appropriate, companies should secure the right to audit their third party contractors – and then actually complete such audits.
Finally, employees can be just as much, if not more, a risk. The obvious security protocol is for companies to have clear policies and procedures for all employees. But this is not enough. A company must actually regularly train and audit compliance with those policies and procedures to make sure employees not only understand but also comply with the security measures. Companies must maintain an active employee training program with an ongoing awareness program, which includes reminders and updates on new or emerging threats to company information security. Companies must see information technology as part of their business, rather than just a resource, and information security must be fully integrated with daily employee duties to successfully address threats at all fronts.
Before employees, contractors and other third parties can help to manage a company’s risk accordingly, a company must set forth its requirements in written policies. A data governance plan is a living documented set of guidelines for ensuring the proper management of a company’s digital information. Without a written expression of a company’s expectations, to include the manner in which it will collect, store and use personally identifiable information, a company cannot reasonably expect its employees and business partners to likewise meet those expectations. Furthermore, when a breach occurs, regulators and law enforcement will have an easier time understanding a company’s efforts to properly assess and manage risks to information with written policy and supporting procedures in place. This is especially true in regulated sectors such as healthcare, financial services and with publicly-held companies. After a breach occurs, a company’s ability to demonstrate that it has current and substantial policies and procedures may help to mitigate, to some degree, potential liability if followed. However, companies must grasp the idea that written policies are not an end, but only a means to information security.
The elephant in the room
The above may seem obvious. However, 15 years ago we were asking project managers why security was not part of the functional specifications when a product was designed; today, we are asking board members why data security is not part of a company’s strategic and financial considerations. Yet many organisations still are not taking the above steps. Or if they do so, the organisation goes through the motions but with no true mitigation of risks. Why? In short, information security is a secondary thought not only in the IT department, but also in the boardroom. It is seen as a cost centre and not important to financial performance. This perspective is naïve at best and more likely driven by shortsightedness.
Indeed, data security is often left out of the conversation or heavily discounted. Information security officers report to management or to IT departments creating conflicts of interest. When a business leader decides to not invest in security or chooses functionality at the risk of security, there is not a corresponding recognition in the balance sheet. Rather, the decision maker hopes that the breach (and corresponding costs) will not happen on their watch or will occur at a later point in time after they have received their bonus.
The solution is not easy as it requires cultural changes. To start, information security personnel need to identify the risks and present practical solutions. Information security causes itself to be marginalised when it obstructs advances and is not part of the solution. However, information security must be empowered and have a voice. The most effective information security regimes have some relation with general counsel or another individual that can take concerns to the board. Finally, decisions to forgo a recommended security feature must be recognised in financial projections and models. How to do so can be tricky. Recognising the cost of cyber insurance is one solution. Another is to include some or all of the cost of the rejected measure based on a multifactor calculation. In the end, accountability is the means; the goal is assuring the best risk management decision to see the company to long term success.
Companies need to understand how internal threats and company personnel can affect data security and information privacy. Companies should implement security through a multi-layered approach, while understanding what information can be shared across different internal business sectors. A company needs to understand and communicate its information management practices, make sure employees and contractors comply with that understanding, implement and enforce policies, and communicate openly and honestly with their business partners and customers. Companies must also account for how the evolving connectivity enabled by the ‘Internet of Things’ changes and impacts privacy and security. In the end, companies must not only discuss these issues, but also include a governance structure that gives voice to these issues and implements the most effective solutions. Doing so puts a company in the best position possible to respond to a breach when (not if) if happens.
Ronald I. Raether is a partner and Scot Ganow is an associate attorney at Faruki Ireland & Cox P.L.L. Mr Raether can be contacted on +1 (937) 227 3733 or by email: firstname.lastname@example.org. Mr Ganow can be contacted on +1 (937) 227 3716 or by email: email@example.com.
© Financier Worldwide
Ronald I. Raether and Scot Ganow
Faruki Ireland & Cox