Tag Archives: Ponemon Institute
The Chief Information Security Officer (CISO) and the Chief Risk Officer (CRO) generally speak in different languages. One speaks about how to secure an organization and its assets. The other speaks about the potential of losing something of value. One area where they find common ground is in the shared conversation of the Cost versus Risk of a data breach.
A data breach costs an organization in the US on average $201 per stolen record. The risk of a data breach is a number between 1 and 10 that indicates how at risk your organization is. The cost of implementing security measures and controls ranges based on the acceptable levels of risk an organization is willing to take.
This is the conversation that needs to be mastered in order to communicate the need for more resources to Chief Financial Officers and the rest of the C-Suite.
As organizations conduct vulnerability assessments of their IT landscape, they get a sense for how at risk their environments and systems are of being breached. Yet, in many cases, these vulnerability tools have significant blind spots when users replicate data to applications and systems that are not within reach of their assessment tools. This requires the addition of a data-centric approach to classifying, categorizing and measuring the value of data and its potential risk.
In the Informatica Secure@Source launch event, Larry Ponemon of the Ponemon Institute describes during a panel session how great it would be if there were a tool that could tell you ‘here is the risk of the data’ and ‘here is the cost of that risk to the organization’. That is exactly what Secure@Source was designed to accomplish.
Security teams are, not surprisingly, consistently under-resourced. Teams are constantly responding to alerts and intelligence feeds, which leads to a steady call for more resources. Yet, if these teams had a view into where the data was most at risk and could focus their energy on prioritized assets that, if secured at the source, would eliminate downstream risk, they might find their world less overwhelming.
Throughout the RSA conference this week, there was a steady drumbeat calling out the need for building a security mindset in an organization. Many breaches are caused by people making mistakes in our workplaces. How can you stop breaches caused by the human factor? It is all about increasing awareness and actively making an effort to build security mindedness into everything we do.
During one RSA breakout session entitled, How One Smart Phone Picture Can Take Down Your Company, Dr. Larry Ponemon, Founder of the Ponemon Institute, describes how a hacker really only needs one piece of valuable information to unlock a large-scale data breach, which can be achieved by taking a snapshot of log-in credentials on a screen and other low-tech means. In his research report, Visual Hacking Experimental Study, he cites how ‘certain situations are more risky. Documents on vacant desks and data visible on computer screens are most likely to be hacked.’ This research report was sponsored by 3M – which makes sense since they sell privacy screens for computers, iPads and iPhones.
What is really needed is to make teams aware of the risk and vulnerabilities through education and training, through policy definitions and enforcement, and through constant reminders from leadership.
One startup company, Apozy, took a novel approach, using gamification to incentivize employees to incorporate best practices into their day-to-day routines. Informatica’s own CISO, Bill Burns, is using an internal competition between departments to motivate management to incorporate best practices.
While we continue to invest in technology to automate the implementation and enforcement of policies through controls, we also need to look at who we are hiring and to incorporate the security conversation into the on-boarding process.
When recruiting, look to colleges and universities that offer courses and degrees in cybersecurity. (Check out the Ponemon Institute 2014 Best Schools for Cybersecurity.) Arnold Federbaum, Adjunct Professor of Cyber Security at NYU School of Engineering, discusses Data Security Culture and Higher Education in a panel video recorded during the Informatica Secure@Source product launch.
Even the IRS has great training videos and podcasts to build awareness on potential risks of identity theft.
As we continue to see more data breach related news, it will be important to emphasize security mindedness in an organization’s culture, build policies that make sense and that have the appropriate level of enforcement, and, if it is critical to your business, prioritize hiring those with a formal education and background in cybersecurity.
In an RSA Conference session entitled IAPP: Engineering Privacy: Why Security Isn’t Enough, Sagi Leizerov, E&Y’s Privacy Practice leader, began with a plea:
‘We need effective ways to bring together privacy and security controls in an automated way.’
Privacy professionals, according to Sagi, essentially need help in determining the use of information, which is a foundational definition of data privacy. Security tools and controls can provide the information necessary to perform the type of investigation conducted by privacy officers. Yet as data proliferates, are the existing security tools truly up to the task?
In other sessions, such as A Privacy Primer for Security Officers, many speakers claimed that Data Security projects get prioritized as a result of the need to comply with Data Privacy policies and legislation.
We are in an age where data proliferation is one of the major sources of pain for both Chief Information Security Officers and Chief Privacy and Risk Officers (CPO/CRO). Business systems that were designed to automate key business processes store sensitive and private information and are primary sources of data for business analytics. As more business users want access to data to understand the state of their businesses, data naturally proliferates. Data proliferates to spreadsheets and presentations, is emailed in and out of the corporate network, and is potentially stored in a public cloud storage offering.
Even though the original intention for using this information was likely all above board, one security violation could potentially open up a can of worms for nefarious characters to take advantage of this data with malicious intent. Jeff Northrop, the CTO of the International Association of Privacy Professionals (IAPP), suggests we need to close the gap between security and privacy in a panel discussion with Larry Ponemon, founder of the Ponemon Institute.
Sagi concluded his session by stating ‘Be a voice of change in your organization. Pilot products, be courageous, give new ideas a chance.’ In the recent launch of Informatica Secure@Source, we discussed the need for more alignment between security and privacy teams, and the industry seems to agree. Congratulations to the Informatica Secure@Source development team for their recent announcement of winning the Gold Medal in the New Product and Service Category at the Info Security Products Guide 2015 Global Excellence Awards!
For more on the importance of Data Security Intelligence in Privacy, watch Larry Ponemon, Founder of the Ponemon Institute, and Jeff Northrop, CTO of the IAPP, discuss this topic with Arnold Federbaum, former CISO and Adjunct Professor, NYU, and Linda Hewlett, Sr Enterprise Security Architect, Santander Holdings USA.
Recently, the UK’s Parliament and the Internet conference brought together leading figures from Government, Parliament, academia and the industry to discuss and debate the most pressing policy issues facing the Internet.
As expected, data privacy and security were top of the agenda for much of the day, with a number of discussions highlighting the extent to which consumer data is being exposed to security risks and the need for the right legislation and protection to keep it safe.