Information Assurance: Make a Perspective Adjustment; It’s All About the Business

Last week I was at the Computer Security Institute 33rd Annual Computer Security Conference & Exhibition, where Chris Grillo and I also gave our post-conference seminar, “Effectively Partnering InfoSec and Privacy For Business Success.” It was interesting to hear the folks attending both the conference and our seminar express their concerns related to information security and privacy. I am always intrigued by the various viewpoints of folks not only in different industries, but also of those who have very little experience in dealing with information security, privacy and compliance versus those with a great amount of experience. It is very noticeable how the viewpoints shift from addressing primarily technical issues (overwhelmingly those with little experience) to incorporating the issues throughout the entire enterprise and into all processes through procedures, awareness and responsibilities (overwhelmingly those with much experience).

I was encouraged to hear mindsets changing from focusing primarily on tools and protecting the “network” to focusing on how to effectively protect the “information.” There is a very distinct difference, and this shift in applying safeguards around specific types of information, as opposed to the enterprise network as a whole, has in many ways simplified practitioners’ jobs, as they themselves have indicated, as well as made their efforts more effective. Such a change in perspective has made them more aware of the need to identify and classify their data than they were with a technology-only perspective, and they have also indicated that this shift has produced a pleasantly surprising shift in their business leaders, who understand the need for protecting specific types of information, such as personally identifiable information (PII), far better than they ever did denial of service attacks, firewalls, malware, and so on. In fact, one CISO I spoke with said he wished he had realized this years ago…that he could have saved much time beating his head against the wall to get information security initiatives approved if he had only approached information assurance from this more business-centric perspective instead of the typical network-centric perspective.
It should be, after all, “information” security and privacy, not “IT” security and privacy; IT is a subset of the total effective information assurance effort, even if the information assurance responsibility resides within the IT area.
I enjoyed speaking with many practitioners about the issue and challenge of just identifying the PII they have; how do they do it? How do they inventory and track the flow? How do they protect it in all forms? How do they help prevent user mistakes from happening that can result in PII compromise? How do they make sure their business partners, to whom they have entrusted PII, have good and effective safeguards in place? Etc…
All great conversations.
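Those inventory questions are where many programs stall, so here is an added example (mine, not from the conference or the original post) of the first step: discovering PII in data you already hold. The Go program below scans constructed sample records for Social Security numbers, e-mail addresses and payment card numbers, and confirms card candidates with the Luhn checksum so that order and tracking numbers are not flagged. The patterns and the records are illustrative assumptions, not any organization's real rules or data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one PII hit: which record it came from, what kind of data
// matched, and the matched text.
type Finding struct {
	Record int
	Kind   string
	Value  string
}

var (
	// US Social Security number in the common 3-2-4 dashed form.
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// E-mail address (deliberately loose; the goal is discovery, not validation).
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	// Candidate payment card number: 13-19 digits with optional space or dash
	// separators. Candidates are confirmed with the Luhn check below.
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// luhnValid reports whether a string of digits passes the Luhn checksum that
// payment card numbers carry. It weeds out order and tracking numbers that
// merely look like card numbers.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScanRecords runs every field of every record through the PII patterns and
// returns the hits. A card candidate counts only if it passes Luhn.
func ScanRecords(records [][]string) []Finding {
	var findings []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	for i, rec := range records {
		for _, field := range rec {
			for _, m := range ssnRe.FindAllString(field, -1) {
				findings = append(findings, Finding{i, "ssn", m})
			}
			for _, m := range emailRe.FindAllString(field, -1) {
				findings = append(findings, Finding{i, "email", m})
			}
			for _, m := range cardRe.FindAllString(field, -1) {
				if luhnValid(strip.Replace(m)) {
					findings = append(findings, Finding{i, "card", m})
				}
			}
		}
	}
	return findings
}

// SampleRecords is constructed data for the demonstration; no real person or
// account is represented. Row 2 carries a Luhn-valid test card number, row 3 a
// tracking number that looks like a card number but fails Luhn.
var SampleRecords = [][]string{
	{"Ann Example", "ann.example@example.com", "ticket 2024-00017"},
	{"notes", "customer SSN 123-45-6789 on file", "card 4111 1111 1111 1111"},
	{"shipment", "tracking 1234 5678 9012 3456", "no card on file"},
}

func main() {
	for _, f := range ScanRecords(SampleRecords) {
		fmt.Printf("record %d: %-5s %s\n", f.Record, f.Kind, f.Value)
	}
}
```

In a real inventory this logic sits behind whatever reads your file shares, databases and mailboxes, and its output becomes the data-flow map that the next questions (who holds it, where it goes, who protects it) are asked against. Pattern matching finds the obvious formats only; names, postal addresses and free-text notes still need classification by the people who own the data.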
One especially important topic of discussion is holding your business partners, vendors, and other entities to whom you entrust your information to a higher standard than your own organization for certain aspects of their information assurance programs. I wrote about this in September 2005 for the CSI Alert newsletter in an article titled, “Information Nannies: When outsourcing, hold data caretakers to a higher standard.” When I get a few moments this week I will post it to my personal website.
Encryption was another great topic of discussion: how to do it, when to do it, where to do it, who should do it and why to do it. Basically, if your information is moving, either across a network or on human legs because it is stored on a mobile computing device or on mobile storage media, it is prudent to encrypt the PII. Then, even if the device or media is stolen or otherwise ends up in the hands of someone who should not have it, the unauthorized party gets only ciphertext. Two practical caveats: the protection is only as good as the handling of the key, so the key (or the passphrase that unlocks it) must not be stored on or travel with the same device or media; and encryption addresses loss or interception of the data, not misuse by someone who is legitimately authorized to decrypt it, so it complements rather than replaces access controls and awareness training.
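As an added example (not from the original post), the Go program below shows what that looks like for a record copied onto removable media: AES-256-GCM seals the record so that whoever finds the media sees only ciphertext, and, because GCM authenticates as well as encrypts, a wrong key, a mismatched label or a single altered byte is rejected outright rather than decrypted to garbage. The record, the label and the key handling are illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey draws a fresh 256-bit AES key. Where the key lives is the whole
// point: it must not travel with the laptop or USB stick it protects. Keep it
// in a key store, derive it from a passphrase the user holds, or put it on a
// hardware token; a key stored beside the ciphertext protects nothing.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM under key and returns one blob laid
// out as nonce || ciphertext || tag, convenient for writing to a file on
// removable media. label is authenticated but not encrypted (a record or file
// name, say), so a blob cannot be quietly substituted into a different context.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; GCM's security collapses if a nonce is
	// ever reused under the same key.
	nonce := make([]byte, gcm.NonceSize(), gcm.NonceSize()+len(plaintext)+gcm.Overhead())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. It returns an error, and no plaintext at all, if the key
// is wrong, the label differs, or any byte of the blob has been altered.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed record")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed record and label; no real person is represented.
	record := []byte("Ann Example,123-45-6789,ann.example@example.com")
	label := []byte("hr-export-2006")

	blob, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(blob))

	// Whoever picks up the lost device has the blob but not the key.
	if _, err := Open(make([]byte, 32), blob, label); err != nil {
		fmt.Println("wrong key:", err)
	}
	// Flipping one bit anywhere in the blob is detected, not decrypted to garbage.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, blob, label); err != nil {
		fmt.Println("tampered blob:", err)
	}
	blob[len(blob)-1] ^= 0x01
	pt, err := Open(key, blob, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("holder of the key recovers:", string(pt))
}
```

The same Seal and Open pair covers data in motion over a network if both ends share the key, though for that case a standard transport protocol such as TLS is the right tool; the hand-rolled blob format is appropriate for the stored-on-media case the paragraph describes, where the recipient is the same organization at a later time.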
The bottom line is the importance of implementing information assurance activities to support and protect the business. It has been said in many different ways before, but it is worth repeating: information assurance initiatives are not activities to do just for the sake of doing them. They must be done to support and advance the business by protecting its information assets, by meeting its legal, regulatory and contractual information protection obligations, and by protecting its brand through avoiding incidents. When you manage your information assurance program from this business-centric perspective you will find your efforts more successful, and you will also have noticeably more management support for them.
Infusing an information assurance mindset throughout your enterprise’s practices and processes will have a noticeably positive impact on improving security, privacy and compliance. Many information assurance practitioners in attendance, from a wide range of industries, attested to this.
