THE MAGAZINE FOR FINANCIAL DIRECTORS AND TREASURERS
TECHNOLOGY May 2008

FIREWALL OF SILENCE
Data security breaches are rampant and costly. So why don’t C-level executives talk about them?
By Scott Leibs

In January, when Société Générale revealed that it had lost more than US$7 billion due to fraudulent trading activity, most of the headlines focused on “rogue trader” Jérôme Kerviel, framing him either as a criminal or a reckless striver. Only later did questions emerge about the bank’s role as an enabler, and even then scant attention was paid to the exact manner in which the bank’s processes may have been at fault.

In truth, much of the blame can be traced to poor security, and in that sense the intense coverage of Société Générale joins a long parade of stories devoted to identity theft, computer hacking, and data breaches of all kinds. Despite all that attention, in many respects computer security remains the corporate risk that dares not speak its name. CFOs in particular seem loath to discuss it publicly even when they admit privately that it’s a major concern.

Your Data is in the Mail

Perhaps they are wise to stay mum. Since January 2005, the Privacy Rights Clearinghouse has chronicled nearly 1,000 breaches in the United States totaling nearly 220 million electronic records (the actual number could be much higher because in many cases the number of records lost, stolen, or otherwise at risk is unknown). Data was compromised due to vulnerabilities that range from the predictable to the ridiculous: lost or stolen laptops, hard drives, and jump drives; malicious and recreational hacking; the actions of vengeful ex-employees; computers left unattended and subsequently used by unknown parties; even poorly glued envelopes that spilled their contents into the mail stream.

To date, the uncertainty over what exactly happens to misplaced or flagrantly misappropriated information has been the only bright spot for companies regarding computer security. Because plaintiffs have been unable to prove what, if any, damage resulted from their information falling into the wrong hands, their lawsuits have usually been tossed out of court.

That’s not to say that companies aren’t paying a price. Khalid Kark, an analyst at Forrester Research, estimates that companies pay US$90 to US$305 per record every time they must react to a breach. Given that a large company may see millions of customer records affected, the total tab could run into the millions or even billions of dollars.

Even though computer breaches now carry a much more quantifiable price tag than in years past, that seems to have done little to galvanize senior executives. A recent survey conducted by security and privacy issue specialists Ponemon Institute, although limited to one form of security, serves as a useful proxy for prevailing attitudes. Asked whether senior management regards access management—a term that describes the governance procedures surrounding which employees have access to what types of information—as important, 74 percent of the nearly 700 IT and security personnel who responded said no. A majority (57 percent) also said that collaboration across business units, audit/compliance departments, and IT departments is not being achieved.

Access management may sound arcane, but in truth it’s a simple concept that often lies at the heart of security breaches. At Société Générale, for example, “it was a classic case of an employee changing roles,” says Brian Cleary, vice president of marketing for Aveksa, which sells access-management software. “Kerviel moved from a back-office job to a front-office position, and brought all his former access rights with him.”

Access Denied

By better controlling access rights, companies can limit employee access to information. Such control takes two forms: software vendors including IBM, Sun, CA, Netegrity, and others sell security software that acts as a gatekeeper, identifying and authorizing users. Aveksa adds an additional wrinkle, layering on top of such software a governance piece that matches an employee’s role to the data or other resources he or she can access, essentially tackling the vexing problem of change management and auditability.
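The role-change failure the article describes, modeled as an added Python sketch (not code from the article or from any vendor it names; the roles, entitlements, names, and segregation-of-duties rule are constructed): the naive role change keeps old rights, the governed one rebuilds them, and an access review reports anything the current role does not justify.

```python
from dataclasses import dataclass, field

# Entitlements each job role is supposed to carry (constructed sample model).
ROLE_ENTITLEMENTS = {
    "back_office": {"trade_settlement.write", "trade_settlement.read", "position_db.read"},
    "front_office": {"order_entry.write", "market_data.read", "position_db.read"},
}

# Segregation-of-duties rule (constructed): nobody should both enter orders and settle trades.
SOD_CONFLICTS = [("order_entry.write", "trade_settlement.write")]


@dataclass
class Employee:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def onboard(name, role):
    """A new hire receives exactly the entitlements of the role they are hired into."""
    return Employee(name, role, set(ROLE_ENTITLEMENTS[role]))


def change_role_naive(emp, new_role):
    """The pattern the article describes: new rights are added, old ones are never removed."""
    emp.role = new_role
    emp.entitlements |= ROLE_ENTITLEMENTS[new_role]
    return emp


def change_role_governed(emp, new_role):
    """Governed change: the entitlement set is rebuilt from the new role alone."""
    emp.role = new_role
    emp.entitlements = set(ROLE_ENTITLEMENTS[new_role])
    return emp


def access_review(emp):
    """Entitlements not justified by the employee's current role; an empty list is the goal."""
    return sorted(emp.entitlements - ROLE_ENTITLEMENTS[emp.role])


def toxic_combinations(emp, conflicts=SOD_CONFLICTS):
    """Pairs of entitlements the same person should never hold at once."""
    return [pair for pair in conflicts if set(pair) <= emp.entitlements]


if __name__ == "__main__":
    a = change_role_naive(onboard("alice", "back_office"), "front_office")
    print(access_review(a), toxic_combinations(a))   # stale rights and an SoD conflict
    b = change_role_governed(onboard("bob", "back_office"), "front_office")
    print(access_review(b), toxic_combinations(b))   # [] []
```

Running the review periodically, not only at role-change time, is what turns this into the auditability piece the paragraph mentions.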

As critical as it can be to understand who can access data, a related matter that is now getting more attention concerns the actual data itself: Has it been changed or moved, and if so, when, to what degree—and, of course, by whom? Known as “database auditing and real-time protection products,” this class of software (from vendors including Guardium, Tizor, Symantec, IBM, Oracle, and others) is booming: Forrester Research predicts that it will grow from a US$450 million market in 2007 to US$900 million by 2010.

This software can, as Prat Moghe, founder and chief technology officer of Tizor, puts it, “tell you what’s happening to the data: Is it encrypted? Who’s looking at it? Who’s modifying it or suddenly copying a lot of it?”
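One of the questions Moghe lists, "who is suddenly copying a lot of it," as an added detection example in Python (not code from the article or from any product it names): it parses constructed database audit records and flags a SELECT whose row count is far above the user's own history, exempting a known batch account so routine jobs do not alert.

```python
import re
from collections import defaultdict

# Constructed audit records in a simple key=value form; real products use their own formats.
AUDIT_LOG = """\
2008-05-01T09:00:01 user=analyst1 op=SELECT table=customers rows=40
2008-05-01T09:00:45 user=analyst1 op=SELECT table=customers rows=35
2008-05-01T09:01:10 user=analyst1 op=SELECT table=customers rows=52
2008-05-01T09:02:03 user=batch_svc op=SELECT table=customers rows=250000
2008-05-01T09:03:30 user=analyst2 op=SELECT table=customers rows=180000
2008-05-01T09:03:50 user=analyst2 op=UPDATE table=customers rows=1
2008-05-01T09:04:00 user=analyst1 op=SELECT table=customers rows=48
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse(log):
    """Turn audit lines into dicts; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "rows": int(m["rows"])})
    return events


def bulk_read_alerts(events, service_accounts=frozenset(), factor=10.0, min_rows=1000):
    """Flag a SELECT that is both large in absolute terms (>= min_rows) and, where the user
    has a history, more than `factor` times their average read. First-seen users with a
    large read are flagged too, since there is no baseline to justify the volume."""
    history = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["op"] != "SELECT" or ev["user"] in service_accounts:
            continue
        past = history[ev["user"]]
        baseline = sum(past) / len(past) if past else None
        if ev["rows"] >= min_rows and (baseline is None or ev["rows"] > factor * baseline):
            alerts.append((ev["ts"], ev["user"], ev["table"], ev["rows"]))
        past.append(ev["rows"])
    return alerts


if __name__ == "__main__":
    for alert in bulk_read_alerts(parse(AUDIT_LOG), {"batch_svc"}):
        print("bulk read:", alert)   # analyst2 pulling 180000 rows of customers
```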

The software also addresses a key related question: Should the data even exist? “Do you need credit card numbers, for example?” Moghe asks. Companies are often—indeed, almost always—more adept at capturing information than managing it once they’ve got it, and that extends to purging what they don’t need and are perhaps at risk for holding.

There are substantial technical differences between vendors, not to mention huge price differences between the data auditing utilities that a database company such as Oracle or IBM might include with its principal offerings (essentially free in some cases) and the more sophisticated products offered by specialty firms.

Parsing those differences can soon lead to the sorts of technology-intensive discussions that send C-level executives screaming from the room. Perhaps they should tough it out. “From a CFO perspective,” says Jose Segrera, CFO of Terremark Worldwide, a provider of IT infrastructure services, “there is so much attention on risk management coming from the audit committee that IT and data security have to be on your risk-management checklist.” He points to the ISO 27000 family of security standards as one place that C-level executives might look for guidance.

Christopher Wolf, a partner with U.S. law firm Proskauer Rose, suggests that companies look to current practices in the financial-services and health-care industries, where additional regulatory requirements have made them “the gold standard regarding what constitutes ‘reasonable’ protection of data.”

“Slowly,” says Moghe, “leading-edge companies are beginning to have the kind of systematic dialogue between IT, risk, compliance, and other departments that is essential to comprehensive security.” Larry Ponemon, chairman and founder of the Ponemon Institute, says that the burden tends to fall on lower-level staff, who must develop a solid value proposition for security measures in order to win funding and attention.

There is, however, a way to jump-start that process. “Experience a disastrous breach,” Ponemon says.

Scott Leibs is a deputy editor of CFO in the U.S.

Who’s In Charge?
Which department/function is most accountable for governing access to information?

  Business units         29%
  Application owners     22%
  IT                     19%
  HR                     12%
  Information security    6%
  Compliance              4%

Source: Ponemon Institute, February 2008

You Want It, You Got It
How often do employees have access to information resources not relevant to their job functions?

  Very often    11%
  Often         33%
  Sometimes     34%
  Never          2%
  Not sure      19%

Source: Ponemon Institute, February 2008
