Blind spot


Article, 1 June 2008

PM Network

Buchanan, John

How to cite this article:

Buchanan, J. (2008). Blind spot. PM Network, 22(6), 42–47.

Competing globally exposes an organization to numerous information security threats, both internally and externally generated. Without a strategy to prevent such threats and to mitigate the impact of actual breaches, organizations fail to protect themselves from potentially ruinous harm. This article discusses how organizations can prevent a corporation's most prevalent security threat: the internal leaking of data, whether purposeful or unintentional. In doing so, it describes why organizations are vulnerable to internal data leaks and how organizations are now responding to such leaks, and it defines the increasingly popular strategic security solution known as access governance. It identifies the most likely source of an information security event, as found in a survey by PricewaterhouseCoopers and CIO and CSO magazines. It explains how project managers can protect critical data and how project management can support the protection of organizational data assets. It then looks at the data security challenges now facing executives and the role they must play in ensuring that their organizations effectively protect sensitive data. Accompanying this article are three sidebars: the first lists two tips for practicing information security; the second defines two of the latest and little-known IT threats; the third summarizes key findings of a report on information security practices in India and China.

Too many global organizations are vulnerable to information security threats they either don't understand or choose to ignore.

by John Buchanan
photo by Hugh Burden


Most CEOs never see it coming.

Armed with an array of apparent solutions—firewalls, antivirus protection, intrusion-detection software—executives are lulled into a false sense of security about the safety of their information. Yet while viruses and other forms of attack by malicious strangers remain ever-present possibilities, there's a new danger that goes far less noticed.

“The threat landscape has shifted from protecting your enterprise to protecting your data,” says Mark Egan, a partner at information security consultant StrataFusion Group, Los Gatos, California, USA, and coauthor of The Executive Guide to Information Security: Threats, Challenges, and Solutions [Addison-Wesley Professional, 2004]. “The nature of the threat has shifted from someone seeking notoriety as a hacker to someone seeking financial gain as a criminal.”

And, more often than not, the threat originates from inside the organization. The fundamental vulnerability lies in routine, and often authorized, access to information. Despite the risk, most organizations are ill-prepared to defend against the disgruntled employee, contractor, partner, vendor or supplier looking to steal sensitive data—from confidential project plans to private customer information—and sell them in a booming global marketplace. Of course, some of that leakage may be accidental, but the underlying motivation remains less important than the end-result.

60: The percentage of organizations that reported having a chief security officer or chief information security officer

SOURCE: THE GLOBAL STATE OF INFORMATION SECURITY 2007

“You have to assume the worst and act accordingly,” says Vaughn Volpi, president of Columbus, Ohio, USA-based PICA Corp., a global provider of loss-prevention and risk-management services. “Oftentimes, organizations err on the side of convenience. They need to err on the side of security.”

Yet most organizations remain blind to the risks they face.

“When it comes to access to data, both in the public and private sectors, awareness of the need to keep information in a controlled domain is much too low,” says Reinhard Posch, CIO for the Federal Republic of Austria, Graz, Austria, and chairman of the management board of the European Network and Information Security Agency, created by the European Union in 2004.

Just last November, the sensitive personal details of 25 million Britons were put at risk when a government agency lost the entire unencrypted database of child-benefit recipients on disks sent in the mail.

If such nightmare scenarios aren't addressed, Mr. Posch says, the ability of public organizations to maintain the confidence of citizens could be seriously undermined. “For example, we have discussions in the medical sector about whether minimum security requirements for patient records are adequate,” he says. And whether or not the public feels comfortable with the government's ability to maintain secure records can dictate whether programs get launched.

NEED TO KNOW

The strategic solution that now trumps traditional measures such as firewalls and antivirus software is access governance. Information is compartmentalized and doled out on a “need-to-know” basis.

“The No. 1 threat to organizations today is data security. And the threat is dramatically more internal than external,” says Prasenjit Saha, vice president, enterprise security solutions group, at IT services giant Wipro, Bangalore, India.

If external security is the goal, he explains, today's standard for best practice is encryption of data and the use of two-factor authentication, a requirement for a second component in addition to a traditional user name and password.

But if internal security is the goal, most organizations remain oblivious to the risks they face.

And that's a big mistake.

For the first time, employees took over the top spot as the most likely source of an “information security event” in the fifth annual Global State of Information Security 2007. The survey of 7,200 IT, security and business executives spanning more than 119 countries across various industries was conducted by PricewaterhouseCoopers and CIO and CSO magazines. Nearly 70 percent of respondents cited current and former employees as the likeliest source of attacks, surpassing hackers at 41 percent.

57: The percentage of organizations that reported having an overall information security strategy in 2007

37: The percentage of organizations that reported having an overall information security strategy in 2006

SOURCE: THE GLOBAL STATE OF INFORMATION SECURITY 2007

It's not just employees, though. Control over sensitive information should extend to partners, vendors and suppliers, too—but that doesn't always happen. In fact, the study found only 42 percent established security baselines for third parties.

Many organizations are also too quick to dispense critical data to new partners and vendors before appropriate due diligence has been done. That due diligence should include an assessment of the third party's own information security protocols. The study found 70 percent of the respondents were only somewhat or not at all confident in their partners' and suppliers' information security, and 55 percent were only somewhat or not at all confident in their outsourced vendors' security.

TIP: BEWARE THE ROAD WARRIORS—ESPECIALLY IF THEY HAVE CLOUT.

“A government entity typically does not allow access to information via external devices such as PDAs,” says Reinhard Posch, Federal Republic of Austria. “But then, some minister says, ‘I have seen this nice tool and I have to have it, and you must install that, no matter what the security policy is.’ That is a typical challenge today.”

TIP: IGNORANCE ISN'T BLISS WHEN IT COMES TO INFORMATION SECURITY.

“Organizations don't know what they don't know,” says Colin Clark, Somerfield Stores Ltd. “They don't know that their devices are not secure because they have not looked to see if they are secure.”

69: The percentage of organizations that cite current and former employees as the No. 1 source of information security events

SOURCE: THE GLOBAL STATE OF INFORMATION SECURITY 2007

This raises a larger, more challenging issue in an era of ubiquitous but often sensitive information that fuels increasingly decentralized organizations.

“The question becomes, how do you actually create a system of access control in a world where there really are no control points any more?” says Martin Abrams, executive director of the Center for Information Policy Leadership at the law firm Hunton & Williams LLP, Washington, D.C., USA. “And at what point, if you limit the flow of data, do you disadvantage the organization?”

This is where project leaders can step up, says Kimberly Van Nostern, resident information security executive at Executive Alliance, a marketing firm in Atlanta, Georgia, USA.

“Project managers have become critical to information security initiatives, because of the all-encompassing, enterprise-wide scope of such initiatives,” Ms. Van Nostern says. “Using project management enables you to analyze the needs of the organization, establish priorities and get consensus from all of the stakeholders. It also enables you to manage change around the project, which is very difficult to do, and to have the right metrics so you can measure your milestones and communicate progress to senior management more effectively.”

THE LATEST THREATS

Even the organizations that think they're secure may be at risk at the most dangerous, and least recognized, points of technological vulnerability, says William D. Johnson, CEO and president of TECSys Development Inc. The Plano, Texas, USA-based company provides information security and regulatory compliance solutions to clients such as the Central Intelligence Agency and the European Space Agency.

Mr. Johnson cites two examples of what he says are little-known, but daunting threats:

Who's On Board? Virtually every server or computing infrastructure device has a “service processor, on-board administrator” card that allows it to be accessed and controlled remotely. Hewlett-Packard's is known as iLO, Dell's is DRAC. The U.S. government has warned that these cards are susceptible to both insider and outsider “brute force” attacks, which can enable an intruder to steal vital data or wreak havoc.

Without a Trace. Another risk exists when a computer, infrastructure device or other network-enabled device is in stand-alone mode, whether it has been placed in that mode deliberately or because the operating system or network is down. During this time, logging systems and network monitors are “blind” to anyone accessing or modifying data. That means intruders can get in and out without leaving a footprint.
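Both threats above are visible to a defender only if the management interface's audit trail is actually watched. The following is an added example, not code from the article or from any vendor: it runs two detections over constructed audit lines in an assumed "<ISO time> <device> <event> <source>" format (the event names LOGIN_FAIL, LOGIN_OK and HEARTBEAT are assumptions, not iLO or DRAC output). The first flags a burst of failed logins against a service processor, noting whether a success followed; the second finds windows where a device's heartbeat stopped, the "blind" period the text describes.

```python
# Added example (not from the article): detection over constructed audit lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2008-06-01T10:00:00 srv01-bmc LOGIN_FAIL 10.0.0.5
2008-06-01T10:00:05 srv01-bmc LOGIN_FAIL 10.0.0.5
2008-06-01T10:00:09 srv01-bmc LOGIN_FAIL 10.0.0.5
2008-06-01T10:00:12 srv01-bmc LOGIN_FAIL 10.0.0.5
2008-06-01T10:00:15 srv01-bmc LOGIN_FAIL 10.0.0.5
2008-06-01T10:00:20 srv01-bmc LOGIN_OK 10.0.0.5
2008-06-01T10:05:00 srv02-bmc HEARTBEAT -
2008-06-01T13:20:00 srv02-bmc HEARTBEAT -
"""

def parse_log(text):
    """Parse constructed lines into (time, device, event, source), oldest first."""
    events = []
    for line in text.splitlines():
        ts, device, event, src = line.split()
        events.append((datetime.fromisoformat(ts), device, event, src))
    return sorted(events)

def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (device, source) with >= threshold failures inside window; record
    whether a later success from the same source followed (likely compromise)."""
    recent = defaultdict(deque)  # (device, src) -> failure timestamps in window
    flagged = {}
    for ts, device, event, src in events:
        key = (device, src)
        if event == "LOGIN_FAIL":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(key, {"success_after": False})["failures"] = len(q)
        elif event == "LOGIN_OK" and key in flagged:
            flagged[key]["success_after"] = True
    return flagged

def find_blind_windows(events, max_gap=timedelta(hours=1)):
    """Return (device, start, end) spans where heartbeats stopped for > max_gap."""
    last, gaps = {}, []
    for ts, device, event, _ in events:
        if event != "HEARTBEAT":
            continue
        if device in last and ts - last[device] > max_gap:
            gaps.append((device, last[device], ts))
        last[device] = ts
    return gaps
```

Any data change on a device that falls inside a reported blind window cannot be attributed from the logs and should be reconciled by other means, such as a file-integrity baseline taken before and after the gap.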

Of course, it may take some doing to get through to the upper echelons.

In a survey of almost 700 U.S. IT practitioners from business and governmental organizations, 74 percent of the respondents said they believed senior management does not view access governance as critical to information security. The 2008 National Survey on Access Governance was conducted by Ponemon Institute, a privacy and data protection think tank, and enterprise security provider Aveksa.

Even organizations aware of the competitive need for data security usually fail to implement a formal program of access security governance or risk management, says Mr. Egan.

“There is usually no executive group that is assessing risk and the likelihood of that risk affecting the organization,” he says.

THE TOXIC ZONE

Many CEOs are—understandably—daunted by the mere scope.

“When you start to look at information security, it is a huge thing,” says Colin Clark, head of corporate business control at Somerfield Stores Ltd., Bristol, England. “You get into data classification. You get into hierarchies. You get into all sorts of issues. But if you break it down into the components and deal with the issues that are important, everything else will take care of itself.”

Somerfield, a grocery retailer with approximately 1,000 stores in the United Kingdom, is in the midst of a three-year project aimed at bringing the chain into compliance with the global data-security standard for payment cards.

As part of that initiative, Mr. Clark is working to control access via a strict approval process administered on a case-by-case basis by Somerfield's information systems manager.

In addition to controlling access, he has worked with department heads to identify what he calls “toxic data,” information that, if compromised, could damage the company. One obvious example is the top-secret details of Somerfield's regular promotions, a staple of the brutally competitive grocery business.

But identifying what exactly needs to be kept hush-hush is a business function, not an IT function.

“Security people know what security is, but they don't know what information needs to be secured,” Mr. Clark says.

Mr. Abrams backs him up: “He is absolutely correct. The IT department can't define what the key assets are that need to be protected. It is the job of senior management to do that.”

Yet ownership is still perceived to rest with IT departments. Only 10 percent of senior IT executives at 169 financial institutions surveyed said their organizations had an information security policy led by business line leaders, according to the 2007 Global Security Survey released last September by Deloitte Touche Tohmatsu.

And it may fall to IT project leaders to make the executive suite more aware of the challenges in ways they can understand.

“When you talk to people in various departments, they do not need to understand information security,” Mr. Clark says. “They need to understand what toxic data exists in their departments. Then you can build an information security program around that data.”

So skip the jargon.

ASIA PACIFIC: ON GUARD

India has posted major gains since 2006 with information security practices and safeguards, yet while China leads other countries in requiring third parties to comply with privacy policies, it lags behind in almost all other privacy safeguards, according to The Global State of Information Security 2007.

SECURITY REPORT: INDIA

Hired chief security officers and chief information security officers: 87 percent in 2007 vs. 58 percent in 2006

Implemented an overall security strategy: 62 percent in 2007 vs. 34 percent in 2006

SECURITY REPORT: CHINA

Employ chief privacy officers: 14 percent vs. 22 percent worldwide

Have mechanisms in place to report security incidents to customers or business partners: 18 percent vs. 29 percent worldwide

Secure web transactions: 31 percent vs. 46 percent worldwide

“Whether you are outsourcing your IT or manufacturing, you have to step back and make sure the companies you are working with are protecting your information.” Mark Lobel, a principal in the advisory practice of PricewaterhouseCoopers, one of the study's sponsors

“The IT industry does itself a disservice when we sit with CEOs and CFOs, because ‘techno babble’ is often used,” says John Addeo, practice director, advanced security, at the Raleigh, North Carolina, USA, office of Dimension Data, a Johannesburg, South Africa-based IT provider.

“Senior-level execs should insist on having this information presented in a manner that is meaningful and delivers a real-world understanding of what is going on. In relation to their IT security, they should want to know ‘What are my risks and exposures?’ ‘What is being done to address them?’ and ‘Am I improving over time?’ That's what they need to focus on.”

Executives typically have a blind spot when it comes to information security, says Mr. Abrams, who consults with organizations in the United States, Asia Pacific and Europe.

“CEOs are still focused on capital as the key aspect of their business,” he says. “But the fact is that information far surpasses capital.”

48: The percentage of organizations that said they measured or reviewed the effectiveness of security policies and procedures in the last year

SOURCE: THE GLOBAL STATE OF INFORMATION SECURITY 2007
