Maksim Samasiuk - Fotolia
Studies continue to show that insider threats are a big risk to companies' data protection efforts. But despite these well-known, highly publicized threats, corporate leadership often does not do enough to set the right information protection tone in their organizations, according to Grace Buckler, founder of privacy consulting firm The Privacy Advocate LLC. During the recent ISSA International Conference in Dallas, Buckler led a session where she discussed why the attitude of business leadership will have a direct effect on company efforts to improve information privacy. In this Q&A conducted at the conference, Buckler explains why a company's privacy breach prevention efforts are heavily contingent on company culture, and the potential costly repercussions if data security is ignored at the leadership level.
Why is a security leader's attitude so important to ensure enterprise information security and privacy?
Grace Buckler: A leader's attitude is important because both internal and external partnerships, and resources of the organization, operate under the inspiration of the leader's values reflected in his or her attitude. These include their concerns, views and approaches to privacy. A leader influences and sets the tone for information privacy with the appropriate level of awareness and the type of decisions he or she makes regarding security and privacy. By decisions, I mean decisions that affect the magnitude of employee awareness, resource allocation, and budget; and also how the decisions are made.
If organizational business mission or goals and ensuring cybersecurity, enterprise information security and privacy have the same level of priority, then decisions, policies, processes and procedures will mirror the priorities. Leadership priorities are not secrets: Management priorities are shared values, hence the wrong attitude regarding overall data protection can proliferate in the organization the same way the right attitude can -- and will. For governance and operational decisions that do not align privacy with information security, cybersecurity and business, the outcome is usually very costly.
What are some of the current major threats to information privacy, and how are information security leaders' job requirements changing because of them?
Buckler: Threats to information privacy are technological, insider threats; inadequate awareness and organizational -- for example, weak policies and safeguards, improper assessment, planning and prioritization, to name a few. Big data and data analysis are commonplace in many organizations and continue to grow. Merely having an interest in information privacy is not enough. Leaders are now required to be well-informed and educated about information privacy, and in regard to both internal and external obligations.
Leaders' responsibilities and job requirements are changing commensurate with growing privacy implications specific to their unique functions and enterprise goals and obligations. Globally, immense data collection, analysis, storage and transport via the use of varied technologies, such as the cloud, IoT, mobile devices and apps, pose challenges to safeguarding privacy. With increased data breaches, cybersecurity and privacy have become boardroom topics in order to help address how threats, risks, and vulnerabilities are managed. Leaders are accountable and are required to understand these topics enough to set the direction for effective governance.
What are some of the potential consequences with taking the wrong approach to both data breach prevention and data privacy? Do companies now have some leeway because these breaches are happening so often?
Buckler: Among the consequences associated with taking the wrong approach to data breach prevention are costs: including liabilities, fines, fees, litigation, loss of trust and customers, damage to reputation and stakeholders' confidence, negative publicity and loss of assets. The right approach to data breach prevention is preparedness. That sounds broad, but my signature question is 'What are you trying to protect?' Organizations must have full knowledge of what they have, value and can't afford to lose, in addition to creating a comprehensive plan for protecting these critical assets.
Consulting external resources to scope out your preparedness is a good step in the right direction. There's no leeway in understanding real privacy threats to your business' mission and goals. Definitely, don't assume any latitude in meeting your legal, regulatory or compliance obligations, or in having a robust plan for incident response. Consider customers and stakeholders' expectations and needs, plus ethics and consumer rights.
Do you have any examples of scenarios where the wrong attitude from an infosec leader or team resulted in making a privacy/security breach worse?
Buckler: As a leader, being too quick to say 'you're fired' is the wrong attitude that can make a data breach worse. Unfortunately, this happens often. The error may have been an honest mistake, not a deliberate act. Sometimes management directly and indirectly shares responsibility for employee errors that led to breaches. The most important aspect of a security or a privacy breach is finding the root cause and ensuring the problem does not persist. It's best to focus on mitigating the risks rather than focusing on getting rid of the source of information. There are other ways to prove your organization is serious about data protection without sending anyone home. Consider electing the employee to author the lessons learned from the breach.
When discussing honest mistakes or errors, I always touch on corporate culture. Leaders must adjust how they deal with those who have made mistakes. The rest of your employees who didn't get fired might be thankful to have escaped being fired. However, the organization just took a hit on morale -- someone that your team or employees enjoyed working with is gone. Fear, security and privacy do not make a great combo. Instead, you'll get more human errors this way. High morale and high motivation do the opposite and lead to high productivity, so choose your battles and attitudes carefully. Human error is a factor in up to 95% of security incidents. The importance of having a positive and strong security and privacy attitude is so that both leaders and employees see privacy as a value that they want to experience, promote, protect and form.
More from the ISSA International Conference on enterprise information security and privacy:
Tabletop exercises prove essential to cybersecurity training
Drone, IoT popularity raise likelihood of privacy regulation
Ignorance remains among biggest cloud security risks