Townsend Security Data Privacy Blog


(The Cost of) the CEO/CISO Disconnect

Posted by Todd Ostrander on Apr 5, 2013 8:50:00 AM


Managing risk is at the forefront of the responsibilities that "C" level executives deal with on a daily basis. Fire fighting, that is, managing business risk, is part of the job description, and planning to prevent the fires is what successful companies do. In his book Good to Great, management expert Jim Collins uses the analogy of a bus to analyze the leadership of great companies. When you have the right people in the right seats, Collins says, the company is elevated to a new level.

However, if there is a wall between the driver of the bus (the CEO) and the rest of the passengers, communication breaks down. If the passengers know more than the driver about things such as weather conditions and the location of the destination, and there is no way to communicate effectively with the driver, then the navigators can't warn the driver of severe risks that lie ahead.

One of the areas where I continuously see this disconnect is IT security. Because technology is an ever-evolving component of business, protecting sensitive data will always be an issue, and hackers will always be trying to find a way "in". Chief Information Security Officers (CISOs) are hired to manage this risk. But when the CEO is ignorant of the risks, whether through a lack of understanding or an unwillingness to take the time to learn them, the lines of communication between the CEO and CISO are obscured, and important decisions about data security do not get made.

A recently published study by CIO magazine and PricewaterhouseCoopers stated that "only 1/3 of security policies were tightly aligned with business goals."

Although a combination of factors leads to this disconnect, two primary factors prevail: 1) The CEO, CFO, or COO isn't well informed of the risk of a data breach and what it will cost their organization in real dollars, company value, and publicly perceived value. And 2) The security professional (CISO) understands the vulnerabilities but can't articulate them in terms of business cost. The result is that neither the CEO nor the CISO is able to effectively quantify the risk. Risk unquantified is risk ignored.

Fortunately, the press has provided us with significant examples over the past several months to help educate both the CEO and the CISO about the risks associated with unprotected data. In 2012 alone, there were multiple data breaches that cost individual companies BILLIONS of dollars in lost value and recovery cost.

These are the costs resulting from a publicly disclosed data breach:

  1. Cost to fix the issues that led to the breach
  2. Cost to protect the individuals' data / company data that was compromised from future breaches
  3. Cost of the future audits that will be required to maintain compliance
  4. Cost of the fines that can be levied depending on the type of breach
  5. Cost of customers no longer willing to trust the organization
  6. Cost of the negative press / PR associated with the breach
  7. Cost of combating the negative PR with a new PR / social media campaign to assure customers / vendors that everything is okay

At the end of the day, we want to see CEOs succeed by increasing the value of the company in the eyes of the shareholders while reducing the risk of value erosion. We also want to see CISOs who are confident in educating their CEOs about these risks. As long as this issue continues to go unrecognized, the CEO has one more fear to keep him up at night.

Can you afford it?

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.

Topics: Data Privacy, Executive Leadership

Data Security – Why Should the CEO Care?

Posted by Todd Ostrander on Jan 31, 2013 1:22:00 PM


In any organization, the CEO has many jobs. At the macro level, a CEO's job is to instill confidence in his stakeholders, which include customers, investors, employees, suppliers and partners. To accomplish this, a CEO must establish a level of trust with these stakeholders in order to inspire, encourage, and engage them in the vision the entity is pursuing. This trust ultimately creates value for the entity through the confidence the market has in the ability of the CEO and his team to execute.

Every business has inherent risks in its execution. As part of the CEO's ability to instill the confidence that ultimately results in value, he/she must be able to identify and address each of the risks in the business. Therefore, risk mitigation, by nature, becomes a core component of a CEO's job.

In a pre-internet world, the risk of data loss was limited to a physical breach of the "four walls" of the entity. Security guards, fences, and access control systems were established to keep people away from sensitive information. However, as today's world has become connected at virtually every level, the protection of data needs to focus equally on the data itself rather than simply blocking someone from getting at the data.

Most CEOs are well aware that encryption methodologies were created so that their CIOs could protect data in their networks. However, this is such a new phenomenon that few CEOs understand the inherent risks to ALL their data and the changes in the regulatory landscape that they must comply with in order to maintain confidence and the resulting value in their entity.

As you've already read, the cost of a data breach isn't just the cost to the individual whose data has been compromised; it also falls on the entity entrusted with protecting that data, in the form of fines and the time needed to recover from the breach. In many cases this is measured in millions of dollars per incident.

A CEO loses confidence when he/she doesn't adequately ensure that policies are in place to protect ALL data from breach. Here are some examples of data that needs protection:

  • Employee records – anything that includes name, address, phone number, e-mail address, SSN, insurance information, etc.
  • Customer records – anything that includes name, address, phone number, e-mail address, EIN, financial information, etc.
  • Supplier records – same as above
  • Health information records
  • Credit Card information
  • Password information, even if stored separately
  • Confidential information about company strategy / plans
  • Confidential information about customer strategy / plans
  • Confidential information about vendor strategy / plans

Many CEOs would answer, "My data is encrypted, what's the problem?" The problem is that you've probably pasted the key to the encryption on the front door and don't even know it. "Hey hacker, come on in, here's the key, take what you want."

Now let's look at the cost. If you were to have a data breach, the cost may differ depending on what's been lost. However, that's a dangerous game to play. The data that isn't "regulated" may have the greatest impact on your value.

If someone steals confidential customer information, what is the effect on your brand? Can you recover from the market impact of being labeled as not having the safeguards in place to protect your customer data? Dropbox is dealing with this question as you read this. They blamed their customers. Who are you going to blame?

The only viable solution to this risk is to ensure that you have an adequate “encryption key management” solution in place that meets ALL requirements of safe data protection methods.  You must not only protect the data, you must also protect the keys to the data.

The inability to address this issue may just cost you your company.

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.

Topics: Data Privacy, Executive Leadership