Townsend Security Data Privacy Blog

Encrypting Data in the Cloud: How a CEO Can Manage Data Security Risk

Posted by Liz Townsend on Nov 24, 2014 2:07:00 PM

For many business leaders, the idea of moving to the cloud can be a daunting thing. Fear of the cloud still exists, and this fear is easily understood due to the inherent insecurities of the cloud. A shared, multi-tenant environment would never sound like a safe place to store sensitive business and customer data. The appeal of low-cost data storage clearly has trumped these fears, and today the cloud has become the de facto platform for all small businesses and startups as well as larger corporations that are continually trying to mitigate costs and choose to use the cloud over buying new, expensive hardware that must be operated in-house.

However, movement to the cloud has not alleviated these fears, and the biggest concern with the cloud remains security. This is largely because there isn’t a standard for securing data in the cloud, and although organizations such as the Payment Card Industry (PCI) and the Cloud Security Alliance publish recommendations around protecting data in the cloud, there are no hardened rules in place for organizations to follow to help them (or make them) secure data and prevent data breaches in the cloud.

The cloud has become a paradox for business leaders desperate to cut costs and manage risk at the same time. Using the cloud to store and process data at a lower cost is an obvious choice; however, such a quick decision often precludes due diligence around risk mitigation. It leads one to ask, if it’s the CEO’s job to govern and manage risk, why isn’t she or he more aware of the risks associated with storing sensitive data in the cloud?

The answer might be this: CEOs aren’t necessarily ignoring the risk, but simply do not know how to ask the right questions in order to adequately assess risk. If they don’t know how to assess risk in a certain area of their business, then there is little way to control that risk. When dealing in a technical landscape where data breaches are the new norm, and the cost of a breach can be millions, the inability to control the risk of a data breach is a massive problem.

For CEOs and business leaders concerned about sensitive data and data breaches in the cloud, it is important to learn the basics of assessing data security risk. A good place to start is by nailing down the answers to these topics:

  1. Find out if the customer data your company is processing or collecting must be protected under industry data security regulations and/or state laws. You may be surprised to find out that data not listed under these regulations, such as email addresses, passwords and phone numbers, is now considered “sensitive” in the public eye and should also be encrypted.
  2. Choose a cloud provider that will work with your compliance needs and help you mitigate risk. If applicable, choose a cloud provider that provably demonstrates commitment to security and privacy by having undergone PCI, FedRAMP, SOC or similar certifications. You may want to have the option of storing some data in a private cloud. Does your cloud provider offer this?
  3. Work with your compliance auditor(s) to determine if your cloud solution aligns with industry compliance requirements and best practices. At the end of the day, your auditing and legal counsel should be able to determine if you are securing data to regulations, recommendations and best practices. It is important to remember that meeting compliance is often considered a low bar and that it is typically better to do more than the bare minimum requirements.
  4. Document the type of data that you will be storing or processing in the cloud and which compliance regulations apply to encrypting that data. Depending on whether you are handling credit card information, financial information, patient healthcare information, or other types of sensitive data, you may fall under one or more industry data security regulations. Each set of regulations identifies what kinds of data need to be encrypted.
  5. Choose a cloud provider that will allow you to bring your own encryption key management when encrypting data. When encrypting data in the cloud, it is critical to remember that your encryption keys are your keys to the kingdom. If you store your encryption keys with your encrypted data, then anyone who gains access to that data will be able to decrypt it using the encryption keys. Some cloud providers offer key management as a service, which may be an adequate method of protecting encryption keys, but may not be preferable for organizations who want complete control over their encryption keys.

For any business leader concerned with GRC, knowing how to assess risk in the cloud is critical. Download our podcast "Encryption, Key Management, and GRC" to learn about what technologies you can implement to help mitigate a data breach or prevent one from happening altogether.


Topics: Risk Management, Executive Leadership, GRC

Are You Turning a Blind Eye to Data Security in Your Business?

Posted by Michelle Larson on Oct 3, 2014 9:58:00 AM

It seems like every day there is a new data breach in the news.

From malicious hackers to unintentional employee mistakes, loss of sensitive data is skyrocketing. Risk management has brought the data breach issue out of the IT department, and into the offices of Enterprise executives. Data loss is considered such a critical issue that encryption and encryption key management are mandated not only by many industry compliance regulations, but also by most state and governmental laws.

Here are a few key thoughts to consider:

5 Misconceptions About Data Security That Put You At Risk

1   If we have a breach, we’ll just pay the fine.

In many cases there will be fines for a data breach, but it is only a small part of the total cost. The cost of a breach also typically includes a forensics investigation, credit monitoring for customers, lost sales due to brand damage, and litigation costs.

2   We’ve never had a problem, so things are probably OK.

This type of thinking is not a form of risk assessment. Since data breaches often take months to discover, you may not know that a breach has already occurred. Wishful thinking won’t help you prevent a breach.

3   My software vendors and consultants say they have everything under control.

Today, many software vendors have not moved quickly enough to add encryption to their core products. It is not wise to rely on vague statements about data security from vendors and consultants. Make sure their solutions have been through a NIST FIPS 140-2 validation, use best practices, and are based on industry standards such as AES.

4   My IT staff says we’ve done everything we can.

IT departments may not have the resources or management directives they need to accurately assess and address data security issues. Meeting management’s goals and objectives within a set of operational and budgetary constraints is not the same as meeting security best practices.

5   We are encrypting our data, we are doing everything we should.

If you are encrypting your sensitive data, you’ve already made a good step forward. Do you know how and where your encryption keys are stored? Making sure your keys are not stored with your data is only the first step.  Good key management practices will truly protect your data.

5 Steps to Take to Reduce Security Risk

1   Talk About It

Discuss the importance of data security as it relates to risk management with all members of the organization’s leadership team. Data security is an ongoing process that involves every member of the organization, and will extend beyond your organization’s boundaries to vendors and service providers. Responsibility for data security belongs to everyone.

2   Assess Your Current Data Security Posture

If you have not had an external audit and assessment of your organization’s data security practices by a qualified security professional, now is the time to start. First, perform a data security assessment with an in-house consultant, security audit firm, or platform vendor to evaluate your current security posture. Next, find the location of all sensitive data. Lastly, evaluate the security of your backup tapes. The right security assessor will help you identify the most urgent problems, and help you prioritize your efforts.

3   Invest in Encryption and Key Management

When you have located sensitive data that is not encrypted, start a project to encrypt it now. Don’t forget to invest in the necessary encryption key management devices to protect the encryption keys. If your risk assessment warrants, provide budgetary exceptions to address the problem. Invest where you need to, as soon as you can. When choosing an encryption and key management solution make sure it uses industry standard NIST compliant encryption and FIPS 140-2 compliant key management.

4   Strengthen your technology acquisition processes

Every organization relies on off-the-shelf software solutions to manage and run their business operations. If your core applications do not provide encryption and key management to protect data, put your vendors on notice that they must address this issue immediately, and ask for updates. All new technology acquisitions should incorporate data security requirements into the RFP process.

5   Create ongoing review processes and procedural controls

Performing one security assessment or passing one compliance audit will not provide the focus and attention needed to protect you from a data breach over time. You must conduct routine vulnerability scans, create new processes, and review points within the organization to ensure that you continue to monitor your security stance. Use good procedural controls to minimize the chances of fraud. Implement Dual Control and Separation of Duties to achieve a defensible data security stance.

To learn more, download the eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs", and authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

  • Business risks associated with unprotected sensitive data 
  • Tools and resources to begin the discussion about data security in your company 
  • Actionable steps YOU can take

Download the ebook today!  


Topics: Alliance Key Manager, Data Security, Encryption, eBook, Encryption Key Management, Executive Leadership

Want to Get Bigger Clients? Give Them Encryption & They Will Come

Posted by Liz Townsend on Sep 26, 2014 8:55:00 AM

Business leaders are becoming more and more scared of an impending data breach. Most IT security professionals agree that a data breach is no longer a matter of “if” but “when”. While major enterprises are now scrambling to implement strong encryption and encryption key management to protect customer data, for many companies, like Target and Home Depot, these efforts are too little too late.

These medium to large enterprise-sized businesses are now holding their vendors and partners to a higher security standard. As a B2B organization that would like to onboard these larger clients, you should consider learning how to implement strong data security into your hardware, software, and cloud applications.

Encryption is one of the best-kept secrets of companies that have prevented or mitigated the consequences of a data breach. Because encryption renders data unreadable, any unauthorized access to that data is useless to the person who sees it. If the encryption key is adequately protected and not discovered by the intruder, then there is no way to decrypt the data and the breach has been secured. Encryption and encryption key management are the most defensible technologies for data breach protection.

Today encryption and encryption key management is as easy as launching an AMI in Amazon Web Services (AWS) in just a few minutes. Developers can now launch Townsend Security’s key manager, Alliance Key Manager (AKM), in AWS, Microsoft Azure, or VMware and receive up to two free licenses to develop and test encryption and key management in their applications. Alliance Key Manager is FIPS 140-2 compliant and provides NIST compliant AES encryption services so that encryption keys never leave the key server.

Businesses are not only concerned with risk management. Meeting compliance using standards-based solutions is also a critical piece to building defensible data security. Especially for government organizations that must comply with FISMA, many CIOs and CTOs won’t even consider an encryption or key management solution that hasn’t undergone NIST certification.

The importance of NIST compliance is far-reaching. Implementing a solution that meets an industry standard means that your solution will stand up to scrutiny in the event of a breach. NIST compliant encryption and key management have been tested against accepted standards for cryptographic modules and are routinely tested for weaknesses. Can meeting compliance regulations still be a low bar? Of course, but following standards and then implementing accepted best practices is the only way to meet compliance and achieve the highest levels of security.

With the Townsend Security Developer Program, you can develop applications that not only meet compliance requirements but exceed them to give your clients the highest levels of security. You can win enterprise clients that you haven’t been able to work with before, and gain access to a host of Townsend Security APIs that have been designed for easy integration into new development projects.

Language libraries we provide for Alliance Key Manager include: Java, C/C++, Windows .NET application source code, Perl, and Python. Also available are client side applications for SQL Server and Drupal CMS.

To learn more and to join our Developer Program, click here.


Topics: Developer Program, Data Breach, Business Risk, Executive Leadership

The Benefits of Encryption and Key Management Done Right!

Posted by Michelle Larson on Oct 31, 2013 3:41:00 PM

Make sure you don't turn a blind eye to data security!

The basic concept of converting sensitive data into a form that could not be easily understood if it was to be seen by the wrong audience goes back as far as 500 BC (Atbash Cipher); some would even argue that in 1900 BC a simple hieroglyphic substitution was the first form of cryptography.

While technology has made great advancements in recent years, it has also created an even greater need for privacy of sensitive information. Whether you are the Chief Security Officer, IT personnel, or database administrator, you should know how your company is handling sensitive data. In fact, security is the responsibility of every business owner and employee. Not using secure passwords can lead to a data breach just as not following key management best practices can provide access to people with malicious intent. When awareness around data security reaches every department and individual, then the company can not only meet compliance regulations, but can benefit from effective data security.

Compliance regulations require (or strongly recommend) that all industries follow best practices for encryption and key management. Do you know which of these apply to you and your company? For example, if you take credit cards for any reason, you fall under Payment Card Industry - Data Security Standards (PCI-DSS). Other common regulations are:

  • HIPAA/HITECH ACT requires security of Protected Health Information (PHI) in the medical sector.
  • GLBA/FFIEC sets regulations for banks, credit unions, credit reporting agencies, and anyone in the financial industry.
  • FISMA is for Federal US Government Agencies.
  • The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.
  • More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption… First of all, your customers, clients, and suppliers all expect you to protect their sensitive data. Effective encryption and key management can provide your company with a number of other benefits as well. Here are just a few basic benefits of effective encryption key management:

  • Peace of Mind - While hackers and identity thieves are getting smarter and regulations are getting more complex, data protection technology is also improving at a rapid rate. Encryption and key management options are now available in virtual machines and cloud environments as well as hardware security modules (HSMs). How well would you sleep at night if you kept your house key under your welcome mat?
  • Reputation - Whether information is lost due to a hacker or a hurricane, if a company loses all of its important data, the whole business could be ruined. However, if sensitive data is lost because mechanisms for protecting it are not in place, then an organization has even bigger problems. The most effective way to secure data and ensure the integrity of a company is to deploy encryption and properly manage the encryption keys.
  • Credibility - Beyond audit requirements, organizations need to consider the security of their customers’ Personally Identifiable Information (PII). Being able to protect your clients with strong key management practices can add a level of trust and confidence that will help grow your business.

Mobility is also a great benefit! As more people move their data to the cloud or virtualized environments the need for encryption increases, and the importance of key management becomes even more evident. In order to maintain control over your data, and the privacy of your customers, information must not only be encrypted but kept secure while in motion, in use, or at rest. By properly managing your encryption keys, you are still in control of your data no matter who is sharing your infrastructure.

In this complimentary eBook, "Turning a Blind Eye to Data Security", authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

  • Tools and resources to begin the discussion about data security in your company
  • 5 Common misconceptions about data security
  • 6 Questions to ask your CIO


Topics: Compliance, Data Security, eBook, PCI DSS, Encryption Key Management, Business Risk, Executive Leadership

Encryption Key Management Best Practices for Executives

Posted by Liz Townsend on Sep 20, 2013 11:42:00 AM

What do business executives need to know about encryption key management best practices? As it turns out, CEOs don’t need to know every tiny detail about encryption and the tools used to protect encryption keys, but they do need to know enough to protect their business and mitigate major risks.

Just like financial and legal best practices that business executives are tuned in to and monitor weekly, if not daily, business leaders need to have a heightened awareness of how their IT departments are handling both their own and their customers’ sensitive data. Sensitive data such as credit card information, social security numbers, protected health information (PHI), and other personally identifiable information (PII) such as names, addresses, email addresses, and passwords needs to be protected as mandated by industry regulations and many state laws. Unencrypted data or encrypted data with poorly protected encryption keys is a ticking time bomb that could lead to a major data breach.

I recently sat down with Patrick Townsend, Founder and CEO, to discuss the critical security risks executives face, how to start a conversation on data security with your IT team, and the encryption and key management best practices that will save your company from a data breach.

Patrick Townsend explains the importance of protecting encryption keys:

“Executives need to know that A.) they might not be encrypting the data that they need to, and B.) if they are encrypting that data, they might not be protecting their encryption keys, which are the core secret that have to be protected the right way. When you leave the house in the morning and you lock your door, you don’t tape the key right next to the lock. Your house key would be easy to find when you come home, but we all know that’s a bad practice. In a similar way, a lot of organizations are not implementing best practices around protecting encryption keys and are putting their business at risk.”

The major risks associated with unencrypted or poorly encrypted data are these:

  • A data breach is no longer a matter of “if,” but, “when”
  • The average cost of a data breach is $5.4 million, according to the Ponemon Institute
  • This cost typically is a culmination of fines, lost customers, brand damage, credit monitoring, and litigation

How does an organization properly encrypt their sensitive data?  They need to follow best practices such as deploying AES encryption and NIST FIPS 140-2 compliant key management, as well as important practices such as separation of duties, split knowledge, and dual control.

Encryption key management best practices will:

  • Provide you with strong encryption
  • Provide you with powerful, defensible encryption key management
  • Protect your business in the event of a data breach
  • Put you in compliance with industry and state regulations
  • Give you peace of mind

To learn more about the business risks of data security, download our free eBook "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs" and learn about the business risks associated with unprotected sensitive data, tools and resources to begin the discussion about data security in your company, and actionable steps you can take today.


Topics: Best Practices, Encryption Key Management, Business Risk, Executive Leadership

Top 3 POS Security Issues Executives Should Be An Expert On

Posted by Michelle Larson on Jun 7, 2013 2:26:00 PM

Are you providing your customers with the very best in point of sale (POS) data security?

On an almost daily basis, the news media reminds us of the risks associated with unprotected data as they report on each massive data breach that cost companies billions of dollars in lost value and remediation costs. Data breaches are not a matter of “if”, but more a matter of “when” as hackers get more and more creative. Many CEOs think that meeting the basic requirements of the Payment Card Industry (PCI) for data protection will keep their point-of-sale (POS) systems from being compromised. Truth is, hacking into retailer POS payment applications is a recurring problem worldwide, even for retailers who meet compliance standards.

1.     Know Your Data Breach Risks – Ask the Right Questions!

As CEO, security and risk management is your bottom line. You need to know if and how your product development team is following best practices to protect your company and your customers from a data breach.  Most payment application vendors offer encryption and key management, however not all of them are following best practices by using an encryption key management hardware security module (HSM). An HSM keeps the encryption key physically separate from the encrypted data, making sure that the data a hacker retrieves from a compromised system is functionally unusable.

With tighter security standards for data encryption, encryption key management, and constantly evolving regulations, you have an opportunity to go beyond basic compliance and gain consumers’ trust amid growing concern about the amount of electronic data companies collect, analyze, and share. 

So, what can you do as a CEO to ensure your products are fully protecting your customers’ data? One important thing to do is start asking more specific questions of your product managers. Asking the right question can quickly expose data protection risks that you didn’t know you have.

Here are some sample questions:

  • Where in our systems does sensitive data reside, even briefly, in unencrypted form? Could I get a list?
  • What type of encryption do we use in our payment application for data at rest?
  • How are we protecting encryption keys?
  • Are any of the encryption keys stored on the same server with the protected data?
  • Are we protecting our encryption keys with an HSM?
  • Are we using industry standard encryption and key management?
  • Are our encryption and key management solutions NIST certified?

There are really straight-forward answers to these questions. The lack of clear and unambiguous answers should raise an immediate red flag in your mind, and provide the beginning of a deeper discussion about data protection with your product development team.

2.     Know What Your Customers Fear – Think Like a Hacker!

Awareness is the first step toward point-of-sale security. Retail payment systems are frequently hacked by criminals who are employed seasonally or temporarily, and given access to a system with insufficient security measures in place.

Help gain your customers’ trust by training them on the importance of good password management and system log monitoring as a part of their overall POS security efforts.

  • A surprising number of retailers never change the factory passwords on their POS systems and this is a huge security risk. Not only should factory passwords be changed, subsequent passwords should be changed regularly. Often, cracking a payment application system relies on the merchant being lazy about password implementation and changes. Make sure your customers know best practices and you’ll be their hero!
  • Hackers’ techniques have gotten more sophisticated and they can hide evidence of attacks, going undetected for months or even years. Yet, a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their system log files. Do you train your customers in the importance of monitoring their system logs in real time?

3.     Proactive Security Planning - Use Best Practices To Start With!

Keeping on top of point-of-sale security is essential for every business.  Good encryption and key management is the cornerstone of good security. It can’t be an afterthought at the executive level; data security has to be a critical element in every risk management plan and conveyed well to your customers.

An effective data breach plan can mean the difference between a quick recovery and a serious blow to a company’s reputation. The steady pace of data breaches reinforces the need for encryption as a first line of defense. Firewalls and VPNs can provide some protection against data breaches and theft, but there is no substitute for strong encryption and effective encryption key management, especially in customer data and cloud environments. There’s no longer an excuse not to properly protect your POS payment application system and educate your POS system customers in security best practices.

In this complimentary eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication Between CEOs and CIOs", authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

  • Business risks associated with unprotected sensitive data
  • Tools and resources to begin the discussion about data security in your company
  • 5 Common misconceptions
  • Actionable steps YOU can take

Topics: Best Practices, Point of Sale (POS), Executive Leadership

Data Protection - Who Knows Where Your Keys Are Hidden?

Posted by Michelle Larson on May 31, 2013 3:49:00 PM

When protecting your data in SQL Server, you need to be as informed as the hackers!

Whether you are the CEO or the database administrator of your company, you need to be aware of what data you are storing and the different compliance regulations that require encryption and key management.

A data breach can often go undetected for quite some time, but when it happens (and these days it is “when” not “if”) it can cause some serious issues for your company and your customers!

While “the bad guys” get more creative every day, being aware of their tactics and following security best practices can slow them down and hopefully thwart their attempts from being successful.  Research and “post-data breach” studies have shown that 80% of data breaches happen with a fairly low-tech “old school” type of attack known as SQL injection.  In fact, Injection is #1 on the “2013 Top 10 List” of simple security problems from OWASP (the Open Web Application Security Project).

While not the only method, SQL injections are still one of the most common ways of attacking web services by sending malicious SQL code in parameter fields, with the intent that the server will execute the code. When designing web applications or internal applications you need to remain aware of SQL injection opportunities beyond just the systems securing credit card data. So many people think “we don’t have that problem.” However, if your application is on the internet… you do. Features such as login pages, support or product request forms, and shopping carts are all examples of web applications that can make your databases vulnerable. Hackers can gain entry through these other areas of your company website and navigate their way to more valuable data. Once inside your database, they can retrieve or delete sensitive information such as credit card numbers, clients’ personal information, or company records. Safeguards such as encryption and key management can help prevent those losses only if they are in place.

Good practices to prevent or mitigate attacks like SQL injection and the loss of unencrypted data:

  • Analyze your website and web applications for vulnerabilities.
  • Look for signs of it in your system logs, and make monitoring a priority.
  • Remember, internal apps are just as susceptible as public apps.

From a best practice point of view, as well as a regulatory compliance view, encrypting your data is a fundamental security step for any system. So even if the information is “retrieved”, it isn’t in a readable format and the hackers won’t be able to use it! While data encryption used to seem like a daunting task, that is no longer the case. SQL Server 2008/2012 Enterprise Edition and above includes TDE (Transparent Data Encryption) offerings that allow for encryption without application changes. You can now deploy key management that is easy to use and affordable with Alliance Key Manager, our FIPS 140-2 certified encryption key management HSM.

Just keep in mind that the single biggest data security issue is failure to protect the encryption key. Always keep your keys off the server and out of the system that holds your encrypted data.  Think of it like the lock on your front door…  you wouldn’t lock up your house and then tape the key next to the handle… would you?

We would like to offer you a complimentary copy of our eBook: “Encryption Key Management Simplified”, which is a fundamentals guide for both IT administrators and business executives alike.  


As always, your comments and questions are welcome!


Topics: Data Privacy, Encryption Key Management, SQL Server, Executive Leadership

(The Cost of) the CEO/CISO Disconnect

Posted by Todd Ostrander on Apr 5, 2013 8:50:00 AM

Download the white paper "AES Encryption Strategies - For the IT Executive"

Click Here to Download Now

Managing risk is at the forefront of responsibilities that "C" level executives deal with on a daily basis.  Fire fighting--managing business risk--is part of the job description, and planning to prevent the fires is what successful companies do.  In his book Good to Great, management expert Jim Collins uses the analogy of a bus to analyze leadership of Great companies.  When you have the right people in the right seats, Collins says, the company is elevated to a new level.

However, if there is a wall between the driver of the bus (the CEO) and the rest of the passengers, then there ensues a serious lack of communication.  If the passengers know more than the driver about things such as weather conditions and the location of the destination, and there is no way to communicate effectively with the driver, then the navigators can't warn the driver of severe risks that lie ahead.

One of the areas where I continuously see this disconnect is in the area of IT Security. Because technology is an always evolving component of businesses, protecting sensitive data will always be an issue, and hackers will always be trying to find a way “in”.  Chief Information Security Officers (CISOs) are hired to manage this risk.  But when the CEO is ignorant of the risks due to a lack of understanding or an unwillingness to take the time to learn the risks, then the lines of communication between the CEO and CISO are obscured, and important decisions about data security do not get made.

A study published recently by CIO magazine and PriceWaterhouseCoopers stated that “only 1/3 of security policies were tightly aligned with business goals.”

Although a combination of factors leads to this disconnect, two primary factors prevail: 1) The CEO, CFO, or COO isn't well informed of the risk of a data breach and what it will cost their organization in real dollars, company value, and publicly perceived value. And 2) The security professional (CISO) understands the vulnerabilities but can’t articulate them in terms of the business cost. The result is that neither the CEO nor the CISO is able to effectively quantify the risk. Risk unquantified is a risk ignored.

Fortunately, the press has provided us with significant examples over the past several months to help us educate both the CEO and the CISO of the risks associated with unprotected data.  In 2012 alone, there were multiple data breaches that cost individual companies BILLIONS of dollars in lost value and recovery cost.

These are the costs resulting from a publicly disclosed data breach:

  1. Cost to fix the issues that led to the breach
  2. Cost to protect the individuals' data / company data that was compromised from future breaches
  3. Cost of future audits that will be required to maintain compliance in the future
  4. Cost of the fines that can be levied depending on the type of breach
  5. Cost of customers no longer willing to trust the organization
  6. Cost of the negative press / PR associated with the breach
  7. Cost of combatting the negative PR with a new PR / Social Media campaign to assure customers / vendors that everything is okay

At the end of the day, we want to see CEOs succeed by increasing the value of the company in the eyes of the shareholders while reducing the risk of value erosion. We also want to see CISOs who are confident in educating their CEOs about these risks. As long as this issue continues to go unrecognized, the CEO has one more fear to keep him up at night.

Can you afford it?

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.


Topics: Data Privacy, Executive Leadership

Information Security is Up to You

Posted by Liz Townsend on Mar 27, 2013 3:20:00 PM

Townsend Security recently asked data security expert Kevin Beaver, CISSP, to contribute his extensive knowledge and expertise about the current climate of data security to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

Read his entire article, "Information Security is Up to You," in your free copy of the eBook now.


In his article, Kevin inspires CEOs to ask some critical questions about data security such as:

  • Who is in charge of data security at your organization?
  • Is there transparency and communication across your organization when it comes to data security?
  • Who will be held responsible in the event of a data breach?
  • Why do we keep talking about the need for better data security but nothing seems to be getting done?

With these questions in mind Kevin Beaver leads us into a discussion on how both IT administrators and business executives avoid critical conversations about data security and why this poses a huge business risk to organizations.

“When it comes to information security, many people within a business – from executives to end users – often assume that security is a technical issue that falls under the umbrella of duties performed by the IT department. These IT administrators manage network firewalls, clean up virus outbreaks, and manage the IT infrastructure. These tasks are often so far removed from the actual goings-on of the business, that few people in the company—including the CEO—truly understand the ever-evolving complexities of IT infrastructure and security.

With little understanding of these systems, networks with sensitive data are left unsecured and at risk to hackers, network failures, and employee mistakes. Today, an average data breach costs a company $5.5 million. At this price, information security is not an IT problem. It’s so much more.

The Ponemon Institute surveyed 1,894 people in 12 countries in its 2012 State of Global IT Security study and found the main reasons why the appropriate steps are not being taken to improve information security are 1) insufficient resources, 2) it’s not a priority issue and 3) lack of clear leadership.

However, in most situations, good information security is achieved with easily accessible and simple solutions.  In fact, in a 2012 study on data breaches, Verizon found that 96% of security attacks were not highly difficult, and were easily preventable. If security attacks are preventable, why are so many breaches occurring every year...”

Download the eBook to read more!

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with over 24 years of experience in IT - the last 18 of which he’s dedicated to information security. Before starting Principle Logic in 2001, he served in various information technology and security roles for several healthcare, e-commerce, financial firms, educational institutions, and consulting organizations. Kevin Beaver has written 32 whitepapers, over 600 articles, and authored/co-authored 10 books on information security. Visit Kevin’s blog to learn more about information security, and his website to learn more about his business, Principle Logic.

Topics: Data Privacy, Executive Leadership

Data Security – Why Should the CEO Care?

Posted by Todd Ostrander on Jan 31, 2013 1:22:00 PM


In any organization, the CEO has many jobs. At the macro level, a CEO’s job is to instill confidence in his stakeholders, which include customers, investors, employees, suppliers and partners. To accomplish this, a CEO must be able to establish a level of trust with these stakeholders in order to Inspire, Encourage, and Engage them in the vision the entity is pursuing. This trust ultimately is used to create value for the entity through the confidence that the market has in the ability of the CEO and his team to execute.

Every business has inherent risks in its execution and as part of the CEO’s ability to instill confidence that ultimately results in value, he/she must be able to identify and address each of the risks in the business.  Therefore, risk mitigation, by nature, becomes a core component of a CEO’s job.

In a pre-internet world, the risk of data loss was limited to a physical breach of the “four walls” of the entity. Security guards, fences, and access control systems were established to keep people away from sensitive information. However, as today’s world has become connected at virtually every level, the protection of data needs to be equally focused on the data itself rather than simply blocking someone from getting at the data.

Most CEOs are well aware that encryption methodologies were created for their CIOs to be able to protect data in their networks. However, this is such a new phenomenon that few CEOs understand the inherent risks to ALL their data and the changes in the regulatory industry that they must comply with in order to maintain the confidence and the resulting value in their entity.

As you’ve already read, the cost of a data breach isn’t just the cost to the owner of the data whose data has been compromised, it’s to the entity entrusted with the protection of the data as well and it comes in the form of fines and the time necessary to recover from the breach.  This is measured in $millions per incident in many cases.

A CEO loses confidence when he/she doesn’t adequately ensure that policies are in place to protect ALL data from breach.  Here are some examples of data that needs protection:

  • Employee records – anything that includes name, address, phone number, e-mail address, SSN number, insurance information etc.
  • Customer records – anything that includes name, address, phone number, e-mail address, EIN number, financial information etc.
  • Supplier records – same as above
  • Health information records
  • Credit Card information
  • Password information, even if stored separately
  • Confidential information about company strategy / plans
  • Confidential information about customer strategy / plans
  • Confidential information about vendor strategy / plans

Many CEOs would answer – my data is encrypted, what’s the problem? The problem is that you’ve probably pasted the key to the encryption on the front door and don’t even know it. “Hey hacker, come on in, here’s the key, take what you want”.

Now let’s look at the cost. If you were to have a data breach, the cost may be different depending on what’s been lost. However, that’s a dangerous game to play. The data that isn’t “regulated” may have the greatest impact on your value.

If someone steals confidential customer information, what is the effect on your brand? Can you recover from the market impact of being labeled as not having the safeguards in place to protect your customer data? DropBox is dealing with this question as you read this. They blamed their customers. Who are you going to blame?

The only viable solution to this risk is to ensure that you have an adequate “encryption key management” solution in place that meets ALL requirements of safe data protection methods.  You must not only protect the data, you must also protect the keys to the data.

The inability to address this issue may just cost you your company.

Download our white paper "AES Encryption Strategies - A White Paper for the IT Executive" to learn more about key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures early successes.


Topics: Data Privacy, Executive Leadership