On 28th May 2018, the European Union (EU) General Data Protection Regulation (GDPR) will come into force with harsh fines and onerous implications. The primary goal of GDPR is to harmonize the protection of personal data across all EU member states. It will have an impact in the EU and around the world, affecting any organization that handles the personal data of EU residents. Don’t let that seemingly distant date delay you from starting to prepare.
Archive for ‘Information Spillage’
Recently, a colleague of mine attended the 2016 CISO Leadership Forum in San Francisco where he had the opportunity to listen to Steve Zalewski, Chief Security Architect for Levi Strauss & Co., discuss the state of his cybersecurity resources. “I don’t need more hammers,” Mr. Zalewski stated, “I need more people to swing them.” The current shortage of cybersecurity experts is creating a “perfect storm” that could spell data disaster for a lot of organizations, both public and private. While cyber threats are growing more sophisticated and dangerous, a recent Cisco report highlights that there are 1 million open cybersecurity positions globally. This is a significant talent gap that is not going to be remedied quickly and is already causing significant difficulties.
So where can a data security team find more people to swing the data security hammers?
As a Brit who thinks our country is great, but also a European who spends a large part of his time travelling around the continent, I was shocked to find that the UK electorate voted to leave the European Union! If I’m honest with myself, I didn’t see it coming. My general impression of the British public is that, on the whole, we are conservative with a small “c” and typically vote to maintain the status quo – the grass is very rarely greener…
What would happen within your organization if it was faced with the unenviable process of e-discovery? Calm, quick assembly of relevant information, or pure chaos? My guess is that it would lean heavily towards the latter; in fact, many companies are opting to settle out of court rather than deal with the resourcing and financial hardships which come from the process of e-discovery.
Why? Because companies are sitting on huge piles of data; sure, much of it is relevant business information, but I’d wager that a large percentage is ROT (redundant, outdated, and trivial). This type of data comes from the many versions of files created but never deleted, documents that are no longer useful because the employees who created them have long since left the company, and the myriad of files which were once useful but have long since passed their shelf life (marketing campaigns from 6 years ago, anyone?).
I think that I communicate with my colleagues almost as much via email as through verbal communications – even those I share an office with. In fact, probably about a third of the verbal communications are social interaction rather than direct business discussion. In email, however, most of the communication with my colleagues contains business information, sometimes including large attachments containing sensitive strategic plans. And unlike a verbal conversation which is lost to the ether, email endures. So, while talking about business plans outside the office where someone might overhear has some risk to the company, sending an email to the wrong recipient can be significantly more damaging. Yet, organizations are still not protecting themselves from these accidental breaches.
As a case in point I offer you this example from the National Football League (NFL). It is reported that on July 1st, the New Orleans Saints intended to send an email to the NFL head office regarding their plans to pick up a player who was just put on waivers (released) by the Cleveland Browns. The email, however, was accidentally addressed to the entire league. In other words, they broadcast their plan to all of their competition.
We’ve all been there; heart racing, palms sweating, and gasps of remorse while frantically pressing the email recall button and praying you haven’t done what you think you have just done. You guessed it, I’m talking about the “oops” email – the email that you should not have just sent. The email that could cost you your job, your reputation and a sizable amount of regret!
Suggesting that IT is responsible for protecting today’s data is like suggesting a car dealership is responsible for the safety of drivers. Ultimately, you can buy a car from a dealership, but it’s your responsibility to be safe and avoid accidents. IT alone can’t cover the “oops” email or any other user blunders. As we move forward in a world where users are responsible for creating and handling an organization’s most important asset – data – it’s imperative to make users aware of their responsibility. After all, users are often much more aware of the sensitivity of a file than a machine can be.
I hear you asking: “Why is it my responsibility when we have all these great security systems?”
Each year, International Privacy Day reminds us how important it is to question where sensitive data resides, who has access to it, and how to best value and protect private information. As large enterprises hire the next generation of social media savvy employees, it is also a good time to question whether these millennials understand the value of data. Do they know what information should stay private vs. what can be shared?
Working with a generation that readily connects, collaborates and shares information online, companies are faced with educating employees on balancing the need to share with the need to protect. In an era of digital business, company brand and customer loyalty and retention depend on it.
This will be the rarest of posts. I am going to begin my post about why Data Classification is important to a content and context aware security program by telling you all of the reasons why I was originally skeptical of its value. I do so in hopes that people who share the same concerns I did will have an opportunity to experience the magic of the Titus approach vicariously through me. I am also going to do something that few people who are in my position are willing to do, while simultaneously doing something no author should ever do. I am going to admit I was wrong and I am going to quote myself.
“I was wrong” – Me
With so many metrics focused on the “cost of a data breach” as well as how much money is spent on data security, is it crazy to think that boards of directors will begin asking for financial statements around data value in the next couple of years?
The concept of placing value on your data is not new – analysts have been talking about infonomics and information valuation for a while now. In fact, it just appeared on a recent Gartner hype cycle which suggested infonomics will take 5 to 10 years to plateau. However, with the pressure on organizations to build a strong culture around data security, I would argue we are going to see the need for data value statements within the next 2-3 years.