Compelling Evidence Shows That We Are Now in an Information Security and Privacy Crisis...
The current state of information security and privacy is one of rapid change and serious management crisis. Although President Trump has largely ignored the issue, President Obama in 2015 declared a national emergency to deal with “the increasing prevalence and severity of malicious cyber-enabled activities.” Clearly what top management has been doing to address this area is not working.
A 2017 study by the Ponemon Institute, which interviewed 184 Chief Information Security Officers (CISOs) around the world, found that some 60% now believe that cybersecurity is a business priority. Finding the right talent was a significant hurdle cited by some 56% of those CISOs, while some 50% described their staffing efforts as inadequate. Closing this staffing gap is where an experienced consultant can make a big difference, especially when there is a need for an independent evaluation of the adequacy of internal efforts.
What many firms urgently need is a re-envisioning and re-conceptualization of the whole area of information security and privacy. They need to elevate this area so that it gets much more attention from the Board of Directors, from top management, and from other business decision makers. A good place to start is to ask yourself: how exactly does your organization know that its approach is working?
“I hereby report that I have issued an Executive Order declaring a national emergency with respect to the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States posed by the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States”-Executive Order 13694
— BARACK OBAMA, President of the United States of America
Top management urgently needs to reinvigorate the process of risk management to tailor information security and privacy to their specific organization’s needs, and stop placing so much reliance on compliance (which inherently relies upon a one-size-fits-all model). Top management also needs to expressly acknowledge and consider the influential disincentives that cause people to act in ways that are unsupportive of, even detrimental to, information security and privacy. How do you know that your organization’s staff is in fact working in support of information security and privacy?
Many traditional management tools adopted to deal with information systems problems -- like a help-desk trouble ticket system -- are woefully inadequate against today’s security and privacy threats. These traditional tools are deficient not just because they are purely reactive, but also because they are operated manually. Modern attacks can and increasingly do employ automation: botnets, self-propagating malware, machine learning and other artificial intelligence techniques, big data analytics, and similar approaches that operate faster than any manual process can respond. To be adequately protected, organizations must now have evaluated, planned, tested, rehearsed, and scripted a variety of automated contingency plans. How do you know that your controls are adequate to protect your organization against these new and sophisticated attacks?
The involvement of legislators, regulators, judges, and lawyers in this area is rapidly expanding. For example, the Federal Trade Commission (FTC) has been stepping in to defend the rights of consumers. In just one of many such actions, in 2016 the FTC reached a $950,000 settlement with a mobile advertising company that was tracking the physical location of consumers without their knowledge or consent. Also in 2016, the FTC reached a $1.6 million settlement with a widely-known Canadian on-line dating service that had been hacked; that action was brought in response to the public release of personal details about the sex lives of 36 million individuals.
Civil suits are also increasing. For example, the controls found in the Health Insurance Portability and Accountability Act (HIPAA) were recently used as a reference point to bring a civil action alleging negligence (Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (Connecticut Supreme Court 18904 slip opinion, 2014)).
Is your organization prepared to defend itself against legal challenges such as these?
A 2015 study by Veracode and the NYSE revealed that cyber-related corporate liability is now top of mind for both boards of directors and top managers. Nine out of ten of those surveyed believed that the Federal Trade Commission (FTC) should hold businesses liable for cyber breaches if due care has not been followed. More than 50% of those surveyed expect investors to demand more transparency as a result of increased public focus on cyber-security liability. How will your organization demonstrate -- to regulators, investors, customers, and the general public -- that it operates in compliance with all relevant laws and regulations?