Compelling Evidence Shows That We Are Now in an Information Security and Privacy Crisis.
The current state of information security and privacy is clearly one of serious crisis. In 2015, President Obama declared a national emergency intended to deal with “the increased prevalence and severity of malicious cyber-enabled activities.” Clearly, what top management has been doing to address this area is not working. What we urgently need is a re-envisioning and re-conceptualization of the whole field of information security and privacy. How do you know that your organization’s approach is working?
“I hereby report that I have issued an Executive Order declaring a national emergency with respect to the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States posed by the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States.”
— BARACK OBAMA, President of the United States of America, Executive Order 13694
Top management urgently needs to reinvigorate the process of risk management to tailor information security and privacy to their specific organization’s needs, and stop placing so much reliance on compliance (which inherently relies upon a one-size-fits-all model). Top management needs to expressly acknowledge and consider the influential disincentives that cause people to act in ways that are unsupportive of, even detrimental to, information security and privacy. How do you know that your organization’s staff is in fact working in support of information security and privacy?
Many traditional management tools adopted to deal with information systems related problems -- like a help-desk trouble ticket system -- are woefully inadequate to meet today’s security and privacy threats. These traditional tools are deficient not just because they are only responsive and reactive, but also because they are applied manually. Modern attacks can and increasingly do employ artificial intelligence, neural networks, botnets, malware, machine learning, big data analytics, and other automated attack approaches. To be adequately protected, organizations must now have evaluated, planned, tested, rehearsed, and scripted a variety of automated contingency plans. How do you know that your controls are adequate to protect your organization against these new and sophisticated attacks?
Increasing regulatory actions by the Federal Trade Commission, and increasing civil suits, refer to the notion that there is an industry-specific standard of due care for information security and privacy -- a duty to which all firms must subscribe. It is therefore now possible to define such a standard, which means that legal and regulatory actions can be based on failure to meet that standard of due care. For example, the controls found in the Health Insurance Portability and Accountability Act (HIPAA) were recently used to define such a standard of care in a civil action alleging negligence (Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (Connecticut Supreme Court 18904 slip opinion, 2014)). What exactly goes into your organization’s standard of due care, and how do you know that your organization is -- at the very least -- meeting the minimum requirements of that standard?
STANDARD OF DUE CARE
A 2015 study done by Veracode and NYSE revealed that cyber-related corporate liability is now top of mind for both boards of directors and top managers. Nine out of ten of those surveyed believed that the Federal Trade Commission (FTC) should hold businesses liable for cyber breaches if due care has not been followed. More than 50% of those surveyed expect investors to demand more transparency as a result of increased public focus on cyber-security liability. Is your organization ready to convincingly demonstrate -- to regulators, investors, customers, and the general public -- that it operates in compliance with the relevant standard of due care?