By Danny Lieberman, Software Associates
It's almost a cliché to say that the security and compliance industry has done a poor job of preventing data breaches, with over 245 million personal records exposed in the past 5 years. It is apparent that government regulation is ineffective in preventing identity theft and major data loss events.
It's a given that direct data security countermeasures go a long way; data loss prevention and network surveillance work well inside a feedback loop that improves the security of systems, increases employee awareness and supports management accountability.
However, I believe that even if every business deployed the Fidelis XPS Extrusion Prevention system or Verdasys Digital Guardian or Websense Data Security suite, we would still have major data loss events.
This is because a major data loss event has three characteristics:
- Appears as a complete surprise to the organization;
- Has a major impact, to the point of maiming or destroying the company;
- The event, after it has appeared, is "explained" by human hindsight.
The cause of the surprise is, in most cases, a lack of knowledge: not knowing the current range of data security threat scenarios in the wild, or not even knowing the top ten for your type of business. The root cause of this lack of knowledge is the fragmentation of knowledge itself.
Every business, from SME to Global 2000, deals with security issues and amasses their own best practices and knowledge base of how to protect their information. But the knowledge is fragmented, since business organizations don't share their loss data, and the dozens or maybe hundreds of vendor Web sites that do disclose and categorize attacks don't provide the business context of a loss event.
Fragmentation leads to waste and duplication, as well as frustrating, expensive and sometimes dangerous experiences for companies facing a data loss event.
So what's the solution? With our clients, we see growing evidence that the more organized a company is with their security operation -- having a single security organization responsible for digital assets, physical security, permissions management and compliance -- the better security they deliver. What's more, they may be able to reduce value at risk at lower costs due to higher levels of competence, knowledge and economy of scale.
The concept of sharing best practices and pooling support so that companies of all sizes can access knowledge and support resources is not new; it is a common theme in industrial safety and in the free and open source software world, to name two. I imagine there are a few more examples I am not familiar with.
But what's in it for security professionals? In addition to the satisfaction and prestige in helping colleagues, how about learning from the biggest and best practitioners in the world; having access to resources to improve your own systems and procedures; and having the ability to analyze the history of a data loss event from disclosure to analysis to remediation?
How about having peers with a common goal of providing the best security for customers?
It's time for policymakers and large commercial organizations to support organized security knowledge sharing systems, starting with compensation to employees and independent consultants that rewards high-quality, coordinated, customer-centric security across the full continuum of security, not just point technology solutions or professional regulatory services.
And it's time for firms to recognize that sharing some data may be worth the benefits to them and their customers.
Copyright © 2008 To Present · Information-Security-Resources.com
Danny Lieberman's data security business, Software Associates, provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors.