Headwall Security

Responsibility of InfoSec and Privacy

6/28/2018

Historically, information security and privacy have been treated as two separate roles in an organization. Jeimy Cano of the IAPP refers to information security and privacy as belonging to two separate domains (https://iapp.org/news/a/privacy-and-information-security-the-territorial-challenges1/). Perhaps this is a relevant argument; however, their interdependency and their mutual obligation to protect the customer's and the corporation's sensitive data are inextricably intertwined.

The Privacy Rights Clearinghouse reports over 212 million records having been breached for the year by April of 2018. This is a clear indicator that both privacy and information security are failing at protection through traditional practices. With over 109 reported breaches impacting every possible industry sector, the adage "when, not if, your firm will be breached" becomes increasingly poignant. So the question remains: how can privacy and information security work together to stop the damage of these breached records? Perhaps the answer is no longer about stopping the breach but rather about working with our customers to address their concerns.

Fatemeh Khatibloo's Forbes.com article "Marketers, Here's How Your Customers Feel About Privacy" (https://www.forbes.com/sites/forrester/2016/12/16/marketers-heres-how-your-customers-feel-about-privacy/#4625b79318e4) discusses how consumers of every generation were concerned about their privacy and personal identity, but beyond that they were concerned about how the businesses they worked with treated them and their data. This raises the question of whether we are addressing customers' true concerns around their data. Contrast two laws aimed at data privacy: GDPR and HIPAA. These laws, while written for different populations, were both aimed at addressing consumer concern over data privacy. GDPR places extensive regulations on an organization with the intent of putting control over the data into the hands of the consumer. HIPAA places extensive regulations on an organization with the intent of providing safeguards around how firms handle the data. In either case, are the needs of the consumer addressed if the data is breached? In either case, are the regulations and safeguards reasonable and achievable in a manner that delivers truly improved security for the consumer across the average business without undue hardship for the business?

As we look at these two regulatory statutes, both have extensive information security requirements. Both have extensive privacy requirements. Neither one has a statement around the obligation to the consumer expectation or around "doing what is right".

In 2018, an on-line health and fitness company had a breach of their customers' usernames, email addresses and hashed versions of the respective passwords. The scope of this breach, with respect to the type of data exposed, is limited in that the passwords were hashed and no directly sensitive data, such as payment card data or health information, was exposed. Consumers are likely to look at the actions taken by this firm and judge them not on the exposure but rather on their response, which was extensive and appropriate. This company exemplified the responsibilities of information security and privacy in their response to this event. They leveraged their security team to identify and contain the event and to help their customers regain a sense of control and privacy as they were notified of the event and of the actions that they could take.

This response supports the expectations illustrated by a poll conducted by RSA in 2017 (https://www.rsa.com/en-us/blog/2017-05/2017-consumer-cybersecurity-confidence-index). RSA surveyed 2,100 consumers on their interest in controlling how their personal data was secured. Over 90% of the respondents agreed on two points: they wanted visible reassurance of the security of their data, and they wanted to be involved in the security of their data. RSA's infographic illustrating the results of the survey is available at https://www.rsa.com/content/dam/pdfs/5-2017/RSA-consumercybersecurity-infographic.pdf.

In 2016 the security firm Gemalto produced a report on security and consumer loyalty (http://www6.gemalto.com/l/51442/2017-01-10/84bqhl/51442/141507/global_research_customer_loyalty_report_2017.pdf). This report showed that the majority of consumers believe it is the responsibility of a company to protect the consumer's data. Yet most of the respondents to the Gemalto survey felt that few firms were doing an adequate job with the security of consumer data.

Despite these clear findings, many privacy and information security professionals fail to see the importance of securing to the customer's expectation and "doing what is right". Scot Finnie, in his article "Corporate Executives, Customers at Odds on Cybersecurity" (https://securityboulevard.com/2017/11/corporate-consumer-views-diverge-securing-customer-data/), discusses results from a Ponemon Institute report where only about half of the IT/security professionals polled felt it was their companies' obligation to secure personal information. Additionally, he reports that approximately 45% of IT/security professionals believe that corporate executives do not understand the importance of protecting the company brand or reputation.

This stark contrast between the consumers' confidence and expectations around their data's security and the service that is being provided by the companies entrusted with that data is a clear indicator that the information security and privacy industry must re-evaluate how it approaches its responsibility to data protection. It is clear we are not meeting the needs of the consumer. What service are we providing our corporate leadership if we are not helping them to understand the demands of their customer base? Our job, as security and privacy professionals, is not to secure the data. It is not to implement regulations, compliance standards or cool security technology. Our job is to help the leadership of our respective firms better understand the risks facing our corporate brand and the potential impact of those risks. Among those risks is the loss of consumer trust and confidence. As privacy and security practitioners we are obligated to help our leadership understand the impact of losing consumer confidence and trust in how our respective firms manage customer data.

InfoSec and a new model

2/19/2013

I have been working on a new model for InfoSec. As I spell it out more, I will surely post something out here. It boils down to Education, Architecture, Technology and Governance (EATGood) as the cornerstones of InfoSec. Watch for a more fully fledged model as a paper on the main page.

Security in EDU

5/1/2012

I don't do many posts out here, and perhaps I should do more, but I thought it time to comment on my transition from corporate to EDU. Many state that EDU is so different from the corporate world, and I will tell you, having been here for a year now, that it is not. From a security perspective the concerns are all the same: PCI, HIPAA, data loss, and data integrity are still the concerns. What is different between Higher Ed and corporate is the emphasis that is put on security. Much like healthcare, EDU is new to security. It is just figuring out that security is a serious thing that needs resources, time and commitment. Beyond that, there are still internal and external threats, architectural issues, policy issues and all of the other concerns. One benefit EDU has that corporate does not is well-established collaboration strategies. The world of Higher Ed has been practicing collaboration for years and has extended this into the world of security. Business is just now starting to figure this practice out.

economics

8/2/2011

I have been talking with others and doing a lot of thinking about infosec and economics as of late. When you read reports such as the Verizon Breach report or talk to security professionals, they will tell you that the motivators behind attacks today are largely economic. They will tell you we are no longer seeing the script kiddie out trying to make a name for himself, but that the world of hackers is dominated by cyber gangs and nation states motivated by economics and politics. My question today is focused on this very point. If they can see the economic value in security, why can't industry?

I understand that it may be an inverse correlation. The attackers are working with a business model where they may be selling a product such as compromised systems or stolen assets. For industry, that inverse value should compute to a significant tangible value. How do you show the CFOs of the world that there is a definable value to recovered CPU cycles or to data that does not walk out the front door? These may be abstract values, but placing a value on these abstract tangibles is an important challenge for the security professional. The attackers have been able to accomplish this task. They have been able to take the CPU cycles that they are stealing and find a way to sell them. We need to find a way to put a price on the CPU cycles that we are recovering and sell them back to the CFOs of our companies.

When we can stop working to compliance, stop relying on regulations to set the values of these items, and find a way to correlate dollar values to the data and assets that we protect, then we will be more effective at motivating our senior administrators to back security.

Why are we worried

7/27/2011

So our economy is going to hell in a handbasket. I think we are missing the big picture. You tell me: what is the bigger threat, the debt ceiling or a cyber attack on our financial systems when we hit the debt ceiling? I know, I am talking about an act of war, but think about it. If we were unable to pay our debt, our financial systems were in turmoil and our credit rating was shot to hell, would that not be the perfect time for a cyber attack on our financial systems and/or our national resources and military? We know the capabilities are out there. We saw it with Stuxnet. We saw it with Sony, and we know LulzSec and Anonymous have the brain power to launch such an attack. What about China or Russia?

I will be honest. I don't give a damn about the balanced budget at this point. I think both the Democrats and Republicans are missing the big picture. We are playing a dangerous game right now, and it is not about the inability to pay our debt; it is about the inability to defend our country. Yes, we need to get the budget balanced. Yes, we need to stop spending. Yes, we need to bring our boys home from overseas. Right now they need to raise the debt ceiling and stop playing stupid politics. I am ready to fire all of them. I did not vote for any of the

Is Hacking political or economic - Do we have it all wrong?

7/21/2011

It looks like we have a new wave of LulzSec and Anonymous activity hitting the scene. This raises the question again of what should concern the CISO. With these super hacker organizations launching massive attacks against big-name organizations, do we need to focus our efforts on this type of threat, or should we continue our efforts on the economic threat that has been driving us for so long?

I would argue that as CISOs we are looking at it all wrong. Our focus should not be on defense any more. These super hackers cannot be stopped. We need to focus on how to motivate business through security. If NATO or the CIA cannot stop these attacks, why should college X or mid-sized company Y sink massive amounts of resources into trying? The answer needs to be that it is good for business. If you can show that through segmentation you can:

1. Increase performance.
2. Decrease data loss.
3. Reduce errors.
4. Improve efficiency.
5. Mitigate risk.

You know that there will be backing for your security efforts and that you will hav

future of cyber warfare

6/24/2011

Have we reached a new age? With the onset of hacktivism bringing down government agencies and major corporations, are we looking at a new world order where governments are no longer the controlling force in the world? Who will monitor these new influences in world politics that reign across cyberspace? It is my contention that it will not be governments but rather the cyber community. As we see in the press today, hacker communities such as LulzSec are beginning to lose the support of the greater cyber community. As they step on the toes of gamers and other hackers, ethical or otherwise, cyberspace is growing tired of LulzSec's antics. Has this group pushed the envelope too far? Have they reached the threshold where the cyber community will start to police itself?

We have seen time and time again that, while some of the best theorists and researchers in the industry may be in the military or in business and education, the best practitioners seem to be the freelancers and hackers. These individuals repeatedly show us that they are one step ahead of common practice or even best practice. It is here that we now turn to watch as these individuals join together with the researchers and the community as a whole to police itself. This organic process seems to be forming a new virtual order where the cyber community finds its balance alongside the physical world which drives it.

Post Title.

5/3/2011

I have spent a lot of time, as of late, working on policy. This has helped me to realize two things. First and foremost, that poor policy, or lack of policy, really will undermine all of the other work that can be put into an information assurance program. Second, that behind every policy there needs to be adequate education.

This second point I cannot emphasize enough. I am finding that it is not simply a matter of educating people about the new policies that are being passed, but that there is a level of education that needs to happen before the policies are passed so that the policies are written properly and for the correct audience. I come from healthcare and industry. Now, working in academia, I find that the change controls that were appropriate for industry are different from the change controls we would use here at the school. That said, I am also finding that I need to educate the people I work with about the value of ITIL so that we may find a happy medium.

On a separate note, I wanted to mention the business that has been going on in Washington and around the world. First, the most obvious world news. With the death of bin Laden, I think that we in the security space need to keep an eye on the horizon for the potential of a cyber backlash. As they say, for every action there is an equal and opposite reaction. In the past this could have been assumed to be a physical attack, but since 9/11 we have clearly seen an increase in cyber warfare, and it would not be unheard of for the response to this action to be a cyber attack. While I applaud our military for this success, I wonder what the response might be.

In other news, I look to Capitol Hill and welcome the bill proposed by Kerry and McCain, the Commercial Privacy Bill of Rights. I think this type of legislation, while it certainly will make the work we do as security professionals much harder, is the right step for the consumer and for the industry. The more standardization we can get in this type of legislation, the better off we will all be. It would be nice if Congress would work to unify some of these laws and to repeal some of the outdated laws so that we could consolidate some of our compliance efforts. I know this will never happen, but the ideal is a nice one.

Post Title.

4/5/2011

So what will come of the Epsilon breach? One of the largest clearing houses for email was compromised on March 30th and lost control of massive numbers of email records. Sure, they did not lose any PCI or PII information, but how critical are our inboxes today? Are we going to see a flood of spam and phishing attacks? As security professionals we need to be vigilant in training our user base on how to spot a phishing attack so that they do not fall victim. Mail administrators also need to monitor their filters to ensure they are tuned for the inevitable influx of spam that we are sure to see.

Post Title.

3/29/2011

Two thoughts for today. I found a resource that is a free Google App that looks great. For those that do much web conferencing, or need to do some but can't justify the cost of the big commercial products, check out Vyew in the Google App Store. Very cool.

Second thought: Where do we sacrifice security for social involvement? Some organizations, whether schools, non-profits, or other agencies, often feel a certain pressure to provide resources to the community around them. Where do you draw the line between offering those resources to the community and sacrificing your network security? Is there a way to offer the desired services and still maintain the integrity of the organization? This question is one that encourages InfoSec to push their businesses to look at their community involvement from new angles and to see new ways to offer services that once came from a different space. Not only can this be an opportunity to tighten security for the organization, but it may also be an opportunity to enhance the serv

Ian Burke

I have been doing information assurance and security work for many years with a focus on network security monitoring and incident handling. I have been working in IT for more than fifteen years with a focus on architecture and systems.

My lovely wife and I spend time with our five kids at our home in the North East.
