Data security isn't just the responsibility of the IT department. Instead, it should be a "top-down, across the... silos," enterprise issue, according to Gerard Leone, a partner at the law firm Nixon Peabody LLP.
Leone was the moderator of a panel of financial, security and legal experts at the recent MIT Sloan CFO Summit on "the dangers and the demands of digital data." While tools such as rapid intrusion detection are important, the best offense starts with a solid strategy.
In part one of this two-part story on enterprise security, Massachusetts U.S. Attorney Carmen Ortiz and other panelists explain why making friends with local and federal government authorities before a breach happens should be an integral part of a breach response plan.
Enterprises should create a strategy that covers the "full life cycle" of security, according to panelist Cynthia Izzo, managing director of information protection and business resiliency at KPMG. The life cycle includes four elements: prevention, detection, monitoring and reporting. Combined, they provide the backbone for deterring breaches as well as knowing how to respond when a breach does happen, Izzo said.
Case in point: One of Izzo's clients believed it was cybersecurity-ready; it was cognizant of system vulnerabilities and tested those vulnerabilities regularly. But when the company was breached, its breach response plan turned out to be flimsy. Just figuring out how deep the breach went and whom to report the incident to took "a good five hours," Izzo said.
The lack of clarity is part and parcel of the complex regulatory compliance world, which CIOs know all too well. In the U.S. alone, whom to report a security breach to can differ from one state to the next. "Because Congress has not passed a piece of legislation, which could cover us nationally in this space, you are consistently having to determine if you have an incident or breach, what agency you have to deal with," Leone said. "You don't know who is going to come calling and every state AG's office has its own enforcement approach."
Mitigate breach damage
Delays in reporting incidents can be costly to an organization, in more ways than one. Not only can they damage a company's reputation, but "you have to report in a certain amount of time or risk getting fined," Izzo said.
That's why panelists recommended developing relationships not only with the media, but also with legal and government officials in advance of a breach. This is advice that can ultimately prove to be advantageous in ways businesses may not expect. "We can do certain things to protect your company, your information, your assets in ways you can't," Ortiz said.
She said that when disgruntled employee Biswamohan Pani left Intel in 2008 for a competitor, he took sensitive documents with him, "including blueprints to a chip worth $200 million dollars." Intel contacted the government, which obtained a search warrant for Pani's home. "We were able to get to this individual before he had a chance to transfer the thumb drive," Ortiz said. "And we were able to retrieve it for the company." Pani is now serving a three-year sentence.
For LevelUp, a mobile payments platform in Boston, the list of proactive relationships with government and regulatory organizations is "far longer than I could share," according to Lang Leonard, LevelUp CFO. It includes the Consumer Financial Protection Bureau, Federal Trade Commission, Financial Crimes Enforcement Network, state departments of financial services, state attorneys general and various industry associations.
"The investment or the tax -- depending on what way you want to look at that -- to make sure you're proactively connecting with the right people is very significant," he said.
The next installment of this two-part story provides a high-level overview of LevelUp's approach to keeping data safe.