This article by Mahmood Sher-Jan, CCHPC, CEO and founder of RADAR, Inc., was originally published on the Compliance & Ethics Blog.
Threats to the privacy and security of sensitive data are unavoidable. 2017 is proving to be no different.
In its 2016 Internet Security Threat Report, Symantec estimates that more than half a billion personal records were lost or stolen in 2015. This is no surprise, since the company also discovered more than 430 million unique pieces of malware that year. Cyber threats aren’t the only problem, not by a long shot. Survey after survey also cites employees and other insiders as a major cause of data breaches.
Dangers from the outside and from the inside create an ideal breeding ground for privacy and security incidents. Verizon’s 2016 Data Breach Investigations Report examined more than 100,000 incidents, including 2,260 confirmed data breaches across many industries in 82 countries. Confirmed breaches are therefore only a small fraction of the total: for every confirmed breach, the data shows dozens of other incidents that also require investigation and risk assessment to ensure compliance with federal and state data breach laws. A key point to keep in mind is that the report covers electronic incidents only. Paper incidents and breaches shouldn’t be ignored, as they carry the same regulatory risk assessment and notification obligations.
Incident Response: The Cornerstone for Risk Management
Since it’s impossible to prevent all data incidents and breaches, incident response management has become a focal point for a risk-based approach to data security and privacy. Privacy and security professionals know that awareness, layered security, and automation are foundational to the success of any data privacy and security program given the escalating volume of incidents—malicious and accidental.
“Companies need a good layered defense strategy, but that by itself is not sufficient,” Ken Athanasiou, CISO of AutoNation, said in the whitepaper, Incident Response Management Software: The CISO’s Secret Weapon for Reducing Enterprise Risk. “They must also have great detection and response capabilities. If the bad guys want you bad enough then you will be breached, and if you don’t detect and respond fast enough you will be another victim in the headlines.”
United We Stand, Divided We’re Breached
Chief privacy officers (CPOs) and CISOs often come from different backgrounds and have different interests. But as designated enterprise risk managers, they must collaborate to ensure efficient handling of all incidents and compliance with complex regulatory and contractual notice obligations. And without buy-in from the board and C-level, security and privacy programs are marginalized, if not doomed.
“To best protect their data assets and consumer privacy, companies must look through the lens of enterprise risk,” said another CISO. “When I first arrived here, security and risk were focused on credit cards and PCI. We settled on a broader set of security standards to protect all information—not just credit card data. We also discussed risk management, privacy, and data protection with senior executives, and adopted a top-down approach to risk management.”
Fostering a Risk-Based Approach to Data Security and Privacy
In most organizations, security owns the budget for incident response because historically security incidents have been viewed as technical matters rather than enterprise risk concerns. To overcome this bias, privacy needs strong leadership to push for better integration of privacy and security functions, tools, and accountability. That integration can help foster a risk-based approach to data security and privacy rather than a check-the-box approach. The encouraging news is that I have seen a positive trend where CPOs of major corporations are leading the charge from the front with growing success.
“Forward-thinking companies are using governance as the masthead for risk management across privacy, risk, security, IT, and compliance,” Jason Taule, CSO/CPO of FEi Systems, said. “Allocation of resources is considered on an enterprise level, not just within a particular domain. In this way, multiple business problems can be solved with one investment.”
A Strong Case for Automation and Agility
According to the 2016 Black Hat Attendee Survey, nearly three quarters (72 percent) of top security professionals think it is likely that they’ll have to respond to a major data breach in the next 12 months. On the regulatory front, 2016 was a hectic year for updates to breach notification laws, making them more stringent and/or clarifying notification obligations and the definition of PII. And don’t discount the complexity of dealing with contractual notice requirements for any entity that acts as a third-party service provider or business associate in regulated industries.
These two factors, the inevitability of incidents and data breaches and the regulatory complexities around them, can overwhelm an organization’s ability to be proactive about data privacy and security. Security may be forced to spend its time resolving incident after incident without giving privacy the opportunity to assess risks against current breach notification laws. Further, without a system to track root causes and analyze incident trends, the organization may not spend its dollars where they will have the most impact.
In turn, privacy may not have the resources to monitor and analyze all contracts, regulatory amendments, and new breach laws. Internal systems and processes must be updated as these laws become effective to ensure compliance. This is a real test of the agility and flexibility of any organization and its incident response system.
To meet the needs of both groups, organizations need an automated incident response system that allows security (and other departments) to efficiently report incidents that can be escalated to privacy or compliance for risk assessment. While traditional GRC systems serve many valuable functions, they lack the purpose-built workflow and multi-factor risk assessment engine required to provide decision support and consistency for managing incident response in an ever-changing regulatory environment.
To truly succeed in their joint mission to protect data, privacy and security teams need an incident response management system that can be adapted to their organization’s security standards, stay updated with the latest laws, and provide the insight needed for organizations to fully manage incident-related risk. Only then will they be prepared to address the rising tide of internal and external threats to sensitive data.