I’ve been involved in various ways with information security topics and issues since around 1980. I even spent a year as the acting head of information security for one of the global credit reporting agencies. In that job, I looked after the security of 500 million identities, securing a network with more than 100,000 connections to the providers and consumers of credit data.
Over the years I’ve also parsed a lot of the rhetoric surrounding the challenges related to information security as well as developed some pragmatic approaches to what’s become a very difficult operational issue for any organization that transacts any part of its business digitally. B2B, B2C, B2M — it doesn’t matter. If you move anything of value (yours or others) over the wire, you’re exposed to some degree of risk.
With the recent incidents reported at Target and Snapchat (and 2013 reportedly the worst year yet for consumer-data breaches), it’s worth reviewing where we are with information security and what the CFO should be asking the chief information officer (and the chief information security officer, if the business has one) about their plans for 2014 and beyond.
Let’s start with the bad news first: there is not, and never will be, a completely secure public (and in most cases private) network. As soon as data leaves your perimeter (and even inside it, if you run a wireless network), it passes through equipment other people operate, and it is observable by them, both necessarily (intermediate systems have to read the addressing to get it where it’s supposed to go) and inadvertently. Encryption in transit keeps the contents private, but it does not hide the fact that traffic is flowing, between which endpoints, when, or how much. Unless you own the end-to-end transport medium (such as private optical fiber), your traffic is mixed in with everyone else’s.
Just as you can stand on the side of the freeway and see every vehicle that goes past, data traffic is visible to anyone with the technical capability to monitor the network. Just as your vehicle is covered with information (make, model, license, other windshield stickers), so is your data. And just as your vehicle is increasingly able to respond to electronic inquiries about where it’s been and where it’s going, your data may be too.
Second, certification of adherence to standards is no guarantee of safety. Many breaches have occurred at organizations that had been assessed as “compliant” with standards such as PCI DSS (I make few friends by pointing this out). A compliance assessment is a point-in-time check of a defined scope; it says nothing about the systems left out of scope or about what changed the day after the assessor left. However, that’s not an excuse for avoiding compliance wherever you need it.
Third, people (their habits, abilities and level of awareness) are a bigger security problem than technology. That’s no excuse for ignoring what technology can and should be doing to help. It does, however, mean that you and all of your service partners need clear human-resource policies covering pre-hire background checks and periodic re-checks of current employees, with the same requirements flowed down to contractors who have access to your systems or data. Trust but verify needs to be the approach.