The attention to People and Process is lagging far behind
In reviewing the recent plethora of data breach stories, I am beginning to see a pattern here. While many companies respond to breaches with more and more technology, it appears that they are ignoring what may be the real root cause: People and Process.
Case in point. In the article How Physicians’ SSNs Were Exposed, reported by HealthInfo Security (HIS), “Several Blue Shield of California spreadsheet reports inadvertently containing the Social Security numbers of 18,000 physicians and other healthcare providers were released 10 times by the state’s Department of Managed Health Care.” ((McGee, M. K. (2014, July). How Physicians’ SSNs Were Exposed. Healthcare Info Security.))
In another story, PHI Exposed in Mailing Error, from HIS, it was reported that “St. Vincent Breast Center in Indianapolis has notified 63,000 individuals that a clerical error led to the mailing of letters containing personal health information to the wrong recipients.” ((Roman, J. (2014, July). PHI Exposed in Mailing Error. Healthcare Info Security.))
And the big one for me was reported through TechTarget: Report finds poor security communication among executives. It appears that the Ponemon Institute LLC just released the results of a survey of nearly 5,000 IT security practitioners. That report was very enlightening. “Just under one-third of respondents indicated that their organizations’ respective IT security teams never discuss security with executives.” Of those surveyed, the report goes on, “only 1% said security teams spoke with executives weekly and 11% quarterly, though 15% specified that they could meet with executives on an on-demand basis.” ((Blevins, B. (2014, July). Report finds poor security communication among executives. SearchSecurity, TechTarget.))
I think we have found the likely reason why the breaches in the first two cases happened, and possibly why breaches happen at all: lack of top management involvement.
You see, it is people and process failures that cause the most breaches. Sure, technology has its place and is a huge part of the security posture, but what every security and IT professional learned way back in the day still holds: “Garbage in, garbage out.”
If we are not training our people properly and installing the checks and balances needed to ensure the competency of our people and the effectiveness of our processes, breaches will continue to happen. Sure, hackers enter our systems through the technology, but it is the people who install it and the processes we implement that guide that technology. There is no such thing as turnkey technology.
In December of last year the U.S. Department of Energy reported on a July breach that exposed the personal information of more than 104,000 individuals. It noted IT and agency management failures around vulnerability management and access controls, and a general lack of communication between decision makers. The story notes that “DOE failed to live up to industry standards and government mandates around not only encryption of sensitive data, but using Social Security numbers as identifiers, running IT systems with unpatched critical vulnerabilities and outdated software.” ((Mimoso, M. (2013, December). Poor Patching, Communication Facilitated July Dept. of Energy Breach. Threatpost.))
Luis Aguilar, Commissioner, U.S. Securities and Exchange Commission, stated that “Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril” during a speech at the “Cyber Risks and the Boardroom” conference held at the New York Stock Exchange on June 10th. ((Aguilar, L. (2014). Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus. United States Securities and Exchange Commission.))
A board’s failure to manage cyber risks can create threats of litigation, fines, increased insurance costs and, perhaps most importantly, loss of consumer confidence.
Best practices like ISO/IEC 27001, Shared Assessments, CSA STAR Certification for the cloud and the NIST Cybersecurity Framework are all there as holistic road maps that provide guidance for driving security from the top down. Using one of these as a foundation, or integrating them, is an excellent way to demonstrate a standard of care and to show that you do in fact care.
Information and cyber security, like it or not, is a board-level issue. Like most things in our lives, it is people and process that drive what tools we use and how we use them. They drive the culture of our organizations and ultimately how we safeguard our company, employees, customers and the society around us.
Shared Assessments Steering Committee member, John DiMaria, BSI Group America, Inc., is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in Management Systems and international standards. Connect with John on LinkedIn.
Notice: The statements within this article are the independent views and opinions of the author and not necessarily those of the management of BSI Group America, Inc.