I spend much of my time as a mediator, a translator and a scout trying to find a path that will satisfy everyone. The regulators mandate that we respect customer, employee and financial data. Our business needs confidentiality and the use of data in a value-added fashion. The marketing team lives to invent compelling products and interactions. To balance these requirements, I work with IT and business teams to match the language of law with the landscape of technology.
IT and IT security leaders must learn to speak the language of business leaders in order to understand, enable, and protect the interests of the business.
A significant disconnect I encounter is the gap between what C-level executives are thinking and driving the business to do, and what the IT team is thinking and deploying its resources to protect. C-level executives are charting a course for the next year and beyond on the basis of assets to be employed and risks to be avoided, while the IT security team often must spend all of its limited resources dealing with the near term, navigating the obstacles of regulators, attackers and inept or malevolent insiders.
Legitimate tension exists between strategy, tactics and scarce resources. But we need to get aligned. IT and IT security leaders must learn to speak the language of business leaders to understand, enable and protect the interests of the business. With alignment comes support in terms of project priorities, head count and budget.
Reputation Is Number One
A recent Ponemon Institute survey demonstrated this dichotomy between executives and IT. The survey of 718 IT and IT security practitioners in the United States—more than half of whom report directly to the CIO—determined that the number one reason senior management funded data protection efforts was “the need to comply with regulations, laws, and other mandates” followed closely by “response to a recent data breach” (a response likely necessitated by a regulation). At the very bottom of the justification list is “protect the company’s good reputation.”
Source: Best Practices in Data Protection, October 2011, Ponemon Institute
This survey reflects the business’s priorities as interpreted by IT. It may, however, just be a perfect inversion of the priorities of C-level executives. Your CEO is most concerned with the company’s reputation. Why? A regulatory violation, while costly, time-consuming and painful, is relatively rare. By contrast, reputation—the perception of customers and investors—is expensive to establish and maintain, is fragile and is nearly impossible to regain if lost. A behavioral marketing campaign may not violate today’s regulations, but it can cause a groundswell of indignation and an avalanche of bad press.
What Takes Priority in IT: PII or IP?
I detect a similar disconnect in a second survey question: “What type of data if lost or stolen presents the highest level of risk to your organization?” Here, IT’s top answer is intellectual property (IP). Customer, employee and consumer information (PII) occupy the bottom of the list.
Source: Best Practices in Data Protection, October 2011, Ponemon Institute
This result makes sense at a tactical level. IT has been grappling with the regulation of employee and customer data for more than a decade. Many organizations have adopted content filtering and laptop encryption. IT may consider the regulated-data problem solved or mitigated.
My guess is that, compared with PII protection, the IP protection process today seems more difficult and takes more effort and time from IT. Where regulated data is reasonably generic and well defined (credit card numbers, addresses and account numbers), IP is business specific. To protect IP, IT must decide what data constitutes intellectual property, locate it and then establish rules and enforcement procedures around it. That takes a good understanding of the business and legitimate business uses, which in turn takes research and lots of meetings, or smart DLP technology. Once you know what to protect, good DLP technology can enforce controls that match the location and usage of IP. This can be a lengthy process, depending on the business and on the technologies in use.
I expect most IT organizations do not feel they have yet fully solved the IP problem, which means they worry most about it and rank IP at the top of their list of concerns.
As a lawyer, I remain more concerned about PII than IP. IP laws around copyrights, patents and trademarks are well defined and well understood. We can go to court if we need to. But PII is a moving target. Sure, we have invested in filtering and encryption for the problem as we understood it when the regulations were rolled out, but the data risks change. The regulations change. The business changes. That means we can never really say we have “solved” the regulated data problem.
This perpetual upheaval is why the executives I counsel would invert the “risks” bar chart and put consumer, customer and employee data at the top of the list, in that order. I can hear a few “best practice” organizations out there objecting. Yes, IP is definitely on my risk list, and it tops the list in certain industries. For optimized organizations that have flexible DLP technology, perhaps IP really is the hardest problem left to solve. Still, from a risk basis, I think regulated data remains more immediately dangerous, and it demands continuing attention from IT leaders.
The absence of stability is a familiar situation for IT security. You don’t know where the next attack will come from, which application will reveal a vulnerability, or who will lose the next laptop or smartphone carrying privileged data. You plan for the unknown by understanding your risks and mitigating them using layers of defenses and compensating controls.
Here’s a chance, however, to dig into things that are known: where your business is heading and what your executives consider to be its risks. With this understanding, you can both support the business and minimize risks through wise IT investments.
Precious Insights from the 10-K Report
Many employees get their understanding of business strategy through employee communications—a newsletter, an all hands meeting or a staff meeting. I believe, however, your most underused resource is a publicly available document—the 10-K report. This annual filing with the Securities and Exchange Commission documents the experiences and plans of the business. It is well vetted by the company and fairly unbiased, especially compared with analyst reports and media interpretations. Section 1 of the 10-K describes the business and its planned activities; section 1A documents risks and uncertainties. Your executives approve this document before its publication.
Although it should not reveal any trade secrets or intellectual property, it should reveal the likely direction of a company for a year or more. If your company doesn’t publish a 10-K, look at the reports of publicly traded competitors. Or take a marketing person to lunch.
With an understanding of what your executives hope to accomplish and the concerns that they feel must be acknowledged, you can think through the effects these initiatives will have on IT, as well as what effects IT can have on these initiatives. This is “business first” thinking.
Case Study: A Major Retailer
Here is an example to walk through this “business first” risk mitigation approach: a major retailer had essentially exhausted the expansion possible through “Big Box” suburban discount stores. In its 10-K report, the company noted that it would be developing a new boutique store concept in urban areas to appeal to a more affluent demographic. It would be implementing new value-added services, including pharmacies and health-care offerings.
Let’s work through the risks and technology mitigation options for these business changes.
- Same data, new customers—Compared with budget shoppers, a more upscale clientele will be more concerned about the privacy of personal data. This choosy and fickle community is already shopping elsewhere and will go back to that other store—or just shop online—if they decide they cannot count on your respect for their personal data. You must assure customers that their data is secure (perhaps this could be part of the marketing message), and a breach must be avoided to preserve a sterling reputation during the delicate first years of the expansion. A data security review is in order, perhaps including an external audit.
◦ Refresh encryption, archival and retention management practices. There may be ways to fill coverage holes, reduce the data captured or reduce the length of time it stays in your storage, all with an eye toward minimizing the opportunity for data loss.
◦ Privacy regulations are different for stores in different states and countries, and they keep evolving. Make sure that you have checked for changing rules. Audit and proclaim your compliance.
◦ Network segmentation and stronger access controls might help reduce the potential risk of inadvertent data exposure
◦ Stronger perimeter protection for your data center could help to ensure high availability and confidentiality for demanding customers
- New data—Expanding into health-care markets in the U.S. requires compliance with the Health Insurance Portability and Accountability Act (HIPAA). These regulations are intended to protect patient health information (PHI).
◦ The HITECH Act expanded and revised HIPAA rules and included a ripple effect to third parties with whom you exchange PHI. You need to secure these connections, and you may need to educate each third party to prevent a breach. If you fail to prevent a breach, your business will bear the brunt of customer blame, not the third party.
- New uses of data—Collection of prescription data could enable a new range of in-store, mobile and online marketing to patients.
◦ This marketing would require careful data mining and possibly consolidation or upgrades to data centers for rapid and accurate data analysis and access
◦ Anonymization of customer data could help protect privacy, but it would change the availability of integrated, personalized product offerings and marketing campaigns. Cross-department service examples might include personal shopping assistance after significant weight loss or healthy menu plans and shopping lists for fitness-savvy customers who opt in to personalization services.
- Operational implications—There may be ways to adjust what you are doing or planning to do to better serve the business. You could reprioritize your plans to support different investments, add requirements to the controls you already have in place or have planned, or negotiate different features and terms with your vendors.
◦ Some existing, but mature or non-core, IT services could shift to the cloud to allow better focus on new and core services.
◦ Virtualization might allow you to redeploy compute resources to free up systems for service development and testing.
◦ You may need to nurture or acquire different skills in your organization.
◦ Exception handling of alerts and incidents might be reduced through stronger change control systems.
Which Data Matters?
In this example, consumer and customer data have the highest value to the company. This sensitive data merits investment in protection. The company’s IP—how it implements and operates its stores—is much less likely to be lost and is much less of a problem if someone else steals it. The company has a leadership position that would be hard to replicate quickly.
Risks, Rewards and Resources
With this list in hand, you would be prepared to sit down with executives and business unit partners and discuss risks, rewards and resources: where are the risks, what are the business rewards and how much of which resources are appropriate to mitigate the risk? Executives will be able to understand the simple security risk management formula: you don’t want to invest more in mitigation than the asset is worth.
If you have followed the customer requirements, business needs (and hoped-for outcomes) and regulatory patterns to attach value to data, you have reached what I call “data value,” or DV. The value is purely derived from the real leverage that can be gained from obtaining, managing and eventually deleting data within your networks and those of your partner resources. You have also determined where real risk applies, from the customer “ick” factor to the potential loss of time, cash and reputation where data is misused or fails to be used to protect or grow the business—this is what I call “data risk,” or DR. To the extent that DV and DR can be quantified, DV>DR is your “business first” formula for success.
The sooner you have this risks, rewards and resources discussion, the better you can help shape the product investment plan and adjust your infrastructure to support it. In some cases, product ideas may need to be scrapped altogether. Or perhaps you can come up with a different idea, where IT and security technologies enhance and enable new service options. Plus, your collaboration with the business teams this year will make it easier for your efforts next year, giving you insights that you should still validate using the 10-K report.
My experience and the Ponemon survey both show that IT and IT security leaders can do more to understand and connect with the language and goals of C-level executives. For those that report to the CIO, this effort in understanding and translation will help you manage your boss. It will equip your CIO to negotiate with the other C-level executives to go after appropriate resources, using language each audience will understand.
If you don’t work for the CIO, this “business first” thinking will help you make better decisions and have fewer fire drills and false starts as you plan for and navigate changing risks, regulations and business requirements. You will also be better prepared to work with your IT partners.
About the Author
Michelle Finneran Dennedy serves as vice president and chief privacy officer at McAfee. She is responsible for the development and implementation of McAfee data privacy policies and practices. Before joining McAfee, Michelle founded The iDennedy Project, a public service organization to address privacy needs in sensitive populations, such as children and the elderly, and emerging technology paradigms. Michelle is also founder and editor-in-chief of TheIdentityProject.com, an advocacy and education site focused on child identity theft.
Michelle was formerly vice president for security and privacy solutions for Oracle Corporation. Before that, she was chief data governance officer with the cloud computing division at Sun Microsystems, Inc. Michelle worked closely with business, technical, and legal teams to create the best data governance policies and processes possible for cloud computing. Michelle also served as Sun Microsystem’s chief privacy officer. Michelle is a sought-after public speaker, evangelizing new approaches and business justifications for soundly defined, transparent security and privacy policies and systems.
Michelle has a Juris Doctor (JD) degree from Fordham University School of Law and a Bachelor of Science degree from Ohio State University. In 2009, she was awarded the Goodwin Procter-IAPP Vanguard award for lifetime achievement and the Executive Women’s Forum–CSO Magazine Woman of Influence award for work in the privacy and security fields.