Time to face the truth about data security

At Bank of America, lost backup tapes led to a big breach, while password compromises figured in the one at LexisNexis. A lost laptop was the culprit at Fidelity Investments, and a hacker attack penetrated security at CardSystems.

With confidential data at stake, the worries are real. Customer credit card numbers may be created in a secure database, but pretty soon that data winds up all over the place--multiple applications, backup tapes, employee laptops, e-mail attachments and so on.

Ask a room full of IT professionals where their private data resides, and they'll burst into laughter. They have no idea.

The typical knee-jerk reaction is to blame the problem on the lack of adequate security technologies. For years, business executives just didn't know--or care--about IT risk management and information security. So they underinvested and now are left unprotected.

Most security professionals would passionately concur that security defenses are lacking, but that's only part of the story. Technology finger-pointing ignores the fact that many companies do a lousy job at monitoring, communicating and enforcing security policies and procedures.

Here's a real-world analogy. Every day I drive to my office on Route 495 in Massachusetts. There is a speed limit (65 mph) and traffic laws (pass on the left, do not cross multiple lanes at once, and so on), yet no one seems to comply. The police can't possibly catch all of the violations, so it is up to drivers to follow the rules. Some do, some have no idea that they are breaking the law, and most simply ignore the rules.

This is exactly where we are with confidential data security. Most organizations also have "rules of the road" but few proactively enforce the law.

The Enterprise Security Group, where I work, recently surveyed 227 North American-based security professionals who work at organizations with 1,000 employees or more. Respondents were asked to rate their organization on a number of policies and procedures related to confidential data security. More than half of these folks said that their organization was fair or poor at "classifying and tracking the movement of confidential data" and "communicating and training employees on confidential data security policies."

Forty-three percent said that their organization was fair or poor at monitoring and auditing confidential data security policies, while just over one-third claimed that their organization was either fair or poor at "implementing access controls for private data." I could go on and on, but you get the picture.

So that is where we stand. Private data resides on devices all over the enterprise, and IT has no idea where it is. People with access to this data have not received the appropriate training on data protection, and the security team does not have adequate tools to monitor or enforce user behavior. Is it any wonder why we have a problem?

Blaming security staff and IT managers is a copout. Executives haven't spent enough or integrated security into the corporate culture. Developers haven't been trained on secure coding. Human resources and legal staff don't understand technology vulnerabilities or security device limitations. CIOs have limited dollars and infinite tasks. Everyone is involved here.

It's time we faced facts. Confidential data security is a big, ugly problem that touches everyone and every system. You simply can't address this with the security widget du jour; rather it will take a coordinated and complicated enterprise effort.

When it comes to confidential and private data security, the tired tech industry buzz phrase of "people, process and technology" is truly in play. Each of the three areas is badly broken and in dire need of repair.