Ensuring information security

Viewpoints: Data and identity theft

Data has become the new currency of business. It moves across organizational and international boundaries and is exchanged for value. Imagine this data landing in the wrong hands and the massive information security breach that would occur in your company if it did. In overhauling the company’s data protection strategy, many managers ask the question, “Should I invest information security dollars in buying new technology, in hiring a chief information security officer (CISO), or in administering awareness training for employees?” According to a new report on information security, the answer is a balance of all of the above.[1]

After surveying C-suite, information technology, and security executives from around the world, the study found that companies too often don’t have solid controls for their intellectual property, their employee information, or their customer data. The result? A security approach based more on hope than on fact.

Knowing what you have and where it’s located is the starting point for protecting customer and employee information and company intellectual property. The results of the research show that the majority of companies don’t have access to this knowledge. Less than half of all survey respondents say their organizations have established security baselines for external partners, customers, suppliers, and vendors or require third parties to comply with internal privacy policies. And less than a third (1) have an inventory of third parties handling the sensitive personal data of customers and suppliers or (2) conduct due diligence of those third parties.

Investing in your employees may help counter these security setbacks. The human dimension of information security can be a form of insurance should technology solutions fail, but it is more often an Achilles’ heel. Providing ongoing security awareness programs can condition employees to be more aware of their surroundings and of the information they are sharing electronically.

But no information security program is effective if it’s not part of a C-level strategy. A correlation exists between levels of breaches and the lack of a comprehensive security strategy overseen by a C-level executive. Yet only 59 percent of those surveyed stated that they had an overall information security strategy in place. And only 52 percent of US companies employ a CISO or a chief security officer (CSO).

The bottom line is that many companies are vulnerable to data and identity threats. The repercussions of a security breach are serious and often include financial loss, damaged reputation, and/or business disruption. By undertaking a risk-based, comprehensive approach, organizations have a better chance of preventing and recovering from an information security attack.

[Chart: How secure is a company’s data? (chart title as extracted: “How hard is it to find skilled board members”). Source: PwC, 2008 Global state of information security survey]

[1] PwC, 2008 Global state of information security survey, October 2008.