Tuesday, December 10, 2013

Mark Combs
Any CISO worth his salt could easily sit down with a top executive and discuss the issues surrounding today's complex regulatory landscape when it comes to protecting critical information. Our world is fraught with government rules like HIPAA/HITECH, SOX, PCI, FERPA, etc. Fines, penalties, loss of reputation, and loss of business–these are all real threats that we face, but what impact are they having? If government-enforced penalties are really effective, then why are we still seeing breaches of sensitive information? Breaches are not declining–they are on the rise at an alarming rate.

Every day my inbox fills with horror stories in which thousands upon thousands of customer records are disclosed. When will organizations start to realize the true impact on the lives of those people whose information we carelessly took for granted? In many of these cases, the breach could have been easily prevented by some of the most common security controls, with encryption at the top of the list.

Let's take the financial industry, for example–every day I go to work to provide for my family. The company I work for pays me for my time that I spend providing valuable output to grow the organization. That money represents a part of my life that I can never regain. When an employee walks out of the building with my information on a laptop or USB drive that is not encrypted and loses it–they lose more than just that information; they lose part of my life.

Here's another example: if a healthcare organization discloses a large amount of patient data and loses patient confidence, it can have a much farther-reaching effect. Studies have shown that patients who do not believe their healthcare organization protects their information are much less likely to disclose sensitive information about their condition. Let's say a patient presents to their physician with a lump in a sensitive area of the body. In this case, the patient has lost confidence in this particular healthcare provider because of a recent breach that was just all over the news. Due to this lack of confidence, the patient doesn't fully disclose the lump–time passes, the lump grows and turns out to be cancer. In a lot of cases, cancer can be more easily treated with early detection; however, since the organization didn't take what are, in most cases, the most basic of precautions, the patient now has a terminal illness and it costs the organization many times more to treat than it would have to begin with.

Oftentimes I sit with providers, business executives and other leaders and try to explain the importance of information security; yet I see the glossed-over look when I talk about the fines, the penalties, the policies and the harm to the organization. That look becomes intense interest when I change the subject to how it affects our customers, our patients–the people.

CISOs have to start speaking the language of their executives. In most cases, C-levels really don't understand or care too much about the technical jargon. How many viruses did you stop? How much spam or phishing did you thwart? Not important–how many lives did we change today? That's the real question.

If you are serious about building an effective information security program, change the tenor of the conversation. Help them understand you're not just protecting data; you're protecting their most precious asset–your customers.