Friday, March 7, 2008

Outsourcing: Data Security’s new untamed frontier

March 7, 2008

By Frank Teruel, CFO, Vormetric Inc.

Lost to the almost unanimous enthusiasm over the economic benefits of outsourcing and off shoring, is the harsh reality that sensitive data is leaving the trusted confines of your paternalistic and protective IT environments and embarking on a journey fraught with peril. Your sensitive data may well travel to environments where loyalty to your data and customers is not certain, where data is a soft target, and where recourse is sadly often nothing more than marketing spin by jurisdictions or companies anxious to solicit your business. Yet, it is impossible to ignore the economic reality of outsourcing. Accordingly, prudent executives must factor in the hidden costs associated with potential data breaches. After all, what good is realizing economic benefit which may be more than offset by significant data breach costs, diminished customer loyalty, and the lasting digital taint prominently displayed to any affected or potential customer astute enough to do a Google search? Candidly, any benefit may pale in comparison to the hidden costs resulting from cavalier data practices by your chosen outsourcer. The answer to this data security/outsourcing conundrum is actually quite simple – make sure that your data security policies and solutions travel with your data and that you factor in the potential cost of a breach into your deliberations.

Paper Contracts and Empty Promises

Many outsourcers that recognize the impact of data breaches and are reluctant to make the salient investments in true data security solutions, have instead sought to calm executive’s anxiety with lofty contractual promises dressed in the form of impressive indemnity provisions and guarantees. “We ensure that our employees sign confidentiality arrangements” and “our employees are monitored daily to ensure the integrity of your data” is the common mantra of many outsources. Some even tout the fact that their employees are bonded. Regretfully, such grandiose gestures and contractual promises are often not worth the paper on which they are written. The rub is that enforcing these protections is no small matter. Moreover, even if you can enforce them your data has already leaked and the damage to your company may be incalculable and insurmountable. How do you compensate for the loss of critical intellectual property which is the lynchpin for your next product line or the foundation on which you have built your competitive differentiation? How do you console a customer whose medical records have been compromised? How do you explain to a level-one merchant that their payment card industry data security standards (PCI-DSS) efforts have fallen short because the outsourced call center that was recording their customer support calls lost media files rich with personally identifiable information including credit card numbers? The harsh reality is that the damages often far exceed the amount of compensation available through the contract. Equally daunting is the consternation that you will face as the steward of your customers’ data in the event that it is mishandled in faraway places. As an executive intent on realizing the outsourcing boon, you must insist on more than paper promises to ensure the security of sensitive data…you must have complete confidence that your data is as secure abroad as it is at home.

Trust but verify

Such confidence cannot be borne through paper alone. Rather, executives must insist that their outsourcers adhere to a consistent and robust set of data security practices. Moreover, outsourcer data security policies must be tested and validated ensuring the appropriate level of accountability and governance in the relationship. In a very real sense, trust the contractual promise but verify its implementation and insist on congruent data practices both at home and abroad. At a minimum, your contract should specify that any Payment Card Industry (PCI) data, Personally Identifiable Information (PII), patient records, intellectual property in digital form, or any other data that you or your customers deem sensitive must be encrypted and subject to robust access control. The salient point here is that only those individuals with a need to access and work on your data should be allowed to do so. Further, insist that the outsourcer deploy the same data security infrastructure that you have at home. Any outsourcer serious about developing a long term relationship with you will not baulk at protecting your data with equal, if not more rigorous, diligence. Finally, ensure that appropriate governance procedures are incorporated into your contract including, quarterly reporting of the state of your data, who and what accessed it, and whether any data leakage occurred.

Data Security Ecosystem

In so doing, you are taking the first important steps in creating a consistent data security ecosystem so that your data remains secure irrespective of where it travels. Bolstering the contract is a critical step. However, creating a congruent data security environment is integral to ensuring that data security is a consistent and persistent attribute of all of your data and thus protected irrespective of how it’s used and where it lives. Your ecosystem must contain the following elements:

· Ongoing Data Sensitivity Analysis to ensure that the all data that is sensitive to the organization is designated as such and subject to appropriate use rules.

· Data Security Policies that are authored and managed at home while enforced in the outsourcers environment and on their host machines. This step is critical in ensuring appropriate separation of duties with respect to data security policies and instilling appropriate data governance into the relationship. Authoring the policies at home ensures that your security administrator is creating the rules by which your chosen outsourcer can access and use your data.

· Strong Access Control enforced with high-performance encryption. The data policies will determine which users can access data. All other users or unauthorized applications are prohibited access and data is never in the clear so that in the unlikely event of unauthorized access or even loss of archived data, the data remains encrypted and unreadable.

· Scalable Nonintrusive Solutions that can function irrespective of data and application type. Few outsourcers will agree to solutions that will necessitate customization of applications or significant changes in how they do their work. Creating an ecosystem standard that is application and data type agnostic will ensure that your data rules are transparent and not an impediment to productivity.

· Timely Unalterable Reporting that captures all attempts to access the data and reports those attempts to your governance team. Ensuring that the logs are recorded in an encrypted fashion away from the outsourcer’s environment will mitigate the tamper risk associated with logs that are in the clear.

· Auditing to intermittently challenge the integrity of your data security ecosystem to ensure that the policies in place continue to satisfy the use case and the security needs.

Data Security – Don’t leave home without it

Unquestionably, the challenges associated with data security are magnified in an outsourcing environment where data is no longer within the trusted confines of your organizations. The risks of unauthorized access and use of data are real enough at home and only greater abroad. Yet, combining strong contractual mandates with an extension of your security ecosystem to the outsourcer will help mitigate the heightened data breach risk in any geography. The bottom line is that if your sensitive data is important to you and your customers, you must protect it. Before jumping into any outsourcing relationships, consider the potential cost of a data breach, wordsmith the outsourcing contract to ensure requisite protection, and extend your data security ecosystem to ensure congruity both at home and abroad. Your data is important…don’t allow it to leave home without its personal security.

Thursday, July 26, 2007

Chief Financial Officer: The Ultimate Data Chaperone

By Frank Teruel, CFO, Vormetric, Inc.

The year 2006 earned an infamous distinction: The Year of the Breach, aptly stated, considering the incessant data attacks suffered by businesses and consumers alike throughout the year.

Yet, the growing data security problem that left an indelible mark on 2006 is not an anomaly. In fact, the issue of data security has quickly moved “from the server room to the boardroom,” as one of my colleagues often quips.

Once the sole purview of corporate IT and security personnel, keeping vital corporate and personal information safe is now an executive imperative that is capable of leaving a lasting taint on those who ignore it. More fundamentally, data security is an integral component of an organization’s internal control structure and a requisite risk management activity.

Who’s on First? What’s on Second? I Don’t Know!

Remarkably, despite the clear proliferation of data security breaches, many organizations still ask themselves: “Who is responsible for data security?” Or “What data should be secured?” Regretfully, more often than not the honest reply to both queries is: “I don’t know.”

All too often, it’s been technical professionals determining what constitutes sensitive data and bearing the responsibility for securing it. Despite their valiant efforts, the technical folks often lack a clear appreciation for the value of the data they are being asked to secure. Moreover, sensitive, valuable corporate data is often created in locations and on systems far from the paternalistic eyes of IT personnel. However, with the rising magnitude and frequency of reported and unreported breaches, the data security imperative targets a geometrically increasing business risk. Remediating that risk should consume thought cycles and deliberate attention in every C-suite.

The Privacy Rights Clearinghouse touts over 158 million reported breaches from January 2005 through July 2007...158 million! Bear in mind that these are reported breaches, the exposure of data records of U.S. citizens. Their impact may well pale in comparison to the lost value associated with unreported compromises or thefts of intellectual property.

The size and frequency of the data breaches are a testament to the increasing sophistication of data pirates. But the breaches also show that most of the affected organizations have been much too lethargic. Many of them have resorted to playing the “I am a victim too” card rather than focusing personnel and budget on mitigating their risk. The victim card has been overplayed; candidly, organizational constituents have had enough.

Organizations that are stewards of sensitive information would do well to step up their protection efforts or face the wrath and ire of disenfranchised stakeholders and a media ravenous in its pursuit of breaches. It is inconsequential whether the data is intellectual property, credit card information, social security numbers, patient drug studies, or corporate financials. If it’s important to its owner, protect it!

Ignorance is Not Bliss

Mid way through 2007, the consequences of data security inaction loomed even greater than they did in 2006. Thanks largely to the folks at TJX, an organization which may now hold the dubious distinction as the largest corporate data breach on record – some 45 million affected TJX customers by some accounts – the breach count may now exceed 200 million in the last two years!

Shortly after the TJX story broke, I heard from my credit card-issuing bank. They advised me to cancel my card and recruited me to the chorus of customers who have had enough. Ignorance with respect to data security and the associated risks is not bliss. It’s sheer negligence.

James W. Blake, chairman of the Massachusetts Credit Union League and chief executive of HarborOne Credit Union, stated in a much-publicized letter to TJX’s CEO that it is beyond comprehension that TJX’s management team would make a decision not to provide the proper level of security for their sensitive customer information. Mr. Blake is absolutely correct.

Regretfully, TJX is not an exception. In a recent chastisement of UK CEOs, Richard Thomas, the UK’s Information Commissioner stated that, “over the last year, we have seen far too many careless and inexcusable breaches of people's personal information. The roll call of banks, retailers, government departments, public bodies and other organisations that have admitted serious security lapses is frankly horrifying."

Too many companies have taken an “ignorance is bliss” approach; they have gambled on nothing happening to the sensitive data in their care. Astonishing, considering that many of these same companies certified both their financial statements and their internal control environments in SEC filings.

Question: How can you vouch for the integrity of your internal controls and then suffer a monumental data breach? Answer: You can’t!

It appears inevitable. There will be a tsunami of litigation rolling over organizations that continue to ignore data security. It will come from shareholders forced to endure market cap hits, from partners tainted by their association with breached organizations, and from customers tired of cavalier data practices.

No, ignorance is not bliss…it is very expensive!

Get Ahead of the Curve

Management teams must wake up to the immense risks posed by unsecured data. It is no longer acceptable to hope the problem away. CFOs who are serious about mitigating organizational risks and preserving the value of corporate assets must make data security a key competency and an essential job requirement.

No other executive is better positioned than the CFO to qualify and quantify the inherent value of data, determine where the sensitive data lives, calculate potential costs associated with breaches, and strengthen the internal control environment to ensure that all vital information remains secure. The CFO is the perfect data chaperone.

Before you make any assertions about your internal control environment, ask yourself: How secure is my data? If you don’t know, then that environment is vulnerable. So too are the value of your brand and the loyalty of your customers.

Its eleven o’clock…do you know where your data is?