Thursday, July 26, 2007

Chief Financial Officer: The Ultimate Data Chaperone

By Frank Teruel, CFO, Vormetric, Inc.

The year 2006 earned an infamous distinction: The Year of the Breach, aptly stated, considering the incessant data attacks suffered by businesses and consumers alike throughout the year.

Yet, the growing data security problem that left an indelible mark on 2006 is not an anomaly. In fact, the issue of data security has quickly moved “from the server room to the boardroom,” as one of my colleagues often quips.

Once the sole purview of corporate IT and security personnel, keeping vital corporate and personal information safe is now an executive imperative that is capable of leaving a lasting taint on those who ignore it. More fundamentally, data security is an integral component of an organization’s internal control structure and a requisite risk management activity.

Who’s on First? What’s on Second? I Don’t Know!

Remarkably, despite the clear proliferation of data security breaches, many organizations still ask themselves: “Who is responsible for data security?” Or “What data should be secured?” Regretfully, more often than not the honest reply to both queries is: “I don’t know.”

All too often, it’s been technical professionals determining what constitutes sensitive data and bearing the responsibility for securing it. Despite their valiant efforts, the technical folks often lack a clear appreciation for the value of the data they are being asked to secure. Moreover, sensitive, valuable corporate data is often created in locations and on systems far from the paternalistic eyes of IT personnel. However, with the rising magnitude and frequency of reported and unreported breaches, the data security imperative targets a geometrically increasing business risk. Remediating that risk should consume thought cycles and deliberate attention in every C-suite.

The Privacy Rights Clearinghouse touts over 158 million reported breaches from January 2005 through July 2007...158 million! Bear in mind that these are reported breaches, the exposure of data records of U.S. citizens. Their impact may well pale in comparison to the lost value associated with unreported compromises or thefts of intellectual property.

The size and frequency of the data breaches are a testament to the increasing sophistication of data pirates. But the breaches also show that most of the affected organizations have been much too lethargic. Many of them have resorted to playing the “I am a victim too” card rather than focusing personnel and budget on mitigating their risk. The victim card has been overplayed; candidly, organizational constituents have had enough.

Organizations that are stewards of sensitive information would do well to step up their protection efforts or face the wrath and ire of disenfranchised stakeholders and a media ravenous in its pursuit of breaches. It is inconsequential whether the data is intellectual property, credit card information, social security numbers, patient drug studies, or corporate financials. If it’s important to its owner, protect it!

Ignorance is Not Bliss

Midway through 2007, the consequences of data security inaction loomed even greater than they did in 2006. Thanks largely to the folks at TJX, an organization which may now hold the dubious distinction of having suffered the largest corporate data breach on record – some 45 million affected TJX customers by some accounts – the breach count may now exceed 200 million in the last two years!

Shortly after the TJX story broke, I heard from my credit card-issuing bank. They advised me to cancel my card and recruited me to the chorus of customers who have had enough. Ignorance with respect to data security and the associated risks is not bliss. It’s sheer negligence.

James W. Blake, chairman of the Massachusetts Credit Union League and chief executive of HarborOne Credit Union, stated in a much-publicized letter to TJX’s CEO that it is beyond comprehension that TJX’s management team would make a decision not to provide the proper level of security for their sensitive customer information. Mr. Blake is absolutely correct.

Regretfully, TJX is not an exception. In a recent chastisement of UK CEOs, Richard Thomas, the UK’s Information Commissioner, stated that, “over the last year, we have seen far too many careless and inexcusable breaches of people's personal information. The roll call of banks, retailers, government departments, public bodies and other organisations that have admitted serious security lapses is frankly horrifying.”

Too many companies have taken an “ignorance is bliss” approach; they have gambled on nothing happening to the sensitive data in their care. Astonishing, considering that many of these same companies certified both their financial statements and their internal control environments in SEC filings.

Question: How can you vouch for the integrity of your internal controls and then suffer a monumental data breach? Answer: You can’t!

It appears inevitable. There will be a tsunami of litigation rolling over organizations that continue to ignore data security. It will come from shareholders forced to endure market cap hits, from partners tainted by their association with breached organizations, and from customers tired of cavalier data practices.

No, ignorance is not bliss…it is very expensive!

Get Ahead of the Curve

Management teams must wake up to the immense risks posed by unsecured data. It is no longer acceptable to hope the problem away. CFOs who are serious about mitigating organizational risks and preserving the value of corporate assets must make data security a key competency and an essential job requirement.

No other executive is better positioned than the CFO to qualify and quantify the inherent value of data, determine where the sensitive data lives, calculate potential costs associated with breaches, and strengthen the internal control environment to ensure that all vital information remains secure. The CFO is the perfect data chaperone.

Before you make any assertions about your internal control environment, ask yourself: How secure is my data? If you don’t know, then that environment is vulnerable. So too are the value of your brand and the loyalty of your customers.

It’s eleven o’clock…do you know where your data is?

1 comment:

wordsmith said...

Agree - CFO should be in charge of data security. Remember also that the CFO is (or should be) well schooled in matters of a fiduciary nature. This indicates to me that the CFO is more likely than other executives to take very seriously the responsibility to safeguard the important customer information that may be in company files - information such as credit card numbers, addresses and phone numbers, bank account numbers and so on. While one could argue that this information is not strictly a corporate asset, the company has a fiduciary responsibility to protect it, and should do so with even more care than it exercises in safeguarding its own data.