SAN FRANCISCO – Experts gathered for the ongoing InfoWorld Enterprise Data Protection Forum in New York Tuesday said that companies need to get a better handle on all the factors that make their sensitive information susceptible to attack and become more proactive with their overall defensive strategies if they are to improve on their current security status.
In a panel presentation featuring leading security executives and consultants, experts highlighted a need for businesses to study all the elements that contribute to classifying their most valuable information as truly sensitive.
Protecting records whose value is immediately apparent — such as social security and credit card numbers — isn’t enough as companies must also shroud any related data that can be used to create an individual profile that could be used to carry out identity theft or other forms of fraud, the speakers said.
By defending all the contextual data that can be used to create such a picture, enterprises can greatly reduce their risk and move beyond more obvious strategizing, said C. Warren Axelrod, chief privacy officer at financial services giant U.S. Trust.
“What’s interesting in financial services is that it is the combination of data that becomes valuable information when it comes together to create an identity,” Axelrod said. “If you are just going to file away social security numbers with no way to tie them to identity, they’re actually pretty innocuous; but even if you just have a way to associate that information to a phone number or other data, someone can put things together.”
Axelrod said for the record that “data protection is a contradiction in terms,” and that the process will never be perfected, based on the nature of IT systems and the need for businesses to easy retain access to important information.
The only way to effectively improve data security is to create a governance hierarchy that allows IT workers to better classify all types of information and to elevate protection of anything that can be used to create an individual portrait, he said.
IT consultants agreed, saying that they are advising their customers to use contextual data to help carry out their regulatory compliance projects with greater efficacy.
“It’s the context that data is used in that qualifies it for regulatory oversight,” said Peter Robinson, senior manager for financial services information security at BearingPoint. “You have to protect both the data and all this other information.”
Perhaps the biggest challenge facing enterprises today in improving their overall data security strategy is becoming more proactive about trying to expect attempted misuse or theft of information, and putting more intelligent tools in place to defend themselves before those situations arise, said Pamela Fusco, chief security strategist at consultancy FishNet.
Fusco, who chaired the panel, is also a former chief security officer at financial services bellwether Citigroup.
“We don’t write a law unless something happens first, as with seat belt laws. We write regulations because something happens, but those are reactive,” Fusco said. “Most consultants feel as if we’re in reactive versus proactive mode for data protection and integrity.”
Regulations like the Sarbanes-Oxley Act have proven less effective than legislators might have initially hoped they would be at improving overall data security because businesses have focused on meeting the terms of the guidelines versus boosting their overarching protection schemes, Fusco and other panelists agreed.
However, some industry-driven security requirements, such as the PCI (payment card industry) standard forwarded by credit card issuers, have had the desired effect, experts said.
Well-written guidelines can help make the difficult task of convincing senior executives to increase their IT security budgets easier, alleviating one of the most significant challenges of the entire data protection process, according to Steve Peltzman, chief information officer at the Museum of Modern Art in New York.
“We had to spend a lot of time and money on [PCI], but now I’m thankful for it because I don’t have to go through the same routine of convincing everyone that this effort is important,” Peltzman said. “The credit card companies got together and made it more expensive for us not to deal with [data protection], which is a good example of industry coming together to create a standard that’s actually good.”
In a seemingly-rare occurrence, the security experts agreed that the creation of an additional, worldwide data protection standard — as proposed to the assembled group by FishNet’s Fusco — could prove useful in furthering their efforts to secure attention and funding for their data protection strategies.
For global companies in particular, establishing such a global guideline could be effective, they said.
“The international difference in data protection priorities is an issue. If it could be resolved to where we could get universal classification and more people building innovative solutions, that could be a big benefit,” said Erich Mueller, security analyst for Allstate Insurance.
BearingPoint’s Robinson agreed that such a standard could provide much needed support for security pros.
“Anything that can advance the understanding and foster the culture of security in the executive suite is a positive. We’ve all been trying to do things like this for ourselves for years,” Robinson said. “A standard that can help shorten the education cycle and get us where we need to be is something that I would support.”