Discuss data security before disaster arises

«What do you mean, you’re shutting down the network for an hour?,” shouts the frustrated Sales Director.   “Do you have any idea how that will affect our customer service? Don’t you know what an hour is worth to us in our busiest season?   After all, we have to make money somehow to pay for your endless system upgrades!”

«And how would your precious customers feel if we didn’t protect their data properly?” the IT Director spits back.  “Do you have a clue what we’re risking if we don’t perform the maintenance? Sure, hold it up again, but don’t blame me if client data mysteriously gets corrupted or compromised.»

Ever hear a conversation like this one? They happen every day in companies of all sizes. Businesses today rely on computers for every aspect of their operations. They count on their IT departments to keep everything running smoothly. But those making the business decisions and those supporting the technology often speak completely different languages.

The typical business executive considers his IT department a necessary (but often excessive) administrative expense. He never calls anyone in that department unless he’s having problems with his email or Blackberry. In that case, he wants the problem solved immediately, preferably while he is out of the room.

The average IT specialist considers her business colleague a Luddite who refuses to learn how to properly use technology, fails to understand the importance of security measures, and stubbornly resists essential expenditures and maintenance.

In most cases, they dedicate little or no time to talking at all.

This failure to communicate can result in major business risks, whether from fraud, theft or just simple error. The more than two dozen security breaches logged in just October 2006 by Privacy Rights Clearinghouse (www.privacyrights.org) cross the country and touch all industries. For example:

§         names and social security numbers of 4,624 Floridians who had registered for with Florida’s Agency for Workforce Innovation were accessible on the internet for about 18 days

§         CDs containing personal information on 6,939 Seattle-Tacoma airport workers were stolen

§         a laptop containing the names and social security numbers of approximately 14,000 households participating in the Allina Hospitals and Clinics Obstetrics home-care program in Minnesota was stolen.

§         a hacker broke into the Congressional Budget Office’s mailing list

§         the Republican National Committee emailed a list of donors names, social security numbers and races to a New York Sun reporter, and

§         the non-profit Illinois Ballot Integrity Project hacker into Chicago’s voter database, compromising the names social security numbers and birthdates of 1.35 million residents, making an important statement about the affect of poor security on more than just financial data.

Improving communication and instituting proper procedures can lessen any organization’s exposure – plus improve productivity and profit.

Here’s a step-by-step guide to resolving these problems.

1.      Designate an Information Security Officer (ISO). This should be someone who has a solid understanding of both the business needs and the technology considerations. He or she has likely been with the organization or industry for some time, and may have observed or participated in the introduction of new technologies over the years.

The individual must have the ability to communicate the potential impacts to the business if security risks are not addressed.  The key to success in this role is a global perspective – this person must be able to understand how technology serves the business, have a strong grasp of the organization’s long and short-term strategies and have the independence to escalate information security issues.

2.      Open regular communication lines. The ISO should begin by setting regular meetings with all executives to address risks with current operations and future projects.

The ISO should take up immediate issues first. This could include conflicts between various business users and the IT staff in general, or just the general “they don’t understand me” issues. The ISO should help address these openly. Tactics should include developing a common framework to understand for the true nature of the problems, aligning technology and security measures with business risks, and translating technology constraints into business terms

3.      Establish rules and enforce them.  The next step is to formalize an IT governance process with documented policies and controls.  Representatives from different departments, including IT, should develop this manual together as a task force led by the ISO. The manual should include procedures for hiring, training and terminating employees, system back-up, data retention and disposal policies, incident management, software development, IT operations, disaster recovery procedures and more.

This security document will formalize procedures, specify steps to be taken and identify who is accountable for implementing each step. The ISO will enforce all policies.

Establishing metrics for the procedures may be valuable at this point: a regular snapshot on their activities will help executives understand what needs to be done to align operations with company wide objectives.

4.      Harness the two teams’ innovative energy.   In addition to the regular meetings to address issues and performance, an annual review may be a useful tool in many organizations.

At this event, IT staff and users will participate together in facilitated exercises to review past performance and identify improvement opportunities, key business challenges and determine where technology might help resolve them. This exercise has two objectives:

§         team building across the departments, and

§         generation of valuable business improvement ideas.

5.      Review and update the manual regularly. The introduction of new and more sophisticated technologies is certain to create new security risks. The wise ISO, with help of the business users, will regularly update the IT governance framework to meet changing circumstances.

While no system is infallible, improving communications and instituting a reliable program of policies and procedures will help businesses manage risks and develop the most cost-effective ways to protect their information assets.

Jorge Rey is an Information Technology Manager at Kaufman, Rossin & Co, one of Florida’s largest independent accounting firms. He consults  with businesses of all types and sizes, performing information risk assessments, designing business process improvements and implementing security programs.