2015 Observations Regarding Security and Organizational Blindness (still applies today)
The Problem - Lack of Resiliency
The state of privacy and (in)security initiatives is fragmented: they are insulated by organizational silos and lack fully integrated thought processes that address the issues affecting brand reputation. Significant exposures exist for costly litigation, continued organizational ineffectiveness and a reluctance to fully minimize the potential for an embarrassing and costly business event.
US businesses can be categorized into two major types, each having their own challenges in the privacy and security spaces. These are, quite simply, large enterprise entities, and the SMB (Small Medium Business) sector.
AT&T recently published a study revealing a 458% increase (over 2014) in attempted security incursions and documented that 78% of employees do not follow the security policies set forth by their employers.
Enterprise Space
Enterprises are responsible for the largest numbers of records compromised. The Privacy Rights Clearinghouse reports that for the period from 2014 through mid-2015, 216,670,652 records were compromised in 426 separate breaches.
Governance (Board oversight) is remiss in not creating positions to shepherd and oversee security and business resilience. Privacy and security oversight currently sits in the domain of Information Technology. Looking at the results, one could opine that it is in the best interests of business to change Board composition and leadership, moving security and privacy responsibilities into a separate, independent peer-level position in order to more fully enhance shareholder value.
SMB Space
Comprising 85% of American business, SMB can be considered the Wild West of privacy and security. Almost all have an electronic presence and an in-house automated ERP system. Leadership is reluctant to invest in non-revenue-producing positions, and when something bad happens, they tend to ignore or cover up the event. It is simply a fact of life that protecting a paycheck may be more important than identifying and reporting the theft of financial or personal information. Beset by other problems deemed more important, such as fraud, inventory shrinkage or cash flow, ownership / leadership attention is consumed, relegating the important issues of privacy / security and resiliency not to a back burner but totally off any planning horizon.
Federal
Federal oversight is an oxymoron. Track records have been abysmal, as documented by various breach reports. New legislative frameworks providing specific guidance are taking forever to formulate, may not be a priority to new leadership after the elections, and only add additional layers of government oversight, fortifying some of the reasons to ignore an incident rather than fully report it.
Summary
The mantle of Information Technology, as the gatekeeper to all that is private, has been wrongly assigned. IT attempts to surround and protect all sensitive information, but does not consistently monitor the changing threat landscape. This requires multi-disciplined skills. Without leadership mandates from the very top, the organization will wander aimlessly making the same breach-prone mistakes.
Existing security / privacy practitioners are not effective when permanently embedded within an enterprise.
A) Knowledge becomes obsolete quickly in a static place while the threat environment constantly shifts.
B) The only security view is that of their own enterprise.
C) Limited experience in looking outward at the security / privacy horizon.
D) Technologically stale.
E) Information technology silo, educated and driven by vendor products and services.
F) CIOs, CISOs and IT managers protect their turf and budgets.
G) Recent breaches have been large and sudden, indicating that new methods were found to breach that turf and gain access to protected information.
The Solution and Value Proposition
Thousands of former IT programmers are now “Social Media Consultants” and “Security Consultants”. The knowledge they have is of a specific environment and a certain industry. Do they make good consultants? Maybe.
The key to providing a solid value proposition is 1) providing multiple skill sets without the need to hire multiple SMEs, 2) experience with ownership and leadership teams, and 3) building teams by educating others in understanding business objectives, challenges and performance criteria relating to business resiliency.
Resiliency practices start at the very top of an organization. Well-defined corporate policies and procedures, clearly communicated and enforced practices, and mandatory periodic updates keep management and the workforce informed about new potential hazards.
Security and Privacy require buy-ins from everyone. People don’t buy into something they don’t fully understand.
Multi-dimensional business acumen guards the bottom line by driving and executing financial processes, technology initiatives and business strategies in the SMB and Enterprise spaces. Providing the following successfully adds value to existing enterprises:
· Interim executive services (CxO)
· Acquisition and merger support for information technology consolidations and financial reporting
· Revenue reconstruction, projections and pro-forma models
· Creation of corporate policies and procedures consistent with business objectives addressing privacy and security
· Compliance oversight and implementation of standards / controls across an enterprise
· Technology and management gap assessments, change and transition management
· Disaster recovery, business continuity, loss mitigation and return to normal operations
· GRC and Corporate Audit / Compliance Committee composition
· External audits, certifications and annual assessments
Our industry involvement and experience covers accounting / finance, corporate governance and operations, information technology, staffing, business development, startups, funding, investor relations and management assessments:
· Credit and Collection ($30M-$59M)
· Medical ($30M-$59M)
· Manufacturing ($300M-$399M)
· Transportation ($3M-$9M)
· Consumer Services and Packaged Goods ($300M-$399M)
· Building Materials ($10M-$29M)
· Wholesale Distribution ($10M-$29M)
· Construction ($3M-$9M)
· Banking ($60M-$99M)
· Food Industry ($3M-$9M)
· Telecommunications ($300M-$399M)
· Hospitality ($30M-$59M)
· Accounting Firms ($10M-$29M)
· Mining ($30M-$59M)
· Radio Broadcast ($3M-$10M)
· Technology Developers ($30M-$59M)
· Legal Firms ($3M-$9M)
· Not-for-Profits ($200M-$299M)
Change is the norm. New business conditions bring about change through acquisition or merger, risks in the economic environment or shifts in the landscape, shaking the foundations of your business. Can you address the threats and capture the intelligence you need to avoid, adapt to and benefit from these changes while minimizing business risk? If not, you're at a disadvantage. You need greater insight to seize business opportunities or greater market share, and to do it profitably and securely.