Fragmentation of Knowledge Spurs Breaches

September 15, 2009 by ADMIN

By Danny Lieberman, Security Expert and Founder of Software Associates

Fragmentation of Knowledge is a root cause of data breaches.

It’s almost a cliché to say that the security and compliance industry has done a poor job of preventing data breaches, with over 245 million personal records breached in the past 5 years.

It is apparent that government regulation is ineffective in preventing identity theft and major data loss events.

Given: direct data security countermeasures go a long way; data loss prevention and network surveillance work well inside a feedback loop to improve the security of systems, increase employee awareness and support management accountability.

However: I believe that even if every business deployed the Fidelis XPS Extrusion Prevention system, Verdasys Digital Guardian or the Websense Data Security suite, we would still have major data loss events.

This is because a major data loss event has three characteristics:

  • It appears as a complete surprise to the organization
  • It has a major impact, to the point of maiming or destroying the company
  • After it has appeared, it is ‘explained’ by human hindsight

The cause of the surprise is, in most cases, a lack of knowledge: not knowing the current range of data security threat scenarios in the wild, or not even knowing the top 10 threats in your type of business.

The root cause of this lack of knowledge is the fragmentation of knowledge itself.

Every business, from SME to Global 2000, deals with security issues and amasses its own best practices and knowledge base of how to protect its information.

But the knowledge is fragmented, since business organizations don’t share their loss data, and the dozens or maybe hundreds of vendor web sites that do disclose and categorize attacks don’t provide the business context of a loss event.

Fragmentation leads to waste and duplication, as well as frustrating, expensive and sometimes dangerous experiences for companies facing a data loss event.

So what’s the solution?

With our clients, we see growing evidence that the more organized a company is in its security operation, with a single security organization responsible for digital assets, physical security, permissions management and compliance, the better the security it delivers.

What’s more, such companies may be able to reduce value at risk at lower cost, thanks to higher levels of competence, knowledge and economy of scale.

The concept of sharing best practices and aggregating support so that companies of all sizes can access knowledge and support resources is not new; it’s a common theme in the industrial safety and Free and Open Source worlds, to name two.

I imagine that there are a few more examples I am not familiar with. But what’s in it for security professionals?

In addition to the satisfaction and prestige of helping colleagues, how about learning from the biggest and best practitioners in the world, having access to resources to improve your own systems and procedures, and having the ability to analyze the history of a data loss event from disclosure to analysis to remediation?

How about having peers with a common goal of providing the best security for customers?

It’s time for policymakers and large commercial organizations to support organized security knowledge sharing systems, starting with compensation for employees and independent consultants that rewards high-quality, coordinated, customer-centric security across the full continuum of security, not just point technology solutions or professional regulatory services.

And it’s time for firms to recognize that sharing some data may be worth the benefits to them and their customers.

Danny Lieberman is a serial technology innovator and leader, implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003, Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention/extrusion prevention technology.

Danny’s data security business, Software Associates, provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at +972 54 447 1114; he is always looking for interesting projects and ideas.

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Comments

One Comment on Fragmentation of Knowledge Spurs Breaches

Brenda on Wed, 16th Sep 2009 10:06 pm

    Well written.

    But you failed to factor in the high level of apathy and a higher “I don’t really care” mentality replete within the business environment WRT protecting data. And this starts at the top. Based on my firm’s experience, these two considerations are more detrimental than the fragmentation of knowledge.

    The problem is “over delegation” driven by the temptation to make security someone else’s responsibility. And as long as regulatory compliances are met (the bare minimum) security doesn’t move from the cost center column to the security priority column sadly until there’s a breach.
