Commentary
6/15/2011
05:10 PM
Chris Murphy

Global CIO: We Need A Better Breach Disclosure Playbook

Every data breach feels like an ad hoc disclosure exercise. The risks? Heavy-handed government regs and eroding public confidence.

Cybersecurity is the most complicated and high-stakes problem in IT today, and the good guys look flummoxed. When companies from Sony to RSA to Epsilon to Lockheed Martin struggle with the best public response to an attack, it sends the message that businesses don't have a good handle on how to react to an IT security crisis.

And when businesses are seen as not dealing with a major problem effectively, the next step is predictable: Send in the regulators.

RSA, as one of the most respected companies in IT security, had a chance to write the playbook for reacting to a breach after it was hacked in March. As documented by my colleague Kelly Jackson Higgins at Dark Reading, RSA was tight-lipped about the attack, working behind the scenes with customers on remediation but offering scant public information. No doubt RSA had the best intentions in disclosing very little in chairman Art Coviello's initial public letter about the breach. The token technology the crooks targeted is used by companies to protect data, so RSA was likely wary of giving out information that attackers could use.

Once Lockheed Martin revealed in June it had been (unsuccessfully) attacked, in part using RSA token data compromised in the March breach, RSA offered a few more glimpses. RSA had considered the threat limited to companies using tokens to protect intellectual property, Coviello said, so it prioritized efforts around defense contractors and government agencies. It then offered to replace tokens for certain groups of customers. Perhaps, given the risks, RSA felt in March like a need-to-know approach was its only option. Still, it feels like an opportunity missed, as other companies won't learn much from this security expert's experience.

I'm not an information security expert, and that's part of my point. Looking from the outside, it feels like every data breach is an ad hoc exercise. Every company must learn its lessons from scratch, and the public doesn't know what information it should expect.

Paul Ducklin, head of technology in Asia-Pacific for security software firm Sophos, suggests four things every company should explain when disclosing a breach:

>> How the problem arose.

>> What holes the breach introduced (and what it did not).

>> How those holes can be closed.

>> What is being done to prevent breaches from happening again.

It's a no-nonsense starting point for a public discussion on disclosure. For companies to have any hope of avoiding onerous regulations on handling personal data, they must show they're serious. (President Obama has proposed national standards for breach notification.)

More important than avoiding onerous regulations is maintaining public confidence.

Data security isn't one industry, though. It's an equal opportunity disaster--who would've put Sony among the highest-risk targets? A drugmaker or automaker knows at some point it will have a recall or safety problem, so those industries have developed some norms and expectations for dealing with and disclosing problems. Companies need a similar common road map for data, and those with the most at stake--banks, security firms, the Web data giants, big federal agencies--should lead the discussion. This will never be easy. There will always be judgment calls. But companies need to create a better playbook than they have today. If they don't, they can count on getting a bigger rulebook from lawmakers.
