2011 Data Protection AgendaLessons Leaders Have Learned from WikiLeaks
Specifically, security leaders say they now need to assess the content of their written communications - and probably the way they think and operate - out of fear of public disclosure of confidential information.
"Reputation damage" is the operative term, and among the action items on leaders' agendas:
The issue is much more than preventing a breach or data loss, it is how leadership roles need to change.
Re-Evaluate Access. "IT leaders should reassess how their organizations are addressing need-to-know requirements relative to access to sensitive data," says Patrick Howard, chief information security officer at the Nuclear Regulatory Commission. Security leaders need to be able to prove to other organizations that they are appropriately protecting information shared with them, and provide assurance that access to sensitive information is based on need-to-know, and also that the need is continually assessed using sound management procedures.
An action item in this area is to initiate effective personal evaluation processes to ensure that the behavior of trusted users is monitored regularly to reassure they deserve the trust granted to them, says Howard. Leaders will now spend more time gauging and understanding their employees' intent and motives.
Risk Assessment. This is a good time for IT security leaders to review their current practices, risk posture and to validate that solid controls are in place. Security leadership should focus on their own information, what the associated risks are of how it is used, how it is accessed and by whom, says Robert Stroud, vice president at CA Technologies. "It is important for those in security to understand the information that their enterprise has and what its risk level and classification are."
Incident Response. Also on the radar for 2011 is focus on effective business continuity and incident response planning to combat such events as the WikiLeaks disclosures. "Senior security leaders should already be prepared to handle security breaches," says Stroud. "Diligence is critical, and security leaders cannot become complacent once they have established their security program."
The 2011 data protection agenda for security leaders, therefore, goes beyond establishing appropriate controls; managing the flow of corporate-wide information; granting rightful employee access; and monitoring trusted users. It involves taking up complete ownership of building and protecting a reputation.
The issue is much more than preventing a breach or data loss; it is how leadership roles need to change going forward in terms of protecting reputational risk. The agenda ultimately comes down to how leaders grasp the significance of the threat and steps they take to anticipate and respond to such events.
Given this new climate, what is on your 2011 leadership agenda for data protection?