Blog

Legislating Social Privacy
July 30, 2010
There’s a great deal of talk these days about privacy and social media. Specifically, services like Google, Facebook, Twitter, and other popular social networking platforms are coming under increased scrutiny over their privacy policies and data sharing practices.

When Privileged Access is no longer a Privilege
July 19, 2010
I just read an interesting multi-part investigative report in the Washington Post about how intelligence gathering – and the bureaucracy that has risen since September 11, 2001 to facilitate the harvest and analysis of that information – has spun beyond the federal government’s control, not to mention its ability to make use of the sheer abundance of information.


Dr. Ponemon's blog

Information Governance in the Cloud

July 15, 2010

Just a brief note to bring our recent webinar to your attention.  I presented Information Governance in the Cloud along with the good people at Symantec.  The presentation is based in part on results from our earlier report, Flying Blind in the Cloud.

If you want to view the webinar, presented on the Windows Live Meeting platform, please click here.

If you have any questions or comments about this issue, our report, or the webinar, we'd love to hear from you.

Thanks!

Posted by Dr. Larry Ponemon at 11:08 am

Integrated, Holistic Security Strategies

July 12, 2010

Holistic is a popular word these days. Often applied to food and medicine, the word conjures images of natural, healthy living, but holistic properly refers to the functioning of an entity as a whole, including the interdependence of all its parts. Given this broader meaning, holistic can (and should) be applied when thinking strategically about the way a business organization operates. Successful, well-functioning organizations must adapt to change, be flexible in their relationships, and be innovative in their approach to business. They must not only have the capacity to react to change, but also to anticipate it and act on it.

The tendency for businesses to regard different functions based on a department’s purpose or a division’s mission can result in segmentation, causing strategies to be developed independent of each other. However, when you think about the many ways sensitive, proprietary, and private information is distributed throughout an enterprise – and between partners – the term holistic begins to make more sense in an information security context.
The Ponemon Institute has been working closely with Unisys Corporation to better understand the ways organizations use and manage data, and to think about new ways to approach applying integrated, holistic information security for today’s data-intensive business challenges. As a foundational step, we designed a new study that would allow us to benchmark current security strategies in use by 59 companies that are recognized information security leaders in their industries. By focusing on strategy rather than tactics, we believe we’ve identified a number of characteristics that can be used by any organization to evaluate and create a new approach to information security.
I’ll outline some of what we learned here, but understand that the results of this study cannot be adequately conveyed in a brief blog posting.
·         Ninety percent of study participants agreed or strongly agreed that aligning security with explicitly defined business objectives is the single most important purpose of a security strategy;
·         The most important priorities for a successful security strategy are to focus on people (42%), technology (39%), processes (14%), and policies (5%);
·         In order to adapt to both changing business needs and a changing threat environment, 71 percent of study participants agreed or strongly agreed that security objectives must be flexible, and that rigid objectives may stymie operations; and,
·         Seventy five percent of participants agreed or strongly agreed that collaboration between departments and business units is essential to achieving security objectives.
Overall we measured 16 characteristics of a successful security strategy and, through our research, feel we’ve been able to reach a number of important conclusions about what the results of our study mean as you work to design and implement the best possible strategy for your organization.
Of course we are excited about what we’ve learned and would love to share that knowledge with you in greater detail. If you’d like to have a copy of the benchmark report, Security Integrated & Holistic: Benchmark Study of IT Security Leaders, let us know. If you would like to have a discussion about what these findings mean for your organization, please give us a call.
And if you have any thoughts you’d like to share, please add your comments to this blog. We’d love to hear from you.

Posted by Dr. Larry Ponemon at 8:30 am

Benchmarking Information Security Efficiency

July 1, 2010

Recently the Ponemon Institute completed a new project, the Security Efficiency Benchmark Study, the purpose of which was to learn what IT security leaders in the UK and Europe think are the key components of an efficient and effective security operation. In other words, we wanted to know what is necessary for achieving data security goals and protecting information assets and infrastructure.

As more and more organizations appoint chief information security officers and increase investments in IT security, there is a reasonable expectation that threats will be addressed – but how can the success of a security program be measured? To help answer this critical question we were commissioned by Vistorm and Check Point to create what we call the Security Efficiency Framework as a methodology to help organizations understand the most operationally efficient route to their desired security posture. We presented the results of our benchmark study and Framework in a recent webinar, the archive of which can be heard here.

The first step in developing the Framework was to interview the security leaders of 101 UK and European organizations in order to empirically validate the key components of an effective and efficient security operation. We learned that there is a general consistency in the way IT security leaders frame operational efficiency in the domain of information security and data protection. The key drivers of better efficiency are technologies, control practices and overall program oversight. They also see the importance of organizational culture and budget in driving improvements in operational efficiency.

In addition, our research finds general agreement among IT security leaders about the underlying factors that give rise to better operational efficiency, which include the following:

·         Appoint a CISO or organizational leader for information security
·         Initiate training and awareness programs on data protection and security for end-users
·         Achieve an organizational culture that respects privacy and data protection
·         Obtain executive-level support for security.
·         Deploy strong endpoint controls
 
Our research also revealed the characteristics of an organization that is not operationally efficient:  
·         Do not achieve a high security posture
·         Do not have ample budget or resources
·         Do not deploy strong perimeter controls
·         Do not have credentialed or experienced staff
·         Do not have an enterprise security strategy.
 
We hope you find this information worthwhile. Please contact the Institute if you have any questions related to this study, our Framework, or other related questions.
 

 

Posted by Dr. Larry Ponemon at 4:07 pm

Think Before you Cloud

May 13, 2010

A few years ago, when wireless networking was still relatively new, there were numerous reports of enterprising employees who, frustrated with the pace of new technology integration in their workplace, took it upon themselves to deploy rogue access points – often hidden behind furniture or above drop-down ceiling panels – in order to provide convenient mobility around the office.

 
The problem was that these clandestine devices, while providing a benefit to the user, were not industrial strength and lacked the security features needed to protect the integrity of the network and its data. Access to corporate networks and data was convenient not only for those aware of the jury-rigged system, but for anyone snooping for a signal.
 
The measured pace of adoption was not because IT departments were ignorant of the advantages of wireless networking, but because IT departments knew the risks involved and needed to take a strategic approach to integration; they needed to make sure the introduction of new technology would not be at odds with security.
 
We see this same scenario play out every time there is a significant innovation in technology that has clear upside potential for business: adoption runs ahead of evaluation. Today, it’s happening with cloud computing as our recent study, made possible through the generous support of our friends at CA, reveals. For example:
·         Only 47 percent of the 642 IT and IT security practitioners we surveyed said the cloud computing resources their organizations use were evaluated for security before deployment; and,
·         Just over half of those we surveyed said they were unaware of all the cloud computing applications being used by their organizations.
 
We are well aware of the advantages companies can derive from cloud computing, but we cannot endorse the adoption of any new product or technology without adequate evaluation. Information security and data privacy are at greater risk anytime these assets are stored with a third-party. Policies must be developed, used, and enforced to ensure all cloud computing applications meet an organization’s standard for security and are in keeping with both departmental and corporate strategic goals.
 
Are you aware of what cloud applications your organization has adopted?

Posted by Dr. Larry Ponemon at 9:02 am

Fear and Loathing in Online Advertising

May 3, 2010

Have you ever seen an interactive advertisement while browsing around on the Web and, even though it was from a brand that you recognized promoting a product, service or event that you found interesting, you simply refused to click on the image because of a nagging sense of trepidation? What really lies beyond that alluring digital veil? Is the offer worth the risk? What of my digital privacy might I be giving up by responding to that message?

Me too… and according to our latest study, those fears are not lost on industry.

We talked to senior marketing executives – decision makers and check signers – with 90 organizations from a broad spectrum of industries that are actively engaged in online marketing. In total these firms account for more than $3 billion in annual revenue, and they believe wholeheartedly in the efficacy of the medium. According to our research, 63 percent of those we surveyed said behavioral advertising generated their greatest return on investment.

Yet 98 percent told us that, because of consumers’ privacy fears, their companies are curtailing investments in online behavioral targeting. These companies are willing to sacrifice the revenue they believe they can generate through an online campaign rather than risk the potential hit to brand reputation for being as aggressive as they would like to be.  Overall that curtailment has kept more than $600 million out of the behavioral targeting industry.

Looking beyond the financial impact, the results of this study strongly suggest that, contrary to what some might say, self-regulation works. I don’t mean to suggest that consumer and privacy advocates are acting like Chicken Little when they lobby regulators with dire messages and thinly veiled accusations of treachery directed at the behavioral targeting industry. To the contrary; in order for self regulation to work effectively there needs to be a rigorous and active dialog that includes industry and consumer advocates as well as the engagement of an objective regulatory body.
The goal of that dialog should not be to force the unconditional surrender of the so-called opposition, but the development of true solutions to the very real potential for misuse or unintended abuse of personal information. Consumers have long benefitted from advertising in its many forms. Radio, television, print, and a great deal of online content is made freely available because of the revenue generated by the sale of advertising space.
As we conclude in our report, “the Internet advertising community should work closely with the privacy community and regulators to find ways that substantially reduce the public’s fears about actual and perceived privacy risks when responding to behaviorally targeted ads. To this end, better disclosure models, consumer education, effective consent mechanisms and enabling technologies will help advance the cause of safe and effective Internet advertising.”
 
Has your company spent less online because of these fears?  Do you think behavioral advertising self-regulation is working in favor of the consumer?  Do you want to see more or less regulation of this industry?  Let us know what you think.

Posted by Dr. Larry Ponemon at 2:21 pm

The Road to Data Breach is Paved with Good Intentions

April 19, 2010

We recently completed some new research with Accenture in which we were surprised to find that, in spite of all the attention being paid to data protection, and in spite of new and updated data protection regulations, complacency is beginning to settle in among many companies.

 
Yes, I said complacency.
 
Oh, don’t get me wrong: most organizations have good intentions with regard to data protection, but we all know where the road paved with good intentions leads.
 
Here are two key findings we learned through the new study:
 
·         Although 70 percent of both organizations and individual respondents agreed that organizations should secure individuals’ personal information, disclose how they use it and deal with the ramifications of losing it, nearly half were ambivalent about granting individuals control over their personal information, did not place a high priority on several critical aspects of consumer privacy and did not believe typical privacy practices were important.
 
·         While 58 percent of organizations experienced at least one security breach in the past two years, 31 percent did not. The group that had no breaches displayed some substantial differences in attitudes and policies regarding data privacy and protection. In particular, they demonstrated the belief that individuals have substantial rights to manage, correct and control their personal information and to understand how such information is being used. They also were more likely to feel a stronger obligation to uphold data privacy and protection, and to have policies that make the protection of sensitive data a high priority. Furthermore, organizations with no breaches tend to take a stricter view of appropriate uses of personal information—for instance, being far less likely to believe it is appropriate to sell personal data for profit.
 
This suggests a strong correlation between an organization’s level of respect for an individual’s personal data and the likelihood that the organization will suffer a data breach.
 
By establishing an environment within an organization that encourages employees to see data as an extension of the customer and not merely something owned by the company, thereby fostering the development of a “culture of caring,” data privacy and information security programs become more effective.
 
To download a copy of the report, please visit the Accenture website.

Posted by Dr. Larry Ponemon at 12:25 pm

Security in the Trenches

April 14, 2010

We just completed a survey of federal IT security professionals to examine the data protection posture of government agencies. Through the survey, sponsored by CA, we wanted to see whether or not there is consistency in the perception of rank-and-file employees and executive management as it pertains to the safeguarding of sensitive information, regulatory compliance, and the day-to-day management and execution of a security program.

 
What we found was interesting, and in keeping with what we’ve seen in the private sector: executives tend to view the information security programs they manage more positively than do the employees who actually carry out the plans.
 
That might not seem like a surprising result, but any time we can quantify what may appear to be an intuitive conclusion, it’s a helpful outcome. Progress in addressing operational challenges should be based on fact, and while trusting one’s gut may sometimes be helpful, our data suggest that the gut may not always be reliable. As the old saying goes, “trust, but verify.”
 
What we did find surprising as a result of our report, Security in the Trenches: Comparative Study of IT practitioners and Executives in the U.S. Federal Government, (available at CA’s web site) was how big some of the gaps were. Some examples:
 
·         While 62 percent of rank-and-file staff believed password management to be important, only 31 percent of executives agreed: a 31-point gap.
·         The importance of training and awareness for end-users and for privacy and security professionals showed gaps of 21 percent and 20 percent respectively. Sixty-two percent and 63 percent of IT staff see training of end users and security experts as very important, while only 41 percent and 43 percent of executives agree.
·         Confidence in organizational compliance with regulations such as FISMA is low among federal agencies, but rank and file employees believe a lack of leadership is to blame, while executives see the problem as poor enforcement.
 
The takeaway for federal agencies – but a lesson for all organizations struggling with information security challenges – is in recognizing that these discrepancies could impact an agency’s ability to properly secure its IT environment and manage risk.
 
Rather than trusting your gut, why not sit down with the folks in the trenches and listen to what they have to say about their experiences executing against the mandates they’ve been given? Understanding the challenges they face each day may help to better identify some of the ways you can make significant improvements in your organization’s risk management and security readiness strategy.
 
Let us know what you think about this report, and let us know what you've learned by talking to the pros in your trenches.

Posted by Dr. Larry Ponemon at 10:23 am

RSA Keynote Address by PGP CEO Phil Dunkelberger

March 23, 2010

Phil Dunkelberger RSA Keynote - Abridged

“Those that cannot remember the past are doomed to repeat it.”
-George Santayana
The history of the information technology sector is one of constant transformation and reinvention. Whether it’s hardware platforms migrating from mainframes to mini-computers, to personal computers to smart phones or proprietary application interfaces being recreated for web browsers, the IT sector has distinguished itself by its rate of innovation and the ability to transition from one computing model to another with ever increasing speed.
 
The other thing at which the IT industry has proven itself adept is layering on information security solutions in the wake of the widespread adoption of each successive computing architecture. What the security approaches of each of these eras had in common is that they were designed and deployed well after the architecture (and its inherent vulnerabilities) had been deployed. We’ve literally spent generations attempting to lock the barn door days after the cows escaped. Unless we want to repeat this particular piece of our industry’s history, we will need to take a fundamentally different approach as we migrate data and applications into the cloud. 
 
The difference with this transition is that we have the opportunity and obligation to build security in from the start. With the average cost of a data breach now at $204 per record or about $6.75 million per incident, this is an issue worthy of very special focus from IT and security professionals globally.
 
As many of you know we lost my old friend, and former Chairman of the Board at PGP Corporation, Max Hopper, earlier this year. Max was responsible for many of the most innovative consumer facing IT systems ever developed including American Airlines’ AAdvantage mileage program and Bank of America’s Versateler network. Max taught me a long time ago that the secret to successful information security was to make absolutely certain you got two things right:
·         Access and Authentication
·         Protection of data in motion and at rest
 
I asked Max on more than one occasion what else was on the list and his reply was always…”That’s pretty much it”.
 
Fortunately, most of the technologies required to achieve what Max taught us was important already exist. The challenge is that we now need to adapt the existing authentication and encryption technologies to the cloud environment. There are, however, a few new aspects of cloud computing we’ll need to consider as we do this:
 
First, enterprises will need to operate and interact with more than one cloud environment. There will be hosted application clouds, infrastructure clouds, web hosting clouds, custom application, etc. Each of these cloud environments will present potentially new vulnerabilities that hackers will attempt to exploit in pursuit of the data each holds and we’ll need a well thought out threat based protection model to address them well.
 
Second, the regulatory environment will make deployment of comprehensive cloud based data protection systems not just a business imperative, but also a legal one. Even if your business isn’t covered by the existing requirements of HIPAA, SB-1386, Sarbanes-Oxley, or the EU Privacy Directive, you certainly will have new compliance requirements emerge from the data protection legislation pending in the U.S. Congress.
 
Third, as the TJ Maxx breach in 2007 and the Aurora attack earlier this year demonstrated, hacking into public and private sector networks is no longer the sole province of bored graduate students and script kiddies. It’s now dominated by well-organized and well funded organized crime syndicates and nation states. The line between cybercrime and cyberwar has begun to blur and only a very well designed and coordinated collaboration between the public and private sector will enable us to address the growing threats both now pose.
 
Finally, the proliferation of cloud based applications and services combined with the global deployment of what we now call smart phones, will dramatically expand the requirement to get the Access & Authentication about which Max was so emphatic “right”. People, devices, applications and entire cloud infrastructures will all interact constantly in an increasingly hostile environment. Consequently, we’ll need to have a global trust system in place that allows each of these entities to authenticate their identity and veracity to one another in support of each interaction and transaction.
 
We are early in our journey to the cloud and we have some time to develop the security systems needed to fully leverage the promise of cloud based computing. But, this is one of those situations where time will move very, very quickly. If we don’t focus on building this new computing infrastructure securely from the start, it will very soon become too late to ever secure it correctly and we will, indeed, be doomed to repeat history.

Posted by Dr. Larry Ponemon at 12:03 pm

Training Is the Strongest Link

December 10, 2009

Today we held a RIM College event featuring three noted experts in corporate privacy training programs -- namely, Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro).  Our focus is: what are leading companies doing to achieve awareness and knowledge about privacy and data protection requirements?

To minimize insider threats within the corporate environment, I believe there is nothing more important than educating the workforce. Despite its importance, our Institute's benchmark results suggest organizations are not doing enough to educate employees, temporary employees and contractors. Here are some of our less than stellar results based on benchmarks of US based multinational organizations:

Only 68% of benchmarked organizations have a formal privacy training program and only 32% of these organizations consider this training event mandatory.

Only 38% of benchmarked organizations provide specialized training for individuals who handle, manage or protect sensitive or confidential personal information, such as call center employees.

Only 44% of benchmarked organizations that do privacy training assess the training program for effectiveness, and 25% of companies formally assess or measure program goals.

In general, other benchmarks also suggest substantial privacy training programs are not widely implemented. If you would like to see these benchmarks, give us a call or send an email to research@ponemon.org.

 

 

Posted by Dr. Larry Ponemon at 3:50 pm

Sophos & Ponemon Institute Announce New Study

December 5, 2009

We are pleased to present The State of Privacy and Data Security Compliance study conducted by Ponemon Institute and sponsored by Sophos. The purpose of the study is to determine if various international, federal and state data security laws improve an organization’s security posture. What is the value of compliance and does it correlate with the value of the compliance effort? 

With the plethora of new privacy and data security regulations, we believe it is time to ask whether regulations help or hinder an organization’s ability not only to protect sensitive and confidential information assets, but to be competitive in the global marketplace. Further, how difficult is it to be in compliance, and who is the typical person or functional leader accountable for compliance? What is the value to the organization? Finally, what differences (if any) exist in security practices between compliant and non-compliant organizations?

We surveyed 528 IT and security practitioners (referred to as respondents) who are involved in their organization’s data security efforts, which can include responsibility for the technologies that support compliance efforts and managing and/or auditing legal and regulatory requirements.

Sixty-seven percent of all respondents say they have at least an adequate knowledge of the many U.S. state, federal and international privacy and data security laws that their organizations are required to comply with today. More than 52 percent of respondents are at or above the manager level with an average of almost 10 years experience in the IT or security fields.

Our sample of respondents was bifurcated into two groups – namely, 52 percent who reported their organizations have achieved substantial compliance with privacy and data security laws and 48 percent who admit their organizations have not achieved substantial compliance with all applicable laws. 

Respondents in both the compliant and non-compliant groups represent various vertical industries, including financial services, retail, technology, healthcare and many others. Based on the results of our study, compliance with privacy and data security regulations appears to have a very favorable impact on an organization’s security posture.

Specifically, the probability of a data breach occurrence that required notification to breach victims decreased by almost one-half as a result of better compliance efforts. Furthermore, organizations achieving a higher level of compliance reap a financial gain as measured by the reduction in cost associated with data breach. Respondents in the compliant group believe the top two technologies that give them an advantage in managing risks are data loss protection and encryption of laptops and desktops.

Compliance also makes a difference in the attitudes and beliefs of respondents about their organization’s security compliance efforts. Accordingly, respondents in the compliant group believe they are more likely to achieve the following benefits:

  • Improves their organization’s relationship with key business partners.
  • Helps secure more funding for IT security.
  • Improves their organization’s security posture.

To obtain a copy of this study, visit: http://www.sophos.com/security/topic/privacy-data-security-compliance.html.

 
