
Use What Works to Create a Culture of Privacy
December 20, 2009
I was in an industrial facility recently and noticed large banners on the walls proclaiming “12 Years without a Safety Incident.



Dr. Ponemon's blog

Training Is the Strongest Link

December 10, 2009

Today we held a RIM College event featuring three noted experts in corporate privacy training programs -- namely, Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro).  Our focus is: what are leading companies doing to achieve awareness and knowledge about privacy and data protection requirements?

To minimize insider threats within the corporate environment, I believe there is nothing more important than educating the workforce. Despite its importance, our Institute's benchmark results suggest organizations are not doing enough to educate employees, temporary employees and contractors. Here are some of our less-than-stellar results, based on benchmarks of US-based multinational organizations:

Only 68% of benchmarked organizations have a formal privacy training program, and only 32% of those organizations make the training mandatory.

Only 38% of benchmarked organizations provide specialized training for individuals who handle, manage or protect sensitive or confidential personal information, such as call center employees.

Only 44% of benchmarked organizations that do privacy training assess the program for effectiveness, and only 25% formally assess or measure program goals.

In general, other benchmarks also suggest substantial privacy training programs are not widely implemented. If you would like to see these benchmarks, give us a call or send an email to research@ponemon.org.


Posted by Dr. Larry Ponemon at 3:50 pm

Sophos & Ponemon Institute Announces New Study

December 5, 2009

We are pleased to present The State of Privacy and Data Security Compliance study conducted by Ponemon Institute and sponsored by Sophos. The purpose of the study is to determine if various international, federal and state data security laws improve an organization’s security posture. What is the value of compliance and does it correlate with the value of the compliance effort? 

With the plethora of new privacy and data security regulations, we believe it is time to ask whether regulations help or hinder an organization’s ability not only to protect sensitive and confidential information assets, but also to be competitive in the global marketplace. Further, how difficult is it to be in compliance, and who is the typical person or functional leader accountable for compliance? What is the value to the organization? Finally, what differences (if any) exist in security practices between compliant and non-compliant organizations?

We surveyed 528 IT and security practitioners (referred to as respondents) who are involved in their organization’s data security efforts, which can include responsibility for the technologies that support compliance efforts and managing and/or auditing legal and regulatory requirements.

Sixty-seven percent of all respondents say they have at least adequate knowledge of the many U.S. state, federal and international privacy and data security laws with which their organizations are required to comply today. More than 52 percent of respondents are at or above the manager level, with an average of almost 10 years' experience in the IT or security fields.

Our sample of respondents was bifurcated into two groups – namely, 52 percent who reported their organizations have achieved substantial compliance with privacy and data security laws and 48 percent who admit their organizations have not achieved substantial compliance with all applicable laws. 

Respondents in both the compliant and non-compliant groups represent various vertical industries, including financial services, retail, technology, healthcare and many others. Based on the results of our study, compliance with privacy and data security regulations appears to have a very favorable impact on an organization’s security posture.

Specifically, the probability of a data breach that required notification to the affected individuals was almost halved among organizations with better compliance efforts. Furthermore, organizations achieving a higher level of compliance reap a financial gain, measured as the reduction in the cost associated with a data breach. Respondents in the compliant group believe the top two technologies that give them an advantage in managing risk are data loss prevention (DLP) and encryption of laptops and desktops.

Compliance also makes a difference in the attitudes and beliefs of respondents about their organization’s security compliance efforts. Accordingly, respondents in the compliant group believe they are more likely to achieve the following benefits:

  • Improves their organization’s relationship with key business partners.
  • Helps secure more funding for IT security.
  • Improves their organization’s security posture.

To obtain a copy of this study, visit: http://www.sophos.com/security/topic/privacy-data-security-compliance.html.


Crowe Horwath & Ponemon release HITECH study

November 21, 2009

I am delighted to share with you our recently completed benchmark study, which focuses on healthcare organizations and their ability to comply with new regulations. Of 77 participating covered entities and business associates, 27% have not started or are barely aware of what they need to do, 32% are waiting for more details, 14% have a plan but are waiting for more details, and 21% are just starting to act. This data was collected from June through October 2009. If you are affected by the HITECH Act, this benchmark study may be helpful to you.


eGov Initiative Not Without Risk to Citizen Data

November 19, 2009

The eGovernment movement is a good thing, and maybe too long in coming given how many years businesses have been taking advantage of technology to provide convenience and a higher quality of service to their customers. Constituent services have been available online for years, certainly, but only recently has the effort to modernize government been policy.

Yet the push to digitize federal agencies is not all photo ops and campaign sound bites. There’s risk involved, and unless that risk is acknowledged and addressed up front, the information that our government collects about its citizens – information we are often compelled to provide – may be in danger of compromise through negligence, malicious insiders, or cyber criminals.

That conclusion is not only one that any rational observer of data security and data privacy issues could have drawn through simple deduction; it has also been confirmed by a recent study the Ponemon Institute conducted.

In that study, sponsored by CA, we talked to more than 200 senior IT professionals working for a variety of federal agencies to gauge their feelings and confidence about the kinds of technologies being adopted by the feds and how data security might be affected. The results, as released in our Cyber Security Mega Trends study:

  • 79% of respondents see the rise in the use of collaboration tools as significantly increasing the storage of unstructured data sources that contain confidential or sensitive information and are not adequately protected or secured.
  • 71% of respondents believe that cyber terrorism is on the rise and that this trend poses a very serious threat to the protection of proprietary systems as well as our nation’s critical infrastructure.
  • 63% see the mobility of the government workforce as contributing significantly to endpoint security risk, as a result of a plethora of insecure mobile data-bearing devices that are susceptible to malware infections and botnet attacks.
  • 52% of respondents say that Web 2.0 applications such as social networking, social messaging, blogging and wikis contribute to the leakage of confidential or sensitive information as well as susceptibility to malware and botnet attacks.

It all adds up to an acknowledgement on the part of those individuals tasked with managing and protecting citizen data that there’s a great deal of risk involved in the digitization of federal processes. That doesn’t mean that we shouldn’t continue to make progress in dragging constituent services into the 21st century, but it does mean that these eGov initiatives must be undertaken with proper consideration given to the security of sensitive personal information.

When we file our taxes, participate in a census, or register for one of the many benefits to which we may be entitled, we do so with the expectation that our public servants will give proper care and respect to the information entrusted to them.

Given the results of the Cyber Security Mega Trends study, we would all do well to question whether that trust is well placed.

Posted by Dr. Larry Ponemon at 7:36 am

The Goal is Credibility

August 31, 2009

I want to share an article with you that I think has a tremendous lesson for anyone in the business of building trust.  The article is from a recent edition of Foreign Policy (reprinted from Joint Force Quarterly), but don't let the source put you off.  Admiral Michael G. Mullen, chairman of the Joint Chiefs of Staff, writes about what it takes to establish credibility and build trust.

Admiral Mullen's perspective is different from yours and mine, but there are nuggets here that are vital no matter what your business.

Here's one paragraph that stands out for me:

"That's the essence of good communication: having the right intent up front and letting our actions speak for themselves. We shouldn't care if people don't like us; that isn't the goal. The goal is credibility. And we earn that over time."

The goal is credibility.  And we earn that over time.

Follow this link if you want to read more.

Posted by Dr. Larry Ponemon at 2:20 pm

Archer-Ponemon Treaty for Data Governance

July 21, 2009

I’m still processing a lot of the information gathered, shared, and created during our 8th RIM Renaissance this past weekend in Minneapolis. One of our sessions focused on the creation of an information governance “treaty” that holds various organizational members to a high standard (consistent with our RIM principles). Please review the following draft document and let me know what you think.

RIM Council Treaty on Information Governance
Draft V.1

[A.K.A. Archer-Ponemon Treaty project, created by the participants of the 2009 RIM Renaissance on 18 July 2009 in Minneapolis, Minnesota]

We the professionals, in order to establish and maintain a trustworthy, secure enterprise that meets legal and regulatory requirements, customer expectations, and corporate vision, do hereby agree to the following:
  • Establish commonly understood terms and clearly defined policies with respect to data protection, privacy and information security.
  • Establish data protection and privacy principles that can be applied across the enterprise on a global basis.
  • Establish an information governance body to achieve an all-inclusive, cross-functional approach to overseeing the organization’s data protection, privacy and information security requirements.
  • Establish a transparent mechanism for operational governance, starting with a charter that is approved by the organization’s chief executive and other senior executives.
  • Ensure the governing body is representative of the organization’s various information users.
  • Ensure that representatives to the governing body are fully supported by their respective organizations or operating units.
  • Strive to build data protection and privacy into the organization’s DNA by educating all employees as to why it is fundamentally important to the organization.
  • Strive to create an information stewardship culture that fosters collaboration across the enterprise and diminishes silo thinking.
  • Ensure this initiative is top-down, starting with the chief executive and the board.
  • Empower the governing body to make difficult choices and take substantive action when necessary.
  • Require the chair of the governing body to report to the organization’s chief executive, with communication to the board of directors or audit committee when internal conflict arises.
  • Establish and use objective metrics that define the organization’s performance in meeting data protection, privacy and information security objectives.
  • Communicate to internal and external stakeholders, including regulators and supply chain partners, about the organization’s information governance approach in ways that do not compromise the program.
  • Empower and reward employees to do the right thing with respect to their stewardship of information assets.
  • Ensure the organization takes advantage of enabling technologies that improve the state of information security in an effective and cost-efficient manner.

Posted by Larry Ponemon at 4:10 pm

Thank You, Friends of the Ponemon Institute!

July 20, 2009

A warm thank you to everyone who made this past weekend's RIM Renaissance a success.  The discussions were lively and productive, and I think we all came away just a little bit smarter as a result of the candor.  We do appreciate the enthusiasm that seems to pervade these events, and the willingness to put aside your valuable time to join with us on these annual occasions, as well as the ongoing conversations that take place throughout the year.

Please remember to contribute to this valuable dialog by joining us on our monthly RIM Council conference calls, commenting on this blog and our Facebook fan page (Friends of the Ponemon Institute), and also by following the growing number of privacy-minded folks on Twitter, where you can find the Ponemon Institute's social networking emissary, Mike Spinney, as @spinzo (rumor has it there may be a LinkedIn group soon as well).

Posted by Larry Ponemon at 3:36 pm

What We Have Here Is Failure to Communicate

July 14, 2009

Privacy pro: Do you ever feel like you are working overtime to meet overly ambitious expectations? Are you frustrated by your attempts to outline a plan for protecting sensitive personal information, only to get the sense that you are talking to a brick wall?

CEO: Are you puzzled as to why the people your company has hired to address security and privacy concerns never seem to meet the objectives you have for them? Are you flummoxed by the fact that the investments you’ve made in data security aren’t helping to stem the tide of data loss?

For a long time we’ve known that there’s been something of a disconnect between the C-suite and the front lines of security and privacy. Call it an educated gut sense, gained from reading between the lines of our many privacy and security studies – and reading between the lines on the faces of our friends and colleagues.

We recently completed a study meant to identify that very situation and, to no one’s surprise, found that there is a significant gap between the perceptions and expectations of the folks occupying the corner office and those who are tasked with conceiving of and carrying out privacy and data security orders.

The findings include some stunning gaps between what CEOs believe to be among the most important security and privacy priorities and what C-level security and privacy executives believe those priorities to be. For example:
  • 100 percent of CEOs said reducing security flaws within business-critical applications was important or very important, but only 65 percent of C-level privacy and security executives agreed.
  • 93 percent of CEOs said identifying and responding to a data breach was important or very important, but only 58 percent of C-level privacy and security executives agreed.
  • 87 percent of CEOs said protecting confidential information shared with vendors, business partners, and other third parties was important or very important, but only 48 percent of C-level privacy and security executives agreed.

The famous line from Cool Hand Luke seems to apply: “What we have here is, failure to communicate.”

Let us know your thoughts on this troubling finding, and what strategies security and privacy pros might use to overcome this gap and bring their departments into harmony with the corner office.

(If you are interested in downloading a copy of the study, you can do so by visiting Ounce Labs, whose generous underwriting made this research possible.)

Posted by Larry Ponemon at 3:38 pm

More Employees Ignoring Data Security Policies

June 10, 2009

Does it surprise you to learn that, according to our recent study, Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security, employee compliance with corporate data security policies is on the wane?

 
Why do you think this is?  I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity: the development of new, mobile technologies that empower employees to do more while away from the office; a failure of organizations to keep pace with the ways technology is changing the dynamics of data security; and current economic conditions that are putting increased pressure on individuals to be more productive with fewer resources.
 
According to our study, made possible through a sponsorship by secure USB flash drive developer IronKey, employees routinely engage in activities that put sensitive data at risk.  They are downloading data onto unsecured mobile devices (61%), sharing passwords (47%), losing data-bearing devices (43%), and turning off their mobile devices’ security tools (21%).  And, reflective of the blurring of the lines between personal and professional lives, they are using web-based personal email in the office (52%), downloading Internet software onto an employer’s devices (53%), and engaging in online social networking while in the workplace (31%).
 
With the exception of social networking, which we measured for the first time this year, each of these risky behaviors represents an increase compared to last year's results.
 
Interestingly, of those surveyed, 58% said their employer failed to provide adequate data security awareness and training, and 57% said their employer’s data protection policies were ineffective. According to 43%, there was poor communication and enforcement of data security policies.
 
The Ponemon Institute believes these results show an overall lack of urgency by companies about the need to address data security. Unfortunately, our studies have also shown that it often takes a data breach before an organization finally gets its wake-up call and takes data security seriously.

Posted by Dr. Larry Ponemon at 4:38 pm

Dr. Ponemon

April 6, 2009

Welcome to my new blog. I look forward to sharing some of our thought provoking research. I also look forward to receiving your comments and questions. Stay tuned.

Posted by Dr. Ponemon at 5:02 pm