
Oil Spills and Data Drills

June 20, 2010

My heart sinks day by day as I watch events unfolding in the Gulf of Mexico. I doubt anyone can begin to comprehend the potential extent of the devastation taking place as a result of the catastrophe. That massive oil leak is despoiling not only the visible beauty of the Gulf (water, beaches, marshes, wildlife) but is likely to result in enormous and long-lasting damage to the region's fragile ecology and economy as fisheries collapse, visitors stay away, and various industries curtail operations.

As all concerned parties grapple with containing and, eventually, stanching the flow of oil, as well as with a massive cleanup effort, I can't help but think of analogies that apply to data protection, and of the lessons they offer.
 
First, we learned that one of the factors contributing to the conditions leading up to the disaster was a lack of appropriate regulation addressing the risks inherent in deep water drilling. While the technology and strategies needed to reach deep ocean reserves advanced and made drilling at offshore depths viable, the safety measures required to mitigate the risks of deep water operations lagged behind.

For information security we can see the same pattern: the advance and adoption of technological innovation outpacing the processes and policies needed for safe operation. Some of our recent studies have shown this to be the case in cloud computing, payment cards, and mobile communications, to name a few. Yes, there are advantages to all these things, but adoption without appropriate precaution is irresponsible.
 
Second, we have learned that many of the missteps in responding to the oil leak were the result of having no clear measure of the actual flow of oil from the damaged well. Efforts such as Top Hat, Top Kill, and Junk Shot failed in part because no one knew (or would disclose) the volume or pressure of the leak.

In addressing information security risks you must first know what you have, where you keep it, how it's collected, and who has access to it. In the event of a data breach, the ability to quickly identify the source of a leak is critical to a successful response. More importantly, regular audit and assessment of information systems and processes will help to identify risks and afford an opportunity to address them before a breach occurs. And when the authorities come calling, if you've got the proper documentation and can demonstrate a viable plan, you'll be in a much better position.
 
Finally, there's the issue of crisis management. BP's reputation has taken a serious hit since the Deepwater Horizon oil rig explosion on April 20, not necessarily because of the initial event or even because of the leak itself, but because there is a growing sense that the company has been incompetent and insensitive in the face of the disaster. That perception stems from the statements, actions, and failures of the company and its executives and spokespeople. If there was a crisis response strategy in place at BP, it seems a number of its key executives felt at liberty to go off script, with disastrous reputational results.

Responding clearly, factually, with reasonable speed, and with appropriate contrition, and backing up statements with action, is the best way to rebuild lost trust. Making things up as you go along can never work. Crisis contingency planning is invaluable, even if you never have to put such a plan into effect.

Posted by Mike Spinney at 1:06 pm
