Is honesty the best policy? It certainly seemed pretty clear when we were children, but then things inevitably get more complicated as you grow up. I'm sure we've all told white lies, for example, to avoid hurting the feelings of a close friend or family member. In the professional world too, moral certainties over right and wrong can frequently be challenged, and in some cases shot down, for reasons of short-term expediency. I mention this because new research has found that 20% of IT security professionals have seen their firm cover up a data breach.
This isn't just an IT issue, of course. But I'd argue that given their unique position in the corporate hierarchy, CIOs have a great opportunity and a responsibility to ensure that in the case of data breaches, honesty should be the one and only policy.
The research itself was carried out at RSA Conference in the US earlier this year. This makes the findings doubly surprising, given that we can assume a large proportion of the 1,000+ attendees interviewed work for American companies. Unlike most European and Asian countries, the US has mandatory data breach notification laws, so it's illegal to cover up incidents where personal and financial customer information goes AWOL.
In the UK and elsewhere in Europe, we don't yet have such laws. And it's easy to see why companies would want to keep a damaging breach of customer data or intellectual property quiet. Aside from the regulatory fines and the remediation and clean-up costs, negative headlines resulting from a breach can persuade customers and investors to jump ship, hitting the share price, bottom line and brand value.
But today's cyber villains are smart, agile and determined enough that if they want to breach your organisation, there's not much you can do about it. At the very least, therefore, CIOs must nurture a culture where it's not frowned upon to report security incidents and deficiencies. Only by encouraging more openness, at least within the organisation, can information security be improved.
But this openness must be built into a clear framework.
The very first step is to conduct a comprehensive risk assessment. What are your most critical business processes and systems, and what are the biggest threats to these? How much will it cost to mitigate these risks with security tools, techniques and procedures? Once you've worked this out, it's time to sit down with the board and determine their risk appetite. Every organisation has a slightly different threshold for what is acceptable risk – those with a higher risk appetite are likely to invest fewer resources into information security, and vice versa. Then it's time to act on all of that and invest accordingly in risk management tools.
Once the IT department has done that, it has effectively covered its back. There should be no urge to cover up a subsequent breach, because you've played everything by the book, according to the risk appetite of the board. Cover-ups happen when there's uncertainty, a lack of structure and leadership, and an absence of risk-based decision making.
An ethical blind spot
The problem of firms trying to hide data breaches is compounded by the fact that very often IT professionals are not given any kind of training around professional ethics. In larger organisations they'll often be forced to learn on the job, but in smaller and mid-sized ventures it might simply never be mentioned. This can leave a troubling blind spot within the IT department, which makes it more likely that the reporting of incidents up the chain is overlooked.
It's really important to ensure that there's an up-to-date code of conduct within the department with a clear set of rules and procedures around breach reporting. It's all in the preparation; put in the hard work now and when an incident occurs things stand a much better chance of running smoothly. Then you and your team can begin to view each incident as an opportunity rather than a failure. It's an opportunity to engage with the board, raise the profile of information security and, hopefully, secure extra funding.
As if that wasn't enough, the EU General Data Protection Regulation will come into force soon, with promised US-style disclosure laws. It should be yet another compelling reason to begin preparing and getting used to your risk-management-centric set-up now. When it comes to information security, honesty really is the best way we can improve.
Raimund Genes is CTO of Trend Micro