We are a country in crisis with regard to adopting adequate Information Security practices. I am not an alarmist, but when I review the Cyber Security update that my team compiles and sends out a couple of times per week and see multiple breaches in every update, and when I see reports like the one conducted by Adam Dodge or the Verizon Report that show a steady volume of information security breaches every year, I have come to believe that we are a country in cyber crisis.
Puzzling to me is that we, as a society, have for some reason decided that safeguarding personal information should be a soft skill done by committee instead of by the certified and trained professionals we hire into Information Security roles. Interestingly enough, the members sitting on the committees that make Information Security and data protection decisions are often not Information Security professionals. To use an analogy: instead of deferring to our qualified “pilots”, we are allowing the passengers to fly the airplane without first giving them flight instruction. If we really want to protect our corporate data, then we cannot keep making Information Security decisions, such as whether Personally Identifiable Information (PII) should be encrypted, by consensus. We also need to see the cost benefit of hiring Information Security professionals and then listening to their advice. Following a large data breach, the State of South Carolina recently ended up paying $12 million that could have been put to better use; they could have asked any Information Security professional whether the data they lost should have been encrypted at rest and in transit, and saved the $12 million. Instead (and this is pure conjecture on my part) they probably made the decision not to do so by a consensus of the CIO and other IT professionals, none of whom were trained Information Security professionals.
In my personal life I refrain from telling my accountant how to complete my taxes or from telling my surgeon where and how to make her surgical cuts. If we truly want to protect our data, or the data we are entrusted to safeguard, it is time for our communities to start adopting the course of action that Information Security professionals and Information Security standards advise. If we don’t start allowing our certified and trained professionals to specifically mandate how organizational PII, Intellectual Property and e-PHI (collectively referred to as restricted data) should be protected, we will continue to allow this data to be lost or stolen.
While there is no silver bullet that will prevent 100% of this type of data loss, most experienced and certified Information Security professionals know that there are many controls and safeguards we can put in place, if allowed to do so, that will minimize the loss of restricted data.
Note – in this post I use the term Information Security synonymously with Information Assurance.
© Kevin L. McLaughlin. Cited re-use is probably acceptable.