Leadership Feed

01/18/2012

Why should senior management be involved in security decisions?

I am putting the finishing touches on an executive presention for a client.  Our finding, after a series of technical tests, a review of their policies and their security administrative compents was that they are generally proactive on securty from a technical perspective but any additional maturation or improvement of their program requires management involvement.

I am going to present this to senior management team that has already informed me they don't want to hear that message.

This isn't the first time Jacadis has encountered such a situation.

Why should senior management be involved in security decisions?

At some level security decisions are really risk management decisions and not just technical, information security decisions.  Even the strongest technical team can't know the risks, obligations, contracts and mission priorities that senior management brings to the table. 

Sorry, managers but this isn't just geeky stuff.

Here is a quick list of five questions that my client's technical team needs senior management input, involvement and or leadership on:

  1. Are we obligated by law or contract to HIPAA?
  2. Are we obligated to PCI?  Are we exposed in the way we handle crtedit card data?
  3. How long can your business operate with reduced computer facilities?  Which facilities are most important to the mission?
  4. How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach?
  5. What are our employees permitted to do with social media outside of work hours on their own computers?

Are you putting your technical team in a spot where you expect them to protect your business but don't share with them critical information or involve yourself in their decision making process?  If you are in a business that is data driven (and which business today isn't) your lack of involvement will likely ensure a high technical team turnover, raise the possibility that you will have security issues interfere with your business, decrease the resiliency of your business and potentially put at risk vendor and client relationship while also opening your business (and perhaps yourself personally) to legal and regulatory liability.

 

Enhanced by Zemanta

Posted by at 11:14 AM in Committee Action, Compliance, Continuity Planning, Information Security Basics, Leadership, Risk Management, Secure Value | | Comments (0) | TrackBack (0)

| | |

12/18/2011

Gap between what employees think and do versus what employers think and do

Last week I gave a Lunch and Learn Presentation to a group of business people and enterpreneurs at the Dublin Chamber of Commerce on Living Securly in a Digital World. 

Researching the topic for fresh material I tripped across a Unisys study that shows a disturbing gap between what employees and what employers think about data use in the  enterprise:

  • While 67% can access non-work-related websites only 44% of employers agree.
  • While 52% of workers say they can store personal data on the company network only 37% of employers agree.

Do you have that same perception gap in your company?

As an employer it may mean behaviors you don't want, non-productive sites visited during work time or worse, malware introduced into the company network. As an employer, it may also mean extra storage costs or extremely awkward moments during terminations (can I have my data back?!).

As an employee, it may mean a disciplinary action for what you think is approved or allowed behavior.  And more importantly it might mean loss of personal data an information if you lose or leave your job (or the company closes).

It is in the best interests of both sides of this divide to close the gap.

Enhanced by Zemanta

Posted by at 10:07 AM in Leadership, Living Securely, Policy, Secure Value, Speaking Engagement | | Comments (0) | TrackBack (0)

| | |

08/17/2011

Four Musts When Starting a Business

After operating my own business for 10-plus years I often get asked by new entreprenuers starting out what things I think are most important to someone starting up a new business.

1.  Focus on your craft, but become an expert at sales.  When I started I thought that I needed to be the best I could be at what we do (information security, privacy, risk management) and how we do it (project management, professional services management).  I have found over the years though that if you don't understand the sales process and excel as a participant in it you can lose sales to firms that don't know the craft as well as you and you can miss customer expectations.  Truly every project begins with sales.

2.  Find a good lawyer.  Find a good accountant. I have had a good accountant almost from day one, John Davidson (no relation, really) from Kyles Hill.  John's taught me a lot about the financial side of business, sat beside me in negotiations as our CFO and given me a different perpsective that has helped me and Jacadis grow.  We have had good legal work done but no attorney has given us th depth of the effort that John brought us on the accounting side.  That, I believe, was a weakness in our formative years. 

3.  Take the time to write a simple business plan.  Spend your time searching for a good simple business plan outline.  Take the time to work through it.  Focus on the directional issues.  Why does your business exist? What does it do? Why do people need it? Who are your customers? Where do you find them?  What do you need to do your work successfully?  Can your idea scale? What do you need to scale?  A solid business plan can be written in a weekend.  Don't put it on the shelf.  I pull ours out every quarter to check our direction.  Sometimes I adjust the plan with input from senior staff.  Sometimes I adjust the work effort or activities.  Regardless we make course corrections every quarter because the plan is a living guide for who we are, what we do and who we serve.

4.  Design the business with security and privacy in mind.  Really.  We run our businesses off the fuel of information.  Too often we have seen small businesses fail or struggle because they have lost the confidentiality of key information, lost access to key information or found that it became contaiminated and unusable.  Larger businesses can absorb more damage.  Many of them by virture of their size have these covered.  Small businesses can't absorb much damage.  In the rush to focus on sales and craft many entrepreneurs forget the basics and leave their networks open to the outside, key customer data exposed or simply opt to save a few bucks and not back up their information.  There are stories in the news regularly about business failures that were planning failures because business starters didn't think about security and privacy at startup. 

 

 

Posted by at 04:35 PM in Information Security Basics, Innovation, Leadership, Online Business, Risk Analysis, Risk Management, Secure Value | | Comments (0) | TrackBack (0)

| | |

05/05/2011

Train Sales People in Security Basics if Your Product Serves Security & Privacy Concerned Markets

Yesterday, I had a prospective vendor tweet out details of our infrastructure right after he got off the phone with one of our engineers.  I guess he thought letting me know he was working for me was cute.  He lost a deal because he violoated my trust. 

Today, we had a client ask if we could speak to their sales people about the importance of information security and privacy from their customer's view.

Do you sell products or services into markets that have information security risks or fears?  Do you consider security to be a feature of your product?  Do your customer's routinely include questions about how you handle information security in their RFQs and RFPs? Do your contracts include clauses that allow your customer's to audit your infrastructure?  Do you sell products or services into regulated industries such as healthcare (HIPAA/HITECH) or public companies (SARBANES-OXLEY) and so on?

If you said yes to any of those questions do your sales people understand the importance of security in building and maintaining customer trust?

Do you train them? Do you make their role in building and maintain trust an obvious part of their performance expectations?

Security training for sales professionals selling into protected markets should include:

1.  Information Security 101 covering basic terms that your customer's auditors and IT staff will use as a matter of everyday language.  They should be comfortable with terms such as risk, vulnerability, threat, safeguard, confientiality, integrity and availability.

2.  Industry issues related to security, privacy and regulatory compliance.  A salesperson serving health care markets needs to have a different knowledge base than a salesperson selling into financial markets and so on.  We've been involved with clients purchasing technology from vendors who have sales people claiming knowledge about regulatory issues that is wrong.  They don't get those sales.

3.  Product and service features that support a client's information security, privacy and compliance pains. 

4. Basic online ettiquite and secure online behavior.   Preparing sales people to participate securely and privately in communications particularly if social media is part of your communication strategy or part of the culture of your work force. 

5.  General trends in information security including some pointers on news sources that can keep your sales team informed.

An example: 

After Epsilon was hacked two weeks ago, I had two conversations with senior executives from two differenct firms that provided consumer oriented services that had never heard of the Epsilon.  Epsilon is an email marketer that provides email marketing services to large companies.  They were hacked and the customer emails of some 50 companies were taken.  You can expect firms in the direct consumer market to be concerned with the risks of having their customers exposed through other services.  These execs had no idea.  Without some idea of what to watch for in the news I wouldn't expect them to, but it would give an edge in customer conversations because the customers are very aware and knowledgeable.

We've seen good sales people with bad security habits lose business.  We've helped some of them change and with their companies create competitive advantage as this knowledge prepares them to begin building trust at the inception of the first lead contact.  I prefer to have my sales people be as productive as possible.  If you sell into security concerned markets this is a tool you should consider.

 

 

Related articles
Enhanced by Zemanta

Posted by at 03:17 PM in Committee Action, Innovation, Leadership, Living Securely, RoadWarrior, Secure Value, Small Business | | Comments (1) | TrackBack (0)

| | |

04/21/2011

You want to connect WHAT! to my network?!

This article by Jerod Brennan first appeared in Jacadis' quarterly newsletter.  It created quite a few conversations with our customers.  I thought it was useful to share here as well.

Smartphones and tablet devices are making their way into the workplace.  Unfortunately, the decision to connect these devices to the corporate network is often made without first consulting the IT department.  The worst part is that the information security team is frequently kept in the dark for fear that they would tell the business no.

But does security really need to say no to this request?

Of course not!  The security team should be helping the business find a way to do what they need to do securely.  Companies that embrace mobile technology in a safe and secure manner will reap the benefits that come from the increased connectivity and mobility.  The key to avoiding a security incident or data breach related to these devices is in the security details.

 A few questions that the security team needs to ask the business:

•     Have we documented an acceptable use policy for mobile devices?

•     What information do we need to include in that policy?

•     How are we going to keep track of these devices?

•     What steps do we need to take to secure devices before they connect?

Permitting mobile devices in the workplace should be a business decision based on a clear business need.  Before that decision has been made, engage the security experts in order to ensure that you deploy those devices safely.  You need to involve the right players from the very beginning if you want to securely integrate mobile technology into your business processes.

Remember:  It’s better to end up in the news for a record-setting quarter, and not for a security incident that could have easily been avoided.

Related articles
Enhanced by Zemanta

Posted by at 02:04 PM in Information Security Basics, Leadership, Mobile Security, Secure Value | | Comments (0) | TrackBack (0)

| | |

Information Owners Should Be Held Accountable for Breaches NOT Just Technical Staff

I have read several articles on the recent breach at the Texas Comptroller of Public Accounts site.

If you have an interest you can get a good summary from Computerworld's Texas fires two tech chiefs over breach as well as the announcement from the Comptroller's web site.

The story is not unlike many other breach stories we've seen over the years.  A mistake is made.  Information including individually identifiable information is exposed.  Somebody from the technology department is sanctioned or terminated.  Other corrective actions are taken.  End of story.

In information security there is a concept of information ownership.  An information technology department that fits properly into a business is providing a service to the business units, but those business units are considered the information owners.  IT has a responibility to provide appropriate quality services to meet the information owners needs.  But the information owners should be accountable to what is done with the information.

Here's a rough analogy.  I own a car.  I am the owner.  The Ohio Department of Transportation provides the infrastructure for me to use my car.  If the road fails and I wreck I as the owner (or driver) am responsible to maintain control.  

From an information ownership perspective in the case of a breach you rarely see sanctions laid down on the assigned information owners.  If information ownership was properly assigned and maintained the owner would have a responsbility to make sure the information was properly managed by the service providers from IT.

An information owner is the individual or departmental unit who creates, acquires or manages information through a business process.  When setting up a governance process I prefer an individual within the department has formally assigned ownership.  That assigned owner is then responsbile for understanding the value of the information, obligations the organization has to protect information of that type and value, proper handling procedures given those obligations and oversight of the organization's handling of the information.  In the case of many of these breaches an information owner overseeing the technical processing of this information would have had a chance of correcting the fault before it resulted in a breach. 

 

 

 

 

 

 

 

Related articles
Enhanced by Zemanta

Posted by at 11:30 AM in Breach Notifications, Committee Action, Leadership, Secure Value, Security in the Business News | | Comments (1) | TrackBack (0)

| | |

04/07/2011

Epsilon Aftermath Will Expand Seriousness of 3rd Party Verification for Suppliers -- Is your firm ready?

Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers.  We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.

Frankly, as breaches Epsilon isn't a big of deal.    No protected information, just names and email addresses were taken.  And more sophisticated attacks have come and gone in the press largely unnoticed. 

Epsilon has received more attention than the more impactful breaches in part because it touched so many people.  Non techies are talking about it.  We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.

In fact it isn't just us that thinks that.  The Wall Street Journal reported in Insulating Your Firm from Third Party Breaches that:

Experts suggest that companies that outsource technology services take some of the following steps:

  • Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Standards Organization;
  • Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
  • Make sure vendors assume liability for breaches that affect customers and end users; and
  • Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.

Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers.  These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.

This will impact you if you answer yes to any of the questions below:

  • Your business is part of the supply or services chain for larger regulated firms.  We see most of the third party verification activity from firms that have regulatory obligations to HIPAA; PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley.  We have seen these type of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information.  Do you provide services to these types of firms?
  • Your business provides a service that includes considerably volatile information.  If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or it’s relationship with its customers this might apply.  Or, if, for another instance, you process company confidential information such as trade secret related information.  Do you provide services to these types of firms?
  • Firms in the supply chain stack.  You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses.  You know what they say about it rolling downhill.   Are you at the bottom of a supply chain?

Take action

If you answered yes to any of those questions we suggest the following:

1.  Look at your customer agreements with firms in the categories above. 

  • Do any of those agreements place obligations on your company to protect your client’s information in a certain way? 
  • Do they have the right to audit? 
  • Have you told your IT team about these obligations? 
  • Are you prepared to meet these obligations?

2.  Sit down with your technical leadership and discuss:

  • Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
  • Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
  • If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months? 
  • When the auditor arrives do we have documentation that defines our security programs values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
  • If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
  • Are we managing security well enough that we can create a competitive advantage over other firms in our class?  Can we use that advantage to build new business?

If your business provides business to regulated businesses upstream in your market we recommend you keep asking these questions until you feel comfortable with the answers.

 

Related articles
Enhanced by Zemanta

Posted by at 10:45 AM in Committee Action, Competitive Advantage, Compliance, HIPAA, HITECH, Information Security, Information Security Basics, Leadership, Online Business, PCI, Policy, Secure Value, Security in the Business News, Small Business, Trust, Vendor Selection | | Comments (0) | TrackBack (0)

Technorati Tags:

| | |

02/23/2011

Show B2B Customers Your Firm is Trusted - Win Business!

Does your business process customer data? Show your business to business customers that your firm handles their information in a secure fashion and you may win new business.

Jacadis works with emerging firms (those in start up mode or those in high growth arcs) that suddenly find themselves with information security and privacy concerns.  Usually, they have been so focused on building business features and functions that security has been an afterthought.  Customers raise concerns about how information is handled, many times because the customer is regulated and is expecting our client to properly handle their data.  By the time Jacadis gets involved these concerns are creating barriers to new markets or have become minimum requirements to win new business or retain existing business. 

Our mantra is that if you can show yourcustomers, particularly your regulated business-to-business customers you operate in a manner that you can be trusted you have the potential to create competitive advantage and win new business.

And it is true.

Yesterday, we got word from a client that our efforts in implementing a security program for them had translated into a higher level trusted relationship with a key client AND a new $200,000 order.  The joy the sales manager had in telling me reminded me of the excitement my 8-year old has when he comes home from a great day at school.

Being secure does create competitive advantage.

Do you have those same concerns?

One tool we used was QualysGuard.  We used it to measure the vulnerabilities (fancy security jargon word meaning weaknesses) to attack that their technical infrastructure.  We used it initially to create a prioritized list of corrective steps for our client to take and now use it to maintain the current security levels and show the client's customers they are attending to security properly. 

You can test your network on your own with Qualys' free scan.

Enhanced by Zemanta

Posted by at 12:32 PM in Assessments and Tests, Committee Action, Competitive Advantage, Compliance, Information Security Basics, Innovation, Leadership, Online Business, Secure Value, Small Business | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

| | |

01/25/2011

Questions for your newly formed Information Security Steering Committee to discuss

Padlock lockedImage by ☺ Lee J Haywood via Flickr

If you have formed an information security steering committee (or call it a governance committee, security working group or other similar name either to meet compliance or contract issues or because it is a leading security management practice you may have the committee version of writer's block: "We are all here.  What do we do next?"

Last week I helped a client kick off their steering committee.  After a quick training session on Information Security 101 and Security Govrnance 101 we as a group discussed the following openly:

  • How do we organize for infromation security governance?
  • What is the committee work product?
  • Do we keep minutes? Detailed minutes or just a summary?
  • We publish policies? What else do we do?
  • How do we, as a committee, develop, adopt and publish policy?
  • As a cross fucntional committee where do we do our work?
  • How do we raise awareness within this group that information security is important?  Within the company?
  • Does everyone here agree they have a role on this committee?

There's a lot of material on what the answers to these questions SHOULD be, but discussing them provides a great learning moment for a new committee.  And while I use much of the available literature to help guide my work in assisting customers in forming committees I've found that each company's cultural uniqueness can be acommodated within those leading practices.

Simply talking about "what do we do now" is a great ice breaker to get the committee aligned and moving forward.

 

Enhanced by Zemanta

Posted by at 01:22 PM in Committee Action, Leadership, Policy, Secure Value | | Comments (0) | TrackBack (0)

| | |

09/28/2010

Evaluate Your Company's HIPAA & HITECH Compliance Quickly with Expert Help

HITECH (known also by the mouthful Health Information Technology for Economic and Clinical Health Act) signed into law in February, 2009, changed the information security and privacy landscape in health care in two important ways.  Compliant-button

First, it broadened the scope of the HIPAA rules, including business associates or those that provides services to health care covered entities on the hook for compliance with HIPAA. 

Second, it included enforcement provisions including breach notification, mandatory audits and criminal penalties in an attempt to put teeth into the HIPAA tiger.

As Health and Human Services has proposed and written into rule various rule sets implementing the law our conversations with those who previously thought they were compliant with HIPAA and those newly required to be compliant have expanded.

We have found two common cases in the market:

  1. A firm embraced the original compliance dates in 2003-2005, developed a policy based HIPAA security and privacy program and then “put it on the shelf”.  Those programs are out of date and because they include policies and procedures that are not being followed are high risk.
  2.  Business associates, who provide products and services into the health care market, know they are not compliant and have no idea where to start.  Many of these firms have a real issue in that they must show compliance or bind themselves legally to it to keep and gain customers.

It is no wonder that either case presents an issue.

Since 2005 most firms have dealt with a number of external and internal changes while not constantly reevaluating their compliance with HIPAA or their information security program.

These changes include, but are not limited to:

1)    regulatory changes (e.g., The HITECH Act as well as numerous state level data protection laws)
2)    business growth or decline
3)    uncertain economy
4)    geographic expansion;
5)     personnel changes;
6)    increased penalties and sanctions; and,
7)     technology changes. 

If a company was compliant in 2006 based on a security program built for HIPAA compliance in 2005, most likely they have drifted into a state of non-compliance by 2009.  HITECH amends the rules.  That company is likely now far off the mark in an environment where liabilities are increased and personal for the company’s leadership.

If a company is new to HIPAA compliance, particularly those small businesses that serve the health care market but run lean and mean, they don’t know where to start their compliance program or how to do it affordably.

In either case firms need to assess quickly their information security and privacy program  to  have various aspects of your program audited/assessed in order to determine whether your administrative, physical and technical safeguards are reasonable and appropriate as required by the HIPAA Privacy and Security Rules, as amended by the HITECH Act.

In response to these dynamics we’ve built a collaborative workshop that puts the key business and technical leadership into a room to address the questions and uncertainties of HIPAA and HITECH compliance.

Based on our successful experience with other clients, including several in the long-term care industry, we believe our collaborative, education-based and results-oriented process will delivers a great amount of value in a short period of time.

Our HIPAA-HITECH Security Assessment WorkShop™ is a high-value, high-impact two-day engagement that meets customer needs including, but not limited to:

•    Reevaluating your organization’s compliance status
•    Jump-starting your program
•    Revitalizing your efforts
•    Updating your program with HITECH Requirements
•    Developing an internal benchmark score
•    Establishing an executive compliance dashboard
•    Evaluating current safeguards
•    Identifying gaps and new safeguards to implement

Upon Completion, You and Your Team Can Expect These Outcomes:

•    Working Knowledge Of Security And Privacy Basics
•    Working Knowledge Of HIPAA And HITECH Regulations
•    Jump Start Your HIPAA-HITECH Compliance Program
•    Compliance Indicator Benchmark Score
•    Gap Analysis of HIPAA Security practices
•    Gap Analysis of HIPAA Privacy practices
•    “Low Hanging” Remediation Items and Action Plan
•    Solid Foundation for Completing HIPAA Risk Analysis

Executive Dashboard on HIPAA Security – One of the Deliverables:

  HIPAA HITECH Dashboard

Clients have successfully used the dashboard as a baseline for the beginning or revitalizeation of their HIPAA information security and privacy program.  They have used it to communicate to customers and prospects where they stand.  They have used it internally to prioritize work on missing components.

Included with the workshop is the the HIPAA Security Assessment ToolKit™, which gives each firm, post workshop, to continue to track their complianace efforts.

Enhanced by Zemanta

Posted by at 10:35 AM in Committee Action, Competitive Advantage, Compliance, HIPAA, HITECH, Information Security Basics, Leadership, Secure Value | | Comments (0) | TrackBack (0)

| | |

Next »
My Photo

About

TypePad Profile

Get updates on my activity. Follow me on my Profile.

Categories

Twitter Updates

    follow me on Twitter
    Blog powered by TypePad
    Creative Commons Attribution-ShareAlike 3.0 Unported