In the past, a company's privacy and security officers worked within their own confined orbits, oblivious to the common risks each department faced. But with corporate data breaches compromising nearly 216 million private records, the two sides can no longer afford to ignore each other.
Industry experts delivered that message during the recent (ISC)2 SecureBoston conference. Privacy and security teams should communicate regularly on each others' challenges and activities, and should work together on an effective response plan in the event of a data breach, the experts said.
"With the growing data breach threat, privacy and security officers must work closer than ever before and accept the fact that they are partners," said Peter Kosmala, assistant director of the International Association of Privacy Professionals (IAPP).
Kosmala focused his talk on ways for security and privacy officers to build a better dialogue. In particular, he said the two sides can find plenty of common ground on a data breach response plan and that the better the plan, the easier it will be for the company to survive a breach. While the privacy department tends to focus on legal and practical matters and the security department on procedural and technical concerns, each side is responsible for such common challenges as data breach response and notification, information outsourcing and vendor management, identity management, exploits and emerging threats.
By sharing insights and resources, he said, the two camps can do much to make their company more secure and in lockstep with all the latest industry and government security requirements.
Kosmala used Marriott International as a case study on how privacy and security officers can team up on a more effective defence, based on how it was explained to him by Chris Zoladtz, the hotel chain's vice president of information protection and privacy. According to Zoladtz, there are daily interactions between the privacy and security teams. The chief privacy officer is considered the "business owner" of privacy needs, including gap analysis, risk assessment, policy development and communication. The chief information security officer, meanwhile, develops and manages the mechanisms to address those needs as well as the broader needs of IT. Along the way, Kosmala said, there's plenty of cross-pollenisation of ideas, skills and credentials.
For Kosmala and other experts at the conference, one of the overriding issues is the need for companies to draw up detailed data breach response plans. No matter how seriously a company takes security, they said, everyone is vulnerable to a successful attack and must plan as if it's eventually going to happen. This has been a major theme at a number of recent security conferences. Experts at the (ISC)2 event used the TJX data breach response as an example of how not to do things.
When TJX first disclosed its data breach in January, the retailer came under heavy criticism for what many considered a sloppy response. The company didn't disclose the breach until a month after it was first discovered, and few accepted its explanation that investigators recommended the period of silence. TJX also seemed to have trouble getting an accurate assessment of the damage. For example, the company initially said that attackers had access to its network between May 2006 and January 2007. Later it admitted that thieves were inside the network several other times, beginning in July 2005. The came word that the stolen data covered transactions dating all the way back to December 2002.
TJX has also come under fire for failing nine of the 12 requirements under the Payment Card Industry's Data Security Standard (PCI DSS). Michael Gavin, a former Forrester Research analyst who now works for Security Innovation, said he can see a scenario where a company can come close to meeting PCI DSS but end up getting slapped for coming up short on more obscure provisions.
"Failing nine of the 12 requirements is quite bad, but each requirement consists of many sub-requirements, and furthermore some of those have sub-requirements," he said in an email exchange. "While unlikely, especially from what I have heard and read about the TJX situation, it is possible to be quite close to passing all 12 requirements, but actually fail nine of the 12 for one relatively minor sub-requirement in each of the nine failed requirements."
It's possible TJX could have achieved better PCI compliance had the privacy and security teams been working more closely together. But even if that wouldn't have made the difference, experts at the (ISC)2 event said better communication between both camps could have meant a better data breach response.