"Can we stop data breaches, really," was the title and first question asked during a panel session at the 2012 RSA Conference in San Francisco. The five people debating this topic were:
• Larry Ponemon (@ponemon), Chairman & Founder, Ponemon Institute (Moderator)
• James Christiansen, Chief Executive Officer & Chief Information Security Officer, Evantix, Inc.
• John Townsend, Manager of Information Protection & Security, DTE Energy
• Rich Dandliker, Director of Product Management, Symantec Corporation
• Jon Oltsik (@joltsik), Senior Principal Analyst, Enterprise Strategy Group
If you came just for the answer, you could have left after the first three minutes as the entire panel universally answered, "No." But all is not lost. The team offered up some really interesting tips and advice to thwart data breaches, and explanations as to why data breaches can never be stopped. Here are some of the topics and issues that came up during the discussion:
• It's like the war on drugs. We can stop some problems, but the issue is getting bigger and we're getting worse at stopping it.
• You'll never stop the intent some people have to break in.
• There are so many levels of regress that it's an impossible task to stop all data breaches.
• We can improve the situation by educating employees and putting proper monitoring in place.
• Larry Ponemon told a story from his research about one employee who lost 11 laptops in two years. Instead of disciplining the employee, the management's attitude was, "You just have to know this guy. He loses things." What do we need to know about this person? Is it negligent? Is it criminal?
• Data breaches happen because of criminal or malicious intent, absent-mindedness, or people who are trying to get work done and don't know a better way.
• Christiansen said in some cases you have to look at the result of a data breach and not the intent.
• Well-intentioned insiders often cause data breaches. For example, Dandliker mentioned a story of doctors forwarding patient emails to their webmail accounts so that they could catch up on work from home.
• While training helps with awareness, we have to assume that training can only go so far. There's a diminishing return if you keep spending money on training.
• Training shouldn't be a once-a-year class, but rather technology tools that deliver real-time notifications of problems. Dandliker told a story of one company that sent real-time alerts to employees when they were doing something that could constitute a data breach. They didn't block anything, but as a result of the real-time warnings, problems decreased 80 percent.
• IT is losing control. Many IT decisions are being made outside of IT. This envelops the consumerization of IT and also the movement of business processes to the cloud.
• There's a greater assumption to data availability. Customers expect their data to be available everywhere. IT can no longer say no to universal access as employees can sidestep IT to get what they want to do their job.
• BYOD -- One of the concerns employees have about BYOD is that the company can confiscate the device. It's not a mild concern. They're appalled. They're reluctant to let the corporation put any sort of agent on their personal device. It's a major challenge.
• Never say never. There was a time that companies claimed they'd never have wireless in the corporation or that they'd never outsource IT. Remember that was our history and be prepared to evolve.
• There are plenty of options for BYOD. The question is what have organizations had success with? What options should I choose?
• Say yes more often to questions about expanding capabilities. You'll get the CEO to listen to you more rather than just being seen as a cost center.
• Ponemon said that from his research the most severe data breaches are inside jobs.
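The "warn, don't block" approach Dandliker described (real-time notices to the employee rather than hard enforcement) is easy to picture as a small policy check over outbound-mail events. The following is an added example, not code from the panel, the author or any vendor; the log format, the hospital.example organisation, the list of personal webmail domains and the PHI/PII classification labels are all constructed assumptions for the example.

```python
"""Added example (not from the panel or any product): a tiny "warn, don't block"
check over outbound-mail log lines, in the spirit of the real-time employee
alerts described in the panel. Log format, domains and labels are constructed."""
import re
from collections import Counter

# Assumptions for the example: which domains count as personal webmail and
# which classification labels the mail gateway attaches to regulated content.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
SENSITIVE_LABELS = {"PHI", "PII"}

# Constructed sample log lines for a hypothetical hospital.example organisation.
SAMPLE_LOG = """\
2012-02-28T09:14:02Z user=dr.lee@hospital.example action=forward to=dr.lee@gmail.com labels=PHI
2012-02-28T09:20:45Z user=nurse.kim@hospital.example action=send to=claims@insurer.example labels=PHI
2012-02-28T10:02:11Z user=admin.ray@hospital.example action=send to=ray.home@gmail.com labels=-
2012-02-28T11:37:09Z user=dr.lee@hospital.example action=forward to=dr.lee@outlook.com labels=PHI,PII
"""

KV = re.compile(r"(\w+)=(\S+)")
PAST_TENSE = {"send": "sent", "forward": "forwarded"}


def parse_line(line):
    """Turn one log line into a dict; labels become a set (empty for '-')."""
    ts, rest = line.split(" ", 1)
    ev = dict(KV.findall(rest))
    ev["ts"] = ts
    ev["labels"] = set() if ev["labels"] == "-" else set(ev["labels"].split(","))
    return ev


def recipient_domain(addr):
    """Domain part of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(ev):
    """Return a warning dict when regulated content leaves for personal webmail,
    otherwise None. Delivery is never blocked; the sender is only notified."""
    hits = ev["labels"] & SENSITIVE_LABELS
    if recipient_domain(ev["to"]) in PERSONAL_WEBMAIL and hits:
        verb = PAST_TENSE.get(ev["action"], ev["action"])
        return {
            "ts": ev["ts"],
            "user": ev["user"],
            "to": ev["to"],
            "labels": sorted(hits),
            "message": (f"{ev['user']}: the mail you just {verb} to {ev['to']} "
                        f"contains {', '.join(sorted(hits))}. "
                        "Please use the approved remote-access portal instead."),
        }
    return None


def run_policy(log_text):
    """Evaluate every line; return the warnings issued, in log order."""
    warnings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        w = evaluate(parse_line(line))
        if w:
            warnings.append(w)
    return warnings


def per_user_counts(warnings):
    """Repeat offenders surface here; that is where targeted training pays off."""
    return Counter(w["user"] for w in warnings)


if __name__ == "__main__":
    issued = run_policy(SAMPLE_LOG)
    for w in issued:
        print(w["message"])
    print(dict(per_user_counts(issued)))
```

Only the two forwards of labelled patient data to personal webmail produce a notice; mail to a business partner and unlabelled mail to webmail pass silently, so the warnings stay rare enough that employees keep reading them. The per-user count is what turns individual notices into a view of who needs a conversation rather than another annual class.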
After the session I spoke with the moderator, Larry Ponemon, about a study he did on data protection activities and how much they matter in preventing data breaches.
What he discovered is there's a huge knowledge gap between the people responsible for protecting the data and the C-level people who need their data protected. This is a real problem for security people who need funding and for C-level people who need the company's data protected, said Ponemon.