Data privacy, embedded awareness top ISF New York meeting
Designating employees in departments like HR and marketing as privacy ambassadors can help organizations better safeguard sensitive information, a chief security officer from a large food company said at the Information Security Forum (ISF) New York City Division Meeting, “Data Privacy & Embedding Security Awareness,” held at the Harvard Club in New York.
“Don't expect them to be data privacy experts,” the CSO said, but they can be “a local resource for privacy,” built-in sensors of sorts who can identify personally identifiable information (PII). But he noted that he hasn't yet decided “about how to incentivize them.”
The Wednesday meeting gave attendees an opportunity to discuss the issues facing security professionals, particularly as they relate to the Internet of Things.
ISF Managing Director Steve Durbin kicked off a discussion about embedding security awareness. The “mashup of personal and business information” on a single device creates its own set of challenges for chief security officers (CSOs) and others. “I'm now bringing my kids' photos to the party and doing business from the same device,” he said. “That's a nightmare for security. We're creating a perfect storm.”
Pointing to the cascade of breaches that have occurred just in the last couple of years, Durbin said how organizations handle those incidents can make a world of difference. Target, for instance, took a hit for its poor handling of its high-profile breach and is still feeling the fallout, while Home Depot fared better, in part because its response was more practiced.
“Reputational risk and damage is bigger than any particular number that a regulator or legislator can place” on a breach, he said.
He recommended that companies “get the game plan down [for handling a breach] before they hit the playing field.”
Efforts to raise awareness and embed security should meet four requirements, he added. They should be risk-driven, target behavior change, set realistic expectations and engage people on a personal level.
The ISF chief warned against putting too much faith in technology or treating it as foolproof, noting that people are still an important part of the security equation.