ChoicePoint Inc., which became the poster child for California's data breach notification law earlier this year, undertook a slew of initiatives to position itself as a company that holds customer privacy in high regard. Over just six months, the acquisitive company's lead executives stopped selling information that contains sensitive consumer data, acquired a fraud detection/analytics solutions company, and enhanced their privacy website to offer information and assistance to customers on identity theft and more.
The much-covered data fraud incident, which was facilitated through what many experts say was the company's lax customer credentialing process, involved criminals posing as legitimate clientele to obtain sensitive consumer data. After the company announced the activity in February 2005, its stock quickly dropped some 10 percent in one day. Overnight, ChoicePoint, which comprises 4,000 employees spread over some 50 locations, became a household name to even the most novice technology users.
So far, the ongoing investigation of the event has prompted a total of 162,000 consumer disclosures. Initially, as required by California's SB1386, the company notified 145,000 individuals whose information could have been compromised.
Not surprisingly, during that same six-month period, ChoicePoint executives also hired a former government administrator to fill a newly established privacy program post. Carol DiBattiste, the chief credentialing, compliance and privacy officer, leads an independent office in Washington, D.C., overseeing improvements in customer credentialing processes, a site-visit verification program and more. While she reports directly to the Board of Directors' Privacy Committee, she and Aurobindo Sundaram, the company's assistant vice president of information security, are working closely together to ensure the protection of proprietary data, says Sundaram, who has filled the IT security role for about five months.
"There's an awful lot that we work together on. Her primary role is in handling privacy issues, interfacing with government agencies, regulatory concerns, things of that sort. Under the information security umbrella, which I own, it has to do with internal information security, such as protecting against network-based attacks, protecting our internal users against virus attacks and [more]," says Sundaram. "Where we do work together is where we can use policies and all the things that we, as the information security unit, develop for internal users and push them out to our customers, our vendors and our resellers."
Rufus Connell, research director of information technology at analyst firm Frost & Sullivan, says the thieves involved in the ChoicePoint incident "exploited weaknesses in policy. From a network security perspective they were legitimate users," he says. "Network security enforces business policy and therefore is only as strong as that policy."
DiBattiste and Sundaram both look at policy and compliance for information security and confidentiality, but Sundaram's expertise comes into play with implementation, he says. As a simple example, DiBattiste would seek consensus from the business units to adopt the strong user access control program Sundaram's team already runs internally.
ChoicePoint's former CISO Rich Baich, now with PricewaterhouseCoopers, had reportedly advocated for a convergence of security functions, such as physical security, fraud and incident management, credentialing and technical information security, into a single office before he left the company, says Sundaram. But the company has opted to skip such an approach.
"The jury is still out on whether this kind of convergence is actually beneficial," says Sundaram. "In my personal opinion, what I'm seeing is a little more divergence than convergence. Especially in organizations that deal a lot with data and financial information. The amount of things for a single person or office to address has become so great it makes more sense to move some areas into different parts of the organization," he says.
Physical security, which typically sits in the human resources/facilities realm, is simply not converging with the IT security department. Indeed, Sundaram says he is unconvinced it will, because the technology needed to support the oft-trumpeted merger of logical and physical security is not yet available.
"We work closely with the compliance office, internal audit, physical security, and our business units -- in terms of setting policies and letting them prove compliance with our policies," he says. "But I think to have the CISO report directly into the operations and the COO may or may not make sense depending on the company...I don't believe the synergies are there just yet."
Connell says the question about the convergence of various security realms is a good one.
"In some areas, such as government, we are seeing a lot of network security functions, like logical access merge with physical security," he says. "In terms of authentication, we are seeing growing use of smart cards for authentication for both physical and logical access. For this to happen, the responsibility for physical security obviously moves into the hands of the networking and security teams."
But dealing with physical theft of laptops, or with access to physical and virtual spaces, depends more on carefully specifying the interfaces between departments than on converging the units themselves, contends Sundaram. ChoicePoint's incident response team, which is owned by the legal department, includes representatives from information security, human resources, marketing, operations and all business units; it meets every quarter and regularly shares details about new and existing projects.
The potential incidents Sundaram is worried about responding to run the gamut -- from phishing attacks or more sophisticated application attacks to an influx of coordinated attacks spearheaded by organized groups of cybercriminals.
"It's all about the money," says Sundaram. "There's a lot of fraudulent activity that's being attempted."
So, for next year, his team is focused on stronger authentication among internal users and customers, as well as application-level security to help detect anomalous behavior among regular users at the web server level. This means he and his information security team will need to continually find the right arsenal of solutions and best practices to combat these threats.
"Measuring needs, demonstrating value"
Getting both the executive support and resources he requires means measuring and justifying needs, says Aurobindo Sundaram, ChoicePoint's assistant vice president of information security.
"If you can't measure your progress, justify your existence every day, you are going to fail," he says. "I drill it into the heads of all the people who work for me: If you come to me with an idea, you'd better have a way to communicate it, implement it, measure it for success and, most importantly, fix it when it's not working right. We do that enterprise-wide on several of our programs that get sent to my boss, the CIO, and then on up. It's just simple math: if you need people or resources, you've got to demonstrate it."
To do this correctly, IT security pros must avoid ad-hoc business processes, says Rufus Connell, Frost & Sullivan. "With clearly documented processes and policies, somebody can secure your network," he says. "Without it, maybe nobody can."