IT Best Practices and Compliance Reporting Information

The rash of data loss headlines over the past few years has ignited a firestorm of federal, state and local laws requiring notification to anyone whose personal information may have been compromised.

The potential costs of notifying potentially tens or hundreds of thousands of individuals should cause most companies to sit up and take notice. However, the recently released results of a survey by the Ponemon Institute raise the negative backlash of a data breach to alarming proportions.

According to an article in Processor, the cost to comply with breach laws is rising, with an average cost per company per breach of $14 million – or $140 on average in recovery costs per customer record breached. But that’s just the beginning…

The long-term consequences are significant and potentially far more severe. The survey found 20% of customers terminate relationships with a company after a security breach and a full 58% of customers believe the breach notification decreased their sense of trust and confidence in the notifying company.

According to Ponemon Institute founder, Dr. Larry Ponemon, “This permanent loss of customer trust and confidence can translate into hundreds (or even thousands) of dollars in lost future economic value per customer or perspective customer.”

If you don’t have the ability to identify on the detailed configuration settings that control the security of every part of your infrastructure that interacts with your critical data, you are at great risk. Are you prepared to risk losing 20% or more of your customer base?

There is an automated solution that will significantly reduce your risk of exposure to a breach. Believe me, the expense is negligible in the light of these costs!

It's been a while since my last post. I have been traveling around the country speaking at a number of IT security and compliance events.  Last week, I was in Las Vegas to speak at ISACA Net Security 2006.

Two other recent security-oriented events emphasized the need for IT to shift their emphasis in communicating with corporate executives away from protecting infrastructure to the top-of-mind issue of data security. However, the events fell short of providing compelling evidence to convince corporate executives to invest in IT security.

At Forrester’s Security Forum 2006 in Atlanta, Georgia, Paul Stamp, a Forrester analyst, said, “The focus should be, we need to protect data vs. secure the infrastructure.” Stamp was quoted in Network World as saying to head off data leaks, business units must accept responsibility for the security of the data they generate and control.

Meanwhile, at The Security Standard conference in Boston, Massachusetts, IT managers were given a similar message.  Attendees were challenged to focus on business risk, customer impact, regulatory requirements and due diligence when justifying the need for IT security investments to corporate executives.

Unfortunately, all the explanation in the world still can’t hold a candle to one event when it comes to loosening the corporate purse strings. According to Edward Amoroso, CSO at AT&T Inc., in a ComputerWorld article, “the most effective way to get more funding for security is to flunk an audit test.” Mr. Amoroso did add “that [method] can be destructive to one’s career” as he went on to suggest having an auditor come in to identify security gaps.

Well, Mr. Amoroso is half right. Plenty of spending commitments mired in red tape can be approved and implemented in lightning speed in the wake of one failed audit. Where Mr. Amoroso goes wrong is in recommending bringing an auditor in to identify security gaps.

First, auditors are not cheap.  Second, bringing an auditor in without knowing what your gaps are is inviting additional scrutiny you might not be prepared to handle.  Third, an auditor can show you your weaknesses, but they probably aren’t going to tell you how to fix them.

A better answer is investing in an automated solution for reporting detailed configuration settings and changes to those settings.  These reports can identify the specific security gaps in your infrastructure and compare those gaps to your standards. Results can be shared with corporate executives to validate the need for increased security spending and your personnel can quickly identify and remediate problems before the auditor shows up. Better yet, in addition to a more secure infrastructure, you’ll be able to generate reports as a deliverable to hand the auditor the minute they walk in the door. And, you’ll have the confidence of knowing you’ll pass with flying colors.