Do you remember? In January 2002, Bill Gates sent a famous mail to all the Microsoft employees and announced Trustworthy Computing. Since then it became part of our DNA. The interesting thing to me is, that the four pillars of TwC remained the same (except for pillar four, which we had to re-name). Today the diagram still looks like this:
The key focus of the early years was to get security right within Microsoft. We always stressed, however, that TwC is an industry initiative. Seen from that angle it was natural that privacy would be addressed more and more over time.
In parallel we had to learn that the threat landscape has changed significantly. A few years ago we had vandals on the web attacking our systems and bragging about the success of their attacks; today we have organized crime going for money. To keep it simple, the landscape changed from cool to cash! The Security Intelligence Report we are releasing today shows this:
So it is pretty clear that Personally Identifiable Information (PII) is today the currency of the criminals.
So, which roles in a company are working with PII? Security people want to protect it. Privacy people want to make sure it is being managed correctly. And the business wants to use it to generate business.
Looking at the intelligence data there is a question that has to be raised: How good is the collaboration between these roles? This is the key question we wanted to get some insights into. Therefore we commissioned a company called The Ponemon Institute, which specializes in privacy research, to survey more than 3,600 security, data protection/compliance, and marketing executives in the USA, the UK and Germany. The research covered companies of various sizes and across many different industry sectors. This study is one of the key announcements Ben Fathi made in the keynote he gave at RSA Europe today.
Let me take you briefly through the highlights (lowlights?) of the study.
Collaboration pays off: One of the key questions you will get asked when you look into this is what kind of motivation a manager could have to change something in order to make collaboration happen. The data is pretty clear and significant (we asked the companies whether they had experienced a "significant data breach"):
Relationship between collaboration and one or more reported significant data breaches
This data shows us clearly that good collaboration seems to lead to significantly fewer data breaches. The difference between companies with good collaboration and companies with poor collaboration is about 50%! So you reduce the risk of losing PII significantly, and as the CEO is personally liable in a lot of countries, this might also significantly reduce the risk of the CEO going to jail.
"But the collaboration is not poor": How good is the actual collaboration really? We asked the three groups, whether the business consults security and privacy when they use PII. Look at this:
Is security/privacy asked when PII is used by the business?
If you study this data, it is striking that the security and privacy people think they are consulted, but the business (e.g. marketing) does not really want to talk to us…
Why is this the case? Do you remember that I have talked and blogged several times already about the necessity of security becoming a strategic value for the business? Security and privacy are, and have to be, business enablers. Is this really true in practice? See the red bar in the following diagram:
This shows clearly that the business sees privacy and security as hindering it from achieving its goals. I have to admit that I understand this. Security and privacy people tend to be paranoid and risk-averse (do not get me wrong, I am one of these paranoid, risk-averse people). We do not like to take risks, therefore we tend to say "no" to changes, to new ideas, to new business models… In my personal opinion, IT is here to serve the business, and security/privacy is here to help IT serve the business. There are clearly legal and regulatory boundaries as well as customer expectations to be met. But this is not in contradiction to what I said; it is definitely in line with it.
So, how shall we address this problem?
I would love to be able to give you the "silver bullet" right here in this section. Before I give you my view on the "solution", let me share a final data point with you. We also asked whether combining the roles would make sense. Here are the results:
This is interesting: Where the collaboration does not work, people look for a combination of the roles; where it works, nobody cares about combining them!
This leads to a simple conclusion: There is no silver bullet at all. The solution depends on the culture of the company, the culture of the country and a lot of other requirements around this. The solution to look for is probably pretty individual for each company.
Call to action:
There are two things I would like you to do:
If you want to get more information on this story, visit our website: http://www.microsoft.com/mscorp/twc/IAPPandRSA.mspx