The CISO Club, powered by HP Information Security, is an exclusive ...



The CISO Club, powered by HP Information Security, is an exclusive group of security thought leaders who gather to discuss current trends and influences that impact on business security.

At the most recent meeting, sponsored by HP and McAfee, they discussed whether information security professionals have fully grasped the value of data to the enterprise.

It may seem strange to suggest that information security professionals do not understand the value of data, seeing as it should be central and fundamental to their daily working lives. However, the CISO Club was looking beyond the accepted concepts of data protection, based on IT security systems such as DLP and anti-malware. So what was the CISO Club talking about? For a start, they were critical that too many security professionals still see data as an abstract and discrete component of the business process that must be locked down. In addition, security professionals also treated certain groups and stakeholders, within and external to the enterprise, with caution bordering on distrust, despite evidence (from CISO Club members) to the contrary. What they concerned themselves with was protecting data from individuals rather than protecting the data itself. Protected data can flow freely and efficiently serve the enterprise.

It was strongly felt that CISOs and other senior information security professionals need to be much more concerned with critical business data and the role it plays. Instead of focusing on DLP systems that are thought to be out of step with advanced CISO Club thinking, CISOs should begin to build a programme of data trust and responsibility among employees and bring them on message that the protection of customer data, archived data, shared data and in-transit data is paramount and increases the business value of enterprise data.

Without such protection, trust fails and essential outsourcing models that promise cost savings and operational efficiency in challenging economies will fail too.

To achieve this shift, CISOs may need to tap into new business theories such as emotional intelligence. This of course may be less than easy for a generation used to dealing with IT-based and firewall thought processes, but in a conflicted and complicated business world coping with consumerisation, cloud and cyber crime, it's something they may have to get to grips with soon.

In terms of data, the CISO Club suggest an emotional approach would be to ask how employees handling data, which is most in the modern enterprise, might feel if their own personal data was mishandled or lost. This is a direct emotional appeal and transforms data from an abstract notion into a valuable asset just like personal music or photos.

That way employees begin to see the value of data and take ownership. The message should be that employees are not just data handlers but must see themselves as responsible data owners for however long that data is in their care.

Lessons from the CISO Club

Employees (at all levels) should care for data like any valuable physical property – such as the consumer devices that they wish to bring in to the enterprise today.

However, all too often CISOs worry about the threat from short-term contractors and partners who have access to data whereas the threat from full-time staff is far larger.

This threat could be down to complacency, carelessness or malice, but whatever the reason, CISOs are allowing themselves to be distracted by dangers that do not necessarily exist. They are not paying attention to those that exist right in front of them.

Information security professionals must reappraise data strategies if they are to ensure secure data flows across all borders and business processes. They need to take a more intelligent and human-based approach to data, its value and its shifting residencies.

Today, data is only as secure as the people charged with its protection, but if people are made positively aware of their ownership responsibilities and empowered, data security can be increased significantly.

For more information regarding the CISO Club please contact

Key takeaways from the

1. Outsourcing and data sharing are the lifeblood of the modern enterprise; enhance your data protection policies to embrace this.
2. Concentrate on soft skills and the human element in data flows.
3. Develop emotional intelligence and apply it to policies and people management.
4. Root out and deal with careless data-owning employees and re-educate where necessary.
5. Empower employees as data owners to take pride in data responsibility.
6. Stop looking for data thieves and leaks. Start to build trust and create better data flows. The bad guys will out.
7. DLP systems have outlived their usefulness but may have some use in identifying business processes and can be redeployed.

