Former President Obama said, "If the people cannot trust their government to do the job for which it exists – to protect them and to promote their common welfare – all else is lost." By that standard, we may be in trouble.
A report released by the Office of Inspector General (OIG) in September found the U.S. Federal Deposit Insurance Corporation (FDIC) suffered a whopping 54 verified data breaches between January 2015 and December 2016. That's scary, considering the amount of personally identifiable information (PII) the FDIC houses. Doubly scary are these findings:
- The FDIC did not perform the legally required (by FISMA) privacy impact assessments nor communicate with the Data Breach Management Team within the designated timeframe for 13 of the 18 breaches the OIG reviewed.
- On average, the FDIC took 288 days to notify individuals that their PII was involved in a breach, also in violation of the FISMA requirements for breach notifications.
- About 67% of the reviewed breaches took more than the 72-hour timeframe required for initial investigator actions. In fact, the FDIC took an average of 21 days to complete the tasks and did not have an incident response coordinator.
While these findings in and of themselves are staggering, they reveal a much bigger issue within many organizations, U.S. government and otherwise, worldwide: a serious lack of definition, transparency and executive support for information security authority and responsibility. U.S. government agencies, in particular, are notoriously siloed. They largely use outdated practices and technologies, and typically have neither the full support of their executives nor the authority to implement the necessary controls.
So what needs to change within these organizations to avoid the kinds of results experienced by the FDIC? Here are some places to start:
- Clearly defined roles and responsibilities. Every organization must assign information security authority and responsibility to a position, team or department. Not only is this a best practice for security; an increasing number of laws, regulations and contracts require it. The party responsible for information security provides direction to the rest of the organization and ensures appropriate education and tools are in place. In small- to mid-size organizations, this may be a responsibility given to those who have other responsibilities as well. For most mid-size to large organizations, it is necessary to have a dedicated information security department. A key component to emphasize here is that this role must be given authority to make and implement information security decisions and rules. Without authority, those with responsibility will not be effective. I know this from first-hand experience; a lack of authority usually makes it nearly impossible for those assigned to such positions to build an effective program.
- Visible executive management support. Over the years, I have seen a consistent common denominator within organizations that have successful information security, privacy and compliance programs: visibly strong and consistent management support. On the flip side, every organization I have seen without such support has had ineffective programs, creating significant challenges and frustrations for those tasked with information security. Make sure your top executives are seen and heard as they emphasize the need for all employees to follow security rules during the course of their daily work activities.
Tip: Early in my career, I was given responsibility for building the information security and privacy program at a large, multi-national financial and healthcare corporation. The executive VP and CIO agreed to have his name printed in the CC line of every memo and communication I issued. This dramatically improved compliance throughout the organization. The employees could see simply by his name appearing as a stamp of approval on the communications that if they did not comply with the information security policies, they would have to answer to a strong leader. And that could impact the trajectory of their professional success. Now that was game-changing support!
- Coordinated efforts and clear communication. No one security control is 100 percent effective; it takes layers of different types of information security controls. So, as part of these layers, there must be documented and tested data breach policies, supporting procedures and trained teams to be able to quickly, effectively and consistently respond to incidents when they occur. Although the individual, team or department responsible for information security leads these efforts, it must be supported by clear communication and transparency across the organization.
To run a successful information security program, organizations need: 1) funding necessary to have a strong program; 2) training to ensure awareness of threats, vulnerabilities and tools available to mitigate risks; and 3) a coordinated effort to support an information security program instead of disjointed silos that often do more harm than good.