Economic growth and prosperity rely on healthy business communications. Whether this is between corporations, with customers, or with governments, the ability to quickly and reliably share information is key to the long-term success of any venture. But wrestling with the potential tradeoffs between speed and collaboration vs. risk and exposure is not a simple matter.
Information Security and Privacy: At Odds with Speed and Collaboration?
Thought Leadership Summit on Digital Strategies
May 25, 2004 - Hanover, NH
hosted at the Tuck School of Business
CIOs and security executives from Cargill, Cisco, Citigroup, Dartmouth-Hitchcock Medical Center, Eaton, Fidelity, General Motors, Hasbro, IBM, Owens Corning, and Staples were joined by academics from Tuck, Harvard, Dartmouth and Bentley for this roundtable. This event was the seventh summit in the Thought Leadership Summit on Digital Strategies series.
The customer information that must be kept private is also an essential ingredient to product design, marketing and relationship management. The financial information that is confidential needs to be communicated rapidly and transparently to investors at the appropriate time. Similar issues exist in most processes of today's extended enterprise. All of this takes place in an increasingly complex regulatory environment.
Information security is no longer a discussion just about firewalls and encryption. It must include the people who gather and use the information, the defined processes for using the information, and the technology to secure it when in transit, storage or use. This summit explored this complex set of interactions, the tradeoffs and organizational issues they imply. The discussion yielded the following insights:
- Information security today is much like quality was twenty years ago: bolted on not built-in, viewed as an inhibitor of operations, and residing in a "special" department. It must move to being designed in at the start, being an enhancer of operations, and internalized throughout the company.
- Education is key to tackling information security vulnerabilities. Notable areas to address are:
  - Employee education - "We are all part of the solution"
  - Board education - "Good governance today demands security be part of the governance portfolio"
- Information security is not just a technology issue, but also a social one. Two important views that emerged were:
  - Socializing security measures and policies appropriately within a company's culture is very important - tying security to an already well-accepted part of the culture is a best practice
  - The next generation is growing up with a fast and loose understanding of information security (e.g., sharing of passwords and files in p2p links) - university education must improve in this arena
- Better benchmarking and industry standards are needed far more than government regulation. Ideas that emerged were:
  - A managed repository of anonymously reported incidents in industry
  - A source of security spending data, best practices and standard setting to facilitate benchmarking, perhaps residing in pan-industry bodies such as the Financial Securities ISAC
  - An accepted framework for analyzing corporate information security
- Government regulations that touch this space (e.g. Sarbanes-Oxley, EU privacy laws) have been poorly written, variedly interpreted and are driving disproportionate and inappropriate security spending
- The extended enterprise (i.e. collaboration with value chain partners) is being impacted by information security and privacy concerns:
  - You are as vulnerable as your weakest link
  - Corporations are decreasing the number of vendors in an effort to increase control
  - The willingness to go with innovative young companies is decreased
  - The speed of integration is slowed as corporations audit partner security
- The jury is out on whether better security can become a source of competitive advantage. It may be insofar as better security will enable more flexibility in outsourcing and partnering. The odds of it being so are best for technology companies - for many other industries it may just be the price of entry.