Corporate security pros have to worry about not only whether the defenses they create meet industry standards, but also whether they adequately defend information on the network, says Torsten George, a vice president for security firm Agiliance. Increasingly that includes whether the defenses withstand legal scrutiny of class-action lawsuits brought by those whose information becomes compromised.
Even as the consequences of corporate data breaches grow more severe, it is now accepted that every business network will eventually be breached, which leaves the executives responsible for protecting those networks in a difficult position.
"Yes, you will get breached even if you have a defense-in-depth strategy," says George. "This is a reality nowadays. There is no 100% protection."
In order to survive the scrutiny of regulators, other enforcement agencies and the courts, security pros should make sure their defenses go beyond merely following standards by rote, Straight recommends. "Ask, 'Am I actually protecting the information I should protect?'" he says.
Structurally, security officers such as CSOs shouldn't report to the CIO, because the two roles have conflicting duties, he says. The CIO is responsible for designing networks and keeping information available for use; the CSO's job includes restricting that access.
Corporate security execs should carefully document the defenses they do put in place. "No matter what we do at some point there's going to be intense scrutiny on what we do. We'll have to sit in front of our colleagues and explain how the security program is adequate," Straight says.
Despite best efforts, legal trouble will become a long-term nightmare for companies that suffer a loss of customer data. "Technical remediation is relatively straightforward," Straight says, "legal fallout will take years."