Data Security: A Team Sport
“Data security is a team sport.” That’s how FIS Chief Risk Officer Greg Montana summed up cybersecurity efforts at a June 20 session of the SPARK National Conference held in Washington, DC. The panel included not only experts from the private sector, but also Deputy Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security Gregory Touhill.
“Security has been gaining a lot of prominence in the last few years,” said Broadridge SVP Badhri Parthasarathy, adding that it is so important that at many companies, cybersecurity staff report to the board of directors or CEO.
It is necessary to understand the threat environment, Touhill said. The threats to plan for, he said, are cyber-:
Not Just What, but Who
Simple data protection is not enough, panelists indicated. “Implement data protection, but also regularly validate who has access to data,” said Parthasarathy, warning that if one doesn’t, one is “sure to have some people with access who shouldn’t.”
End users also can pose a threat, observed David Levine, Principal, Groom Law Group. End users “sometimes are happy to give away more privacy than they realize,” said Levine. And, he added, plan sponsors can have unsecured systems.
Best Practices
Panelists offered ideas on the best ways to protect the security of data. Parthasarathy suggested performing threat analytics, and said that engaging a third party to assess and scan a system also can be helpful. “In most cases, you can expect them to see things you won’t,” he said.
Training also is key, panelists argued. “You’re only as strong as your people are,” said Parthasarathy, adding that a firm should make sure the relevant people have necessary training. But in providing training, he said, it is better to target campaigns to specific audiences and functions. Touhill struck a similar theme, telling attendees, “One size does not fit all” and suggesting that “you’ve really got to tailor” training by function in the organization.
But while following best practices is important, a firm should remember that doing so is not the be-all and end-all. Touhill argued that it is important to remember that best practices bring compliance, but the converse is not always true.
The Bigger Picture
Cybersecurity can serve a firm in more than the obvious way. For instance, Levine pointed out, “Not only is having a program or mechanism in place worthwhile, it can be a marketing tool, too.”
And, ultimately, Montana and Touhill both reminded attendees that data security is really about managing risk.