Security and governance: Balancing collaboration and control

In late 2006, hackers stole information concerning 45.7 million debit and credit cards from the parent company of discount retailers T.J. Maxx and Marshalls. In another security breach last year, the confidential information of some 1.3 million job seekers was stolen from the website of Monster.com, the online job forum. The two incidents show the importance of governance and compliance, and illustrate the sticky problem of balancing collaboration and control — topics discussed by a panel of experts at the "Achieving Innovation through Collaboration" symposium, hosted recently by the Center for Advancing Business through Information Technology at the W. P. Carey School of Business.

In late 2006, hackers stole information concerning 45.7 million debit and credit cards from the parent company of discount retailers T.J. Maxx and Marshalls. It was the biggest breach of consumer information up to that time, according to Associated Press reports. The retailers remained buoyant, however, and stock in the TJX Cos. still does well.

In another security breach last year, the confidential information of some 1.3 million job seekers was stolen from the website of Monster.com, the online job forum. Reuters, the news agency, called it "one of the biggest Internet security breaches in recent memory" and reported that the hackers who broke into the password-protected site used credentials lifted from its users.

The two incidents show the importance of governance and compliance, and illustrate the sticky problem of balancing collaboration and control — topics discussed by a panel of experts at the "Achieving Innovation through Collaboration" symposium, hosted recently by the Center for Advancing Business through Information Technology at the W. P. Carey School of Business.

Privacy and trust

In light of the T.J. Maxx and Monster.com incidents, the most important security and compliance issues facing U.S. businesses today are privacy and trust, says Benjamin B. M. Shao, associate professor of information systems at the W. P. Carey School and the panel moderator. Americans are gravely concerned about identity theft, and believe that personal information should be guarded vigilantly, Shao said.

"Privacy is a key deterrent for people in conducting transactions, both online and offline. Governmental legislations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA) can help," he said, "but American companies still need to find new ways to increase customer trust in them." New business like ID theft protection has been born out of this privacy concern.

Creative and innovative solutions are critically needed and can offer tremendous opportunities. New approaches will also involve governance and compliance. According to Wikipedia, governance includes consistent management, cohesive policies and processes, and decision-rights for a given area of responsibility. Governance catches breaches, monitors and fixes errors, and reports problems. It is proactive by design.

Compliance, however, refers to the systems or departments at corporations and public agencies that ensure that personnel are aware of and take steps to comply with relevant laws and regulations. Each company must decide what governance and compliance means for their own organization, said technology risk manager Mark Williams of Protivity, because it will vary considerably depending on the nature and history of the company and its employees.

"This must be well documented and detailed." The policies and procedures that constitute governance and compliance are similar, he added, but there are discreet differences between them, and organizations need both. Along with the "Thou Shalt Not" there must be training.

Increasing the risks of security breaches

What about outsourcing? Does this increase the risk of security breaches? Most business managers presume that outsourcing financials to professional experts reduces risk because it reduces error. This is a national trend, but Rob Maloney, Solutions Engineer for Nexus Information Systems, questions whether it lowers risks at all. "All that outsourcing does is lower culpability. It's somewhere to hook blame," Maloney said.

The way to minimize damage is dedicating an in-house manager to oversee everything being done on the outside, Maloney added. Bijan Hafezi, the vice president of security sales consulting for CA, said that the requirements of the Sarbanes-Oxley Act and the growing numbers of identity thefts have driven business to his company.

His new clients — including health, IT, and real estate companies — are looking for solutions to help comply with these mandates, he said. Social networking sites like LinkedIn.com and MySpace.com present new security challenges for companies, Hafezi said. An increasing number of job seekers subscribe to these sites, Hafezi said.

He found several recruits on LinkedIn, and many included their MySpace links within their resumes. These social networking sites create new risks for corporations, he said. "People can fish for passwords or these can be lost or leaked," he said. "Then there is the problem of third-party copyright, with people taking credit for other's information, their work achievements or ideas."

Minimizing security risks

So, how to minimize these risks? Enforcing governance programs by educating your workers should help, Hafezi said. Companies should be enforcing compliance checks and developing risk management, including watchdogs to monitor your site, filtering content, requiring different sign-ons for different social networking sites, and assigning one employee to monitor social networking in general.

"It might be viewed as snooping but in this climate, management should know which employees visit these sites," he said. In spite of well-publicized security breaches like T.J. Maxx, some old-school companies still resist making their company information secure and compliant. Some companies, even large and established ones, are complacent, Williams said. "These company executives think that the old system had worked up until now, so why change it?"

There is also value in investing in security and logging. Logging allows you to track those who have accessed your IT resources, such as your servers, files, and printers. The log should include the point of access and the time. The resulting log file allows you to identify where, when and how a problem occurred. But this pays off only if you invest in the tools that allow you to draw crucial information from the data, said Maloney from Nexus.

Hafezi endorsed logging too, but said that a system should be shut down immediately if a security leak arises. Most companies do not have automated systems that can respond to security breaches; most still need manual intervention. Automated systems (incorporating intrusion detection systems, application-layer firewalls and network address translation, or NAT, servers) should be accompanied by well-planned procedures and policies to guide people to respond to security breaches as soon as they happen.

It's all about trust, Maloney said. A lot of information is stolen from the inside, in his view. "There will need to be another T.J. Maxx incident before we get through to businesses unfortunately, and that's just the way that things work," he said. To sum up, Shao notes that the requirements of security and control for social networks are unique in the open and collaborative Web 2.0 environment. In this context of "organized chaos," we need to strike a balance between the maintenance of security governance and the exploitation of the "wisdom of the crowd."

Bottom Line:

• Benjamin B. M. Shao, associate professor of information systems at the W. P. Carey School of Business, thinks that the most important security and compliance issues facing U.S. businesses today are privacy and trust.
• Shao also believes that concerns about identity theft deter Americans from conducting transactions both offline and online, and that companies need to work harder to win consumer trust.
• When the computer system at TJX Cos., the parent company of Marshalls and T.J. Maxx, the retailers, was hacked in late 2006, the Associated Press reported it was the biggest breach of consumer information ever. The credit and debit card information of 45.7 million shoppers were stolen.
• Businesses are not doing enough to protect their information, and another T.J. Maxx incident might happen before data protection and security experts get through to businesses.
• Social networks impose unique security challenges for companies. The key is to strive for a balance between effective governance control and potential opportunities for collaboration offered by Web 2.0.