Do you remember? In January 2002, Bill Gates sent a famous mail to all the Microsoft employees and announced Trustworthy Computing. Since then it became part of our DNA. The interesting thing to me is, that the four pillars of TwC remained the same (except for pillar four, which we had to re-name). Today the diagram still looks like this:
The key focus of the early years was to get security right within Microsoft. We always stressed, however, that TwC is an industry initiative. Looking at that it was natural that Privacy would be addressed more and more over time.
In parallel we had to learn that the threat landscape changed significantly. A few years ago we had the vandals on the web attacking our systems, bragging about the success of their attacks – today we have the organized crime going for money. To keep it simple, the landscape changed from cool to cash! Our Security Intelligence Report we are releasing today:
- 31.6 million phishing scams in H1 2007 representing 150% increase over H2 2006
- 500% increase in malicious code used to steal passwords / key stroke loggers
- Microsoft's Malicious Software Removal Tool removed infections of Win32/Bancos and Win 32/Banker alone from 615,220 computers in last six months. Both bot programs are used to steal private banking data
So it is pretty clear that Personal Identifiable Information (PII) is today the currency of the criminals.
So, which roles in a company are working with PII? Security people want to protect it. Privacy people want to make sure it is being managed correctly. And the business wants to use it to generate business.
Looking at the intelligence data there is a question that has to be raised: How good is the collaboration between these roles? This is the key question we wanted to get some insights into. Therefore we commissioned a company called The Ponemon Institute, which specializes in privacy research, to survey more than 3,600 security, data protection/compliancy, and marketing executives in the USA, UK and Germany. The research was with companies of various sizes and across many different industry sectors. This study is one of the key announcements Ben Fathi at his keynote he gave at RSA Europe today.
Let me take you briefly through the highlights (lowlights?) of the study.
Collaboration pays off: One of the key questions you will get asked when you look into this is what kind of motivation a manager could have in order to change something to make collaboration happen. The data is pretty clear and significant (we asked the companies whether they had a "significant data breach"):
Relationship between collaboration and one or more reported significant data breaches
This data shows us clearly that a good collaboration seems to lead to significantly less data breaches. The difference between companies with good collaboration and companies with poor collaboration is about 50%! So, you reduce the risk of losing PII significantly and as the CEO is personally liable in a lot of countries this might reduce the risk of the CEO going to jail significantly.
"But the collaboration is not poor": How good is the actual collaboration really? We asked the three groups, whether the business consults security and privacy when they use PII. Look at this:
Is security/privacy asked when PII is used by the business?
If you study this data, it is significant that the security and privacy people think that they are consulted but the business (e.g. marketing) does not really want to talk to us…
Why is this the case? Do you remember that I talked and blogged several times already on the necessity of security to become a strategic value for the business? Security and Privacy is and has to be a business enabler. Is this really true? See the red bar in the following diagram
This shows clearly that the business sees privacy and security as a hindering them to achieve the goals. I have to admit that I understand this. Security and privacy people tend to be paranoid and risk avoiding (do not get me wrong, I am one of these paranoid, risk avoiding people). We do not like to take risks – therefore we tend to say "no" to changes, to new ideas, to new business models… In my personal opinion, IT is here to serve the business and security/privacy is here to help IT to serve the business. There are clearly legal and regulatory boundaries as well as customer expectations to be met. But this is not in contradiction to what I said but definitely in line.
So, how shall we address this problem?
I would love to be able to give you the "silver bullet" just in this section. Before I give you my view on the "solution", let me share a final data point with you. We asked as well whether the combination of the roles would make sense. Here are the results:
This is interesting: If the collaboration does not work, people look for a combination of the roles, where it works, nobody cares of a combination!
This leads to a simple conclusion: There is no silver bullet at all. The solution depends on the culture of the company, the culture of the country and a lot of other requirements around this. The solution to look for is probably pretty individual per company.
Call to action:
There are two things I would like you to do:
- Go to your own company and look (honestly) internally. Ask yourself how the collaboration between security, privacy/compliance, and business actually works. How often did you have data breaches that could have been avoided? After this analysis, go out there and change!
- I was asked several times now, why Microsoft is doing that and whether we can give you a solution. I wish I could! The reason, why we did this study and why we go public with it now is that we want to open a dialogue within the industry at an issue we are convinced that it is evolving and that we have to start working on now – otherwise we will fall behind the criminals again! So, participate in this dialogue and start doing that now – I am looking forward to receiving a lot of feedback and comments!
If you want to get more information on this story, visit our website: http://www.microsoft.com/mscorp/twc/IAPPandRSA.mspx