This year has marked another key milestone for IT executives again beyond our control. The Snowden revelations have had the same impact 9\11 had on international airline security. A recent seminar I attended was both illuminating and very open. The panel members represented the who’s who in security and data privacy, and very clear about the situation every company finds itself in now. The message we’ve been hearing for a while now has been updated to this: There are only two types of companies: One that knows it’s been breached, and one’s that don’t. Therefore the obvious conclusion is how does this not so good message percolate to the Board and to the customers.
BYOD – bring your own device – is no longer just a concept, but most organizations are actively pursuing this path. The conference clearly outlined the increasing security issues which Smartphone access have created and sadly, ramps up the ongoing monitoring, intrusion alert and diagnosis requirements for any business, something that very few have planned for.
Many of the conclusions reached by the panellists and surprisingly, the lawyers, were that every company should be able to support a ‘fair information practice’ well beyond most privacy guidelines currently shown as due diligence. This really means any business must show the proportionality and purpose of their data collection and in effect, walk the talk that data collected is only ‘what is really needed’.
Finally, I was very impressed with the legal advice for companies to be far more open and have ethical review boards that clearly show to customers that privacy policies are being adhered to, and that data is now considered an asset which needs to be protected and requires consent and the ability for customers to get answers when they ask what ‘data do you have on me’
In true legal contradiction, the advice was the cost to brand damage is a ‘pay me now or pay me later’ and a reasonable balanced far more open approach is unequivocally required to maintain confidence and control over all costs.