I was interested to read the results of a Secerno poll reported in today’s Computer Weekly. The poll reveals that 77% of IT Security professionals back a UK data breach disclosure law, and that around half of those who back such a law believe that companies should be forced to disclose a data breach immediately.
It’s reassuring that so many professionals are prepared to risk their careers in the interests of leveraging the business case for their security budgets. Because disclosure is a double-edged sword. It imposes a reporting burden on companies and it presents a threat to management. But it also helps protect customers and leverages business cases for security improvements. I’m a strong advocate for such reporting because it makes business units pay closer attention to security.
We all understand the importance of engaging business managers in security risk assessments. But in practice too many managers interpret this as an excuse for not spending money. Risk appetite too often becomes correlated with the cost of security, rather than the business impact of breaches. Data breach disclosure helps bring home the consequences of incidents. And as any good psychologist will tell you, the key to achieving a behaviour change is to highlight consequences of people’s actions that are personal, immediate and certain.
As with any significant change, there will be casualties. We’ve already seen data leakage incidents this year that have cost companies millions – perhaps billions – of dollars. Let’s hope that other organisations will learn quickly from their pain. And let’s hope that Crown immunity won’t prevent Government ministries from disclosing their breaches. Of course the real answer to that one is to place sensitive citizen databases under the management of private sector specialists operating under strict Government regulation. Because Government is good at that.