Gartner calls for sunlight to disinfect data breaches

Gartner's Security Summit has opened with a call for privacy law enhancements and changes to the way business considers security.

Analyst firm Gartner has opened its Australian security summit in Sydney today (August 14th) with a call for Australian governments to accelerate the development of legislation forcing organisations to disclose breaches of confidential data. Such legislation, the model for which was developed in California, makes it compulsory for organisations to inform customers if data about them is lost or stolen.

"Until business leaders see disclosure they will not believe data loss is an issue," said Rich Mogull, a research Vice-President with the firm. Legislation forcing disclosure, he added, sees market forces compel organisations to tighten security in order to avoid the embarrassing consequences that come with forced disclosure.

"Negative exposure is a phenomenal way to drive behaviors," Mogull said. "The system is broken, the only way to fix it is with data security laws."

Keynote calls for security 3.0

Mogull also used his keynote at the event to prepare attendees for what he calls Security 3.0.

The first phase of security, he said, was the mainframe era. Today's era sees organisations operate reactively, acquiring new tools to cope with the latest threats.

This approach, however, is not sustainable. "Organisations that are reactive spend 8-10% of their iT budgets on security,' he said. "Proactive IT teams spend as little as 3-4%."

Security 3.0, he said, sees organisations start to plan for better security by "baking it in" before they deploy any infrastructure, then working tirelessly to ensure their IT is prepared to deal with emerging threats.

"We call old style security a 'whack-a-mole' approach," he said. "But do you think you can ever win a game of a 'whack-a-mole'?"

"It is a little frightening what the bad guys are capable of and what it takes to respond, so you now need to build and buy security differently. You need to build security first and bake it into bus processes."

"Security 3.0 is a lofty goal, but that is partly because security is a is a journey, not a destination. But it is a journey to nowhere and you do not have destinations and metrics along the way you will not succeed."

Read more on Privacy and data protection