
The Adoption of Information Security

By Dan Hadaway | Tuesday, February 17, 2015

and the Advent of “Partial Compliance” . . .


How do you decide where to start if you are NOT in a regulated industry?
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .



I have been having more than one interesting discussion with a few prospective Clients recently.  The conversation I have in mind was with a gentleman who runs a company that is NOT in a regulated industry.  This particular business is not collecting substantial amounts of PII or ePHI, other than checks he gets from his Clients, which are collected as he relies upon Remote Deposit Capture.  He is conscious of the need to protect information about his customers, and has already undergone a high-level compliance audit.  He’s reaching out to infotex as a part of his risk mitigation efforts.

But his primary question, which is similar to questions I’m getting from several unregulated businesses, and born out of a skepticism that information security is worth the cost, is this:

 “Are we in the early adopter phase of information security adoption?”

I almost feel like these businesses are “using my own language against me” because I do preach that you should determine where you want to be “in general” when it comes to the adoption of technology, and I encourage smaller businesses to consider being a “late majority” or even a “laggard” when it comes to adopting technologies outside the core mission of their business.

Now . . . I have to admit my response has evolved as the question keeps coming up.  But I think it has stabilized now, to the point where I’m writing an article about it.

And the evolution of my response is interesting.  By the time I talked with this gentleman, I had learned to avoid my initial “knee-jerk” response:  “You can’t partially comply with information security.  The bad guys aren’t going to say, ‘oh wait, he didn’t protect this part of his system, so it wouldn’t be fair for us to exploit this vulnerability.’”

And though knee-jerk, I withheld from using that response the first time this question was posed to me by an unregulated business.  My earliest response was to a woman who was also wondering if holding off on security would mean that when she DID pull the trigger she would deploy more sophisticated processes at a lower price.   I swallowed my “you can’t partially comply” response, and instead I asked, “do you consider protecting your customers to be one of your core services?”  It was easy for me to respond in this way, to this particular person, because she had met me at a webinar where I was preaching that you can be a laggard in technologies outside of your core services.

But this response didn’t work so well in the next few opportunities, partly because I hadn’t had a chance to explain Everett Rogers’ Diffusion of Innovations theory, but also because over time I was realizing that even in regulated industries we CAN justify “partial compliance” to a framework.  Let’s face it . . . . even regulated businesses are in . . . . SHOULD BE IN . . . . a state of “partial compliance,” and that’s one of the most important deliverables of a good risk management program!

So by the time I was in this most recent conversation, my response had evolved into this one:

“You should base the level and timing of adoption on the promise that you are making to your customers.”

My prospective Client had asked, “once we choose this framework, what would make us want to be in ‘full compliance’ with it?  Why not strive for ‘partial compliance’?”  But by the time we had this recent conversation, I had abandoned the “no partial compliance” answer.  Don’t get me wrong, I will always answer any question about “where do we start” with “conduct a risk assessment.”  To me, no matter WHAT you decide to do, the risk assessment has to be a decision-making tool.

But beyond that, I’m totally behind the concept of “partial compliance.”  In fact, I would recommend that NO small business be in “full compliance.”  But you still need to determine where, on that compliance spectrum, you want your business to fall.

So when asked, “do we become an early adopter of Information Security in general,” my response is now squarely at the following:

“Base your compliance response on the promise you’re making to your customer, whether overt or as part of your ‘illusion.’   Use this promise to determine how much risk is acceptable.  And then articulate your current position with a risk assessment.”

Like any other technology adoption, you need to decide how important Information is to your company, from two angles:  reputation with your customers and value to your own company.

Because you are not regulated, this decision is more difficult.  Your customers MAY be forgiving if you experience a breach.  The implications of your adoption decision are more crucial for you than they would be for a financial or healthcare institution, because regulated businesses have no choice.   Compliance to them is as much a “cost of doing business” as rent and utilities.  If there is a breach and the aftermath shows they are “not in compliance,” they’ll be in big trouble.  That, in fact, is what makes you a “non-regulated business” . . . . you have no legal responsibility to focus on information security.

So to me, it boils down to this:  what promise are you making to your customers?

  •  If you are my daughter, selling oil paintings for a living . . . and wow, she’s actually making a living at it! . . . . there simply is NO promise to her customers.  Some pay by cash, some by check, some by PayPal, but my daughter is not giving ANY illusion that she is protecting your name or that check.
  •  If you run a gas station, I would say the extent of the promise to your customers . . . . at least as it relates to information . . . is that if they use their credit card at the pump or in the station, you are complying with certain ‘standards,’ invented by the Payment Card Industry, to protect their credit card number and any other information associated with it.
  •  If you also use any type of “discount card,” you may also be making a promise, or at least “giving the illusion,” depending on how you use any other information collected at point of sale, that you are only using that information for internal purposes and not selling it and that you are also protecting that information.

If, in the course of your business, you collect Personally Identifiable Information (PII, which could be PHI, ePHI, NPI, etc for those of you in regulated industries), your customers are expecting you to protect that information, and that expectation becomes part of the “illusion” you are giving to your customers even if you are not overtly promising that protection.  That illusion is part of your “customer service process.”


If you do NOT collect PII, then there is no illusion.


Most companies collect PII when they accept a payment, even if by check.  But we can say the volume on that is small enough that it’s not worth jumping through a whole bunch of hoops to protect that information, beyond common sense controls.  But if you are collecting information beyond that, ask yourself:  do my customers expect me to protect this information?  Is that part of our “customer service promise?”

The key question you must ask yourself is this:  what are you promising, and how important is it for you to keep that promise?

Because if information security is part of your promise, then you should be an early adopter of information security technology.  If not, then yes, play the numbers game and, in the spirit of “partial compliance,” go after the low hanging fruit so you can increase the likelihood of “staying under the radar.”

But also know that you could eventually be breached, so if you are fooling yourself, you are also fooling your customers  . . . and they won’t be happy about that!


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


