Tom Preece, Rational’s Business Development Manager, recently spoke with Ted Augustinos, Partner at Locke Lord LLP, about his thoughts on how organizations should best address emerging trends in cyber and information security. Ted is a member of Locke Lord’s Privacy and Cybersecurity Practice Group, which assists clients in developing and enforcing data privacy and security policies to ensure compliance with the standards and practices of the industries and legal frameworks in which they operate. The group also provides legal evaluation, guides forensic evaluations, prepares data breach response plans, oversees remediation, and helps respond to inquiries from governmental agencies.
Locke Lord is a full-service, international law firm of 23 offices designed to meet clients’ needs around the world. With a combined history of more than 125 years and a wide domestic and global footprint, Locke Lord is a worldwide leader in the middle market sector. Locke Lord advises clients across a broad spectrum of industries including energy, insurance and reinsurance, private equity, telecommunications, technology, real estate, financial services, health care and life sciences, while providing a wealth of experience through its complex litigation, regulatory, intellectual property and fund formation teams. To learn more about Locke Lord, visit http://www.lockelord.com
Tom Preece: It seems that despite a growing number of state, federal, and international laws dealing with cyber security breaches and privacy protection, legislation regularly lags behind technological advancement. How is this gap best addressed?
Ted Augustinos: Laws and regulations always lag the market, and that’s clearly the case in privacy and cyber security, where both the threats and solutions change very rapidly. That’s why the best approach is to view the issue of privacy and cyber security for what it is – an enterprise-wide risk management issue. Legal and regulatory compliance is certainly a part of the response, but if this is viewed as a legal problem, the real challenge will not be met. Similarly, it’s not just an IT problem, and IT professionals can’t solve it. The best approach addresses privacy and security holistically across the enterprise by incorporating legal and compliance resources, IT solutions, business leaders, HR professionals, and marketing and PR talent.
Tom: The private sector seems to be responding to consumers demanding increased privacy, with companies like Apple making privacy protection a selling point. Will data privacy be a competitive advantage for companies?
Ted: Increasingly, we see that companies are looking for ways to trumpet their privacy and cyber security profile as a competitive advantage. Of course, this comes with risks, and woe to the company that says it’s better than its peers at this, but isn’t.
Tom: There has been an increased trend towards cloud computing in recent years, including a “cloud first” policy among many federal government departments. Are the advantages of moving to the cloud worth the purported risks, and what are the most important data privacy and security considerations a company should address before doing so?
Ted: The cloud solution is one of many options, and needs to be viewed as such. In considering a cloud solution, the question has to be asked, “compared to what?” Also, not all cloud solutions are created equal. Any assessment must include a thoughtful assessment of objectives, risks, and costs, all in the context of other available options, and all of that looks different for different companies.
Tom: There seems to be a large disparity in the information security maturation level of companies today, even amongst the Fortune 500. Without naming names, can you describe the worst or best information security program you have seen at large corporations?
Ted: The best of the best continually monitor the threat landscape, and reprioritize perceived threats. They follow developments in applicable laws and regulations, and in technology solutions, and update their policies, procedures, and technology to reflect these developments. Their business leaders work with privacy and security professionals in designing and implementing new products, services and initiatives, so that the related privacy and security issues are considered and addressed at the outset. Their governing boards are fully engaged and updated on these issues. The best conduct regular training of all personnel to avoid mistakes, and to identify and escalate incidents that may be of concern. They also conduct simulation exercises with their incident response teams, and use those experiences to improve.
It’s a rare company that hasn’t done any of these things, but the worst will face harsh consequences for not taking reasonable steps toward addressing their legal, regulatory and contractual obligations to protect the data with which they are entrusted, and toward mitigating these risks.
Tom: Many companies require the devastating impact of a security breach, regulatory investigation, or litigation to overcome the inertia of developing a modern information security or privacy protection program. For growing companies that have not yet felt this jolt, is there anything you might say to shock them into action?
Ted: No – if the daily news and the stories of their peers haven’t made an impression, there’s not much anyone can say! Seriously, to overcome the causes of inertia (typically, lack of budget, bandwidth, or a sense for where to start) I would suggest that they work with someone who can help identify and rank threats and vulnerabilities, and set a reasonable list of priorities. Then establish a reasonable budget that won’t bankrupt the company, and start working down the list. There are important things that can be done to improve the company’s risk profile with literally no budget, and there are others where a modest investment will make a significant improvement. There is no silver bullet, but focusing on these issues and establishing a culture of compliance and risk mitigation will better position the company to survive in the current and developing environment.