Sunday, November 11, 2012

Rubbernecking, INFOSEC, and South Carolina.

Get out in front of this one and use it to your advantage!!! 

One of my pet peeves on the highway is rubbernecking. You are driving along, nice rate of speed and wham. Traffic slows to a crawl. After 15 minutes of this, you realize there is no problem on your side of the road. The accident on the other side of the divided highway is attracting the attention of drivers in your lane and they are slowing down to get a good look at the scene. Maybe see some blood, or a crumpled car or two.

In case you haven't heard, the state of South Carolina has suffered one of the worst breaches of private information ever for a state government. See here on Reuters and Yahoo news. 3.6 Million social security numbers and 387,000 credit/debit card numbers were stolen through an internet attack on the state Commissioner of Revenue systems.

As I reflect on the information security catastrophe in South Carolina, I am reminded about rubbernecking. However, in this case a bit of rubbernecking is a good thing. As a public sector CIO you will not be able to avoid it. Lets slow down enough to get in front of this one.    

As you have seen, I write primarily about local government issues. This is one instance where when the state sneezes, the localities can catch a cold. It provides us an opportunity to have the discussion of the value of providing stewardship for our citizens information.

So, for the local government CIO it is only a matter of time until someone asks to have this explained. The usual question will be "can this happen to us?". Here are three things you as CIO can do to get in front of this:

#1 - Answer the question before they ask it.
I always volunteer to go first when given the opportunity to speak or contribute and I am a big believer in getting out in front of a controversy. You WILL be asked about this, unless your management chain is just clueless. Take an hour and compose a brief summarizing your perspective, the efforts to date with information security, the areas of exposure and the work that you still have to complete. Keep the language business level and non-technical.
#2 - Talk to your staff. 
This is a teachable moment. Make sure your staff understands the risk, and the exposure. This is likely to raise a chorus of "...we need to do more!!!", and that is healthy. It is valuable to discuss this as an organization, not just within the information security group. Most information security breaches occur due to a combination of failures.

#3 - Review your INFOSEC program 
Review the South Carolina experience and model it within your own locality. How can you prevent it? If it happens how would you react? What protocols do you have in place? Perform a gap analysis analyzing the difference between where you are, and where you need to be be, using the South Carolina impact as the trigger event.

Sometimes pet peeves like rubbernecking can teach us to slow down and use events to review where we are and where we need to be. There is no higher priority for local government CIOs than protecting citizen data, lets all review how we are doing with that mission.

1 comment: