Honesty is the best policy - even with data outflows!
Data leaks are, of course, not a purely IT problem. But CIOs, because of their position in the company, are in a position to ensure that handling them honestly is the only possible course of action.
The survey referred to was conducted this year at the RSA conference in the USA. Some conclusions are even more surprising; after all, a large proportion of the more than 1,000 respondents work for US companies.
In contrast to many countries in Asia and Europe, the USA has a very strict reporting obligation. This means that covering up data leaks is simply illegal!
Nevertheless, many companies prefer to keep quiet about a data leak: The damage caused by compliance penalties, cleanup costs or negative press is enormous! Customers or investors could also jump ship - not to mention the share price.
Risky business
If cybercriminals want to compromise your organization, you must assume that they will succeed! As a CIO or security manager, you should at least foster a culture of openness.
The reporting of security incidents, or even "just" suspicions, should be welcomed rather than frowned upon. Only then is there any chance of discovering possible incidents at an early stage.
This requires a certain framework. The first step is a comprehensive risk analysis. Only then can you sit down with the management.
This is primarily a matter of deciding what level of risk the management is willing to bear. Every organization has different ideas here. Those that are willing to bear a higher risk will invest less in information security than those that are not.
Once this decision has been made, the next step is to invest the corresponding budget in tools for risk management and mitigation. In this way, the IT department has created good conditions to "cover its back".
After all, there should now be no reason to conceal data outflows. If this does happen, it is often due to uncertainties, a lack of structures, or the absence of a risk-based decision-making basis.
Unfortunately, very few organizations explicitly train their employees on the desired code of conduct. In large organizations, it is often learning-by-doing; in small and medium-sized ones, even this is hardly the case. As a result, incidents sometimes "peter out" in the IT department.
Code of conduct as a blind spot?
It is therefore all the more important to explicitly define a code of conduct. This should also contain very clear rules on reporting incidents and suspicious circumstances, but also on how to deal with them.
Of course, this means a certain amount of effort. However, it makes more sense to put in the effort beforehand. In an emergency, everyone then knows how to act - and the probability that everything will go smoothly is significantly higher than with panicky ad hoc decisions in the heat of the moment.
It also allows each incident to be seen as an opportunity for improvement rather than a failure. It is an opportunity to learn and to sit down with management again with the lessons learned.
Be it to sharpen or strengthen its own profile - or (hopefully) to discuss an increase in the budget. And as if that weren't incentive enough, there is also the European Union's General Data Protection Regulation. When this comes into force shortly, we will have similarly stringent requirements and reporting obligations as in the USA, including very severe penalties for violations.
So this should be another good reason to prepare and introduce a risk-based approach in the company. Because against this legal background, honesty really is the best policy - and the best way to improve security.