The missing chair in your boardroom

Hi all,

The attached is an article we did for Sun's Inner Circle newsletter. The lovely Robin Wilton -- IdM guru extraordinaire -- liked it well enough to blog about it here: blogs.sun.com/racingsnake/date/20080528. (Very cool!)

So, I am reproducing it here & would love to hear your thoughts.

Here's the link: http://www.sun.com/emrkt/innercircle/newsletter/0508/feature-bus.html?cid=924946

& the article:

The Missing Chair Around Your Boardroom Table

Protecting privacy is an inevitable challenge in a free society. With more and more personal information moving onto the Internet, what role must companies assume to protect employee and customer privacy? And globally, what are the implications for privacy with regard to cultural differences and harmonization of identity and data protection standards?

Sun Chief Privacy Officer Michelle Dennedy calls this participatory Web era the "Network of You." Below she shares her views on how companies can protect their assets and stakeholders by expanding the way they think about data privacy and personal information management.

Q: What is the "Network of You?"

A: The "Network of You" is a concept that links traditional business practices to evolving Web 2.0 practices in the new environment of data-enriched enablement. The Network of You recognizes that for the first time in human history, we can individually participate in a global web of information flow. There is obviously a strong economic benefit, but there is also a strong risk factor if we're not careful.

Q: What are the most worrisome threats to online users' privacy?

A: The most worrisome threats are the unplanned, unexpected uses of information that violate individual cultural or legal mores. Organizations can fail to notify users about why they're collecting information — or that they're collecting information at all. They can fall into the trap of abusing collected information for which they are a fiduciary, but not an owner. Information about individuals is the currency flowing through the enterprise and that enterprise becomes, in a sense, its banker. One of the biggest threats is failing to recognize the power of information as a leverageable asset. When you collect too much, not enough, or the wrong information, you store risk that doesn't drive value back into the organization.

To quantify the risk involved, we can look at the case study of breach notification legal requirements. In the U.S., it's becoming typical for organizations that have been forced to notify customers about a data loss to provide two years of credit protection per record lost. So if you lose a laptop that contained 100,000 records with a standard credit protection cost of roughly $40 per record, per year, for two years, you're looking at a potential liability hit of $8 million. That figure doesn't account for brand loss, sales opportunities lost, lawyer fees, or the paper exercise of sending out letters. And that's just a ballpark — I've heard figures from banks up to $500 million, or $250 per record for a major breach.

Treating data as an asset up front and giving it the respect it deserves frees precious organizational time for communicating with customers about the stuff that drives revenue.

Q: Data control is said to now be a boardroom issue as well as an IT issue. Thoughts?

A: It's absolutely a boardroom issue due to the ascendancy of information as the most valuable asset. I think there is an empty chair at the CEO's table that is unique in charter from the chief financial officer, general counsel, chief information officer or chief privacy officer. If the trend to use, collect, and manage data and to connect with customers and workers on a global scale continues, there will be a significant role for new types of executive leadership in the boardroom.

There needs to be an information control officer who looks at information the same way you look at cash, with the nuance that information about human beings is non-replaceable. Once you have disenfranchised your customers or employees because you failed to protect their information, you can't get them back as readily as you can recover cash if you have executed poorly in your capital investments. One of the ongoing tasks for this new executive will be to partner with the CFO, CIO, HR, and R&D leaders to help drive in economic value and drive out risk by only collecting information that has value and doesn't cause harm.

In the short term, existing business unit leaders share in these new data asset and liability-driven duties, and each must become his or her own data advocate, legal advisor, and accountant.

The expanding universe of stakeholders and government regulations like the U.S. state data breach notification laws, the Gramm-Leach-Bliley Act, HIPAA, EU Directives, member state regulations, and the Canadian PIPEDA and other international regulatory frameworks will continue to complicate the business landscape. At the same time, a global community of users and creative entrepreneurial opportunities will continue to press for more data, more control, more transparency, and more respect than ever before.

Q: Is technology the problem or the solution? What technologies can be employed to protect privacy in the online world?

A: Technology can be both. If technology is used in the absence of people or processes, it can be a huge risk. Technology can gobble up more information than any human can possibly consume. Technology can share information faster than human minds can think it, so it can be harmful if you don't have that boardroom-level care of information as well as a system that sets up how information flows, where it is shared, who has access to it, what role those people play in the organization, and assurance that the information is audited.

Identity management technology is critical to understanding "who" is participating on your network. "Who" is your customer and "who" will serve that customer's various needs? Sun has deep identity management leadership and experience in helping with auditing and identity compliance. Sun's capabilities include user provisioning, role management, access management, federation, and directory services. These are examples of technology that can make a big positive impact when deployed with a clear strategy to get in front of the business challenge of "who."

You can centralize and better secure data by using ultra-thin clients like the Sun Ray, which greatly minimizes your data footprint and reduces risk. The only way to use a Sun Ray is by logging in, therefore every action is auditable. Instead of spreading data by duplicating and multiplying it across desktops, a greater proportion of the data stays centrally managed at the server level. Users authenticate and access information that is stored in a guarded place. Then security, privacy, and audit professionals can outreach, manage, and train the person who's allowed to use that interface.

Where data really "sticks" is in your storage strategy. That's where technology, management, and training help you figure out how to utilize your information as an asset. Sun's open data archive solutions enable organizations to change the economic equation for their IT departments because they are 10 times more scalable, use 50 percent less physical space, and can reduce energy costs by a factor of 10 over competing products.

It's critical to understand where you're storing stuff. Your CIO may not be looking at the risk and potential rewards implied by stored data. Which gets back to my "empty seat at the boardroom table" notion. Where it's appropriate, cut down your data footprint to keep the good investments of data that drive value, and systematically get rid of data that only serves to create unmanageable risk.

Q: What role should governments have in helping companies or individuals protect their privacy?

A: Hopefully not a heavy-handed one. My personal responsibility is to cover the globe, and we have business interests in almost every country. We must understand how to harmonize information flows with other governments and protect information through its lifecycle when that lifecycle goes from very restricted civil law countries, to common law jurisdictions, to socialist republics and beyond into emerging economies that are only now selecting a governance strategy for people and data.

We have to agree on the functional definition of how information is protected, despite differences in culture and legal strategies. We can look at how identity management strategies can be deployed to ensure that only the right people at the right time in the right place view authorized information.

Let's say Person A is fulfilling Function B and Strategy C is protecting it. Once you realize that the information pipe is secure, you can rationalize that protection in a common law society like the U.S. where we enforce by regulatory agencies and private litigation. In civil law societies like Europe, where the whip is felt from various agencies, protecting the data pipeline with rigor can satisfy those data protection authorities. When you get to other parts of the world with different notions of individual privacy, you can do that same calculus of role-based access — Person A, Function B, Strategy C — and if that protection is robust and transparent enough, it can satisfy all of these governments with differing enforcement strategies.

Q: What do executives need to be thinking about and planning for over the next five years?

A: People, process, and technology. Your people have to know what to do when. You need a leader who understands and cares about data protection and that person must scream from the mountaintops in the language of employees, vendors, and partners to let them know what is expected of them and that data governance is a valuable investment.

Process has a lot to do with your identity management strategy — who is going to be allowed to look at what when? How long is that information available to those individuals? How do you de-provision those people when they move on? It also has to do with how you determine data value, track it across your enterprise, and protect its integrity throughout its lifecycle.

You have to constantly look at your technology resources, whether you own them or whether you leverage Web 2.0 tools and communities, to determine what brings value. Sun leverages an open, interoperable architecture. The reason people come to Sun and the reason that we are the fiduciary for so much confidential, highly sensitive data is because this architecture allows you to think about the future and where information is going to be stored. All of the information that is housed on those storage media comes at a cost if you lose it, and can bring value if you leverage it well.

Comments:

Michelle,
Brilliant article. It clearly shows where you and other CPOs are thinking. In my experience with hundreds of smaller and mid-sized companies however, almost none consider the employees in the data/protection/loss equation except for their role in protecting company and client information. For some reason employee data doesn't have a "value" to most businesses. I think that if they look at the direct costs of a breach you brought out in your piece it might make for a much easier decision to act.
Imagine a company taking the proactive step to offer identity protection programs to staff before a data breach! According to your stats, a business will not spend from $8M to $500M in credit monitoring after a breach of employee data because everyone will already have access to such protection. And if the employee pays for the service, it didn't cost the company a dime! There have been tens of millions of employee and staff records compromised in the past 12 months alone.

I ran across the attached survey yesterday. It clearly shows that execs are living a dichotomy where ID theft is concerned. They fear their own ID will get stolen while at the same time they don’t think it is important to protect the identities of their own employees. They are careful to protect the information belonging to their clients but don’t believe a breach will happen in their company. They acknowledge the risk from lawsuits and fines but are willing to take the risk by doing nothing about it.

I have one question, however. You didn't mention that FCRA, GLB, and FACTA, resulting from the enactment of the so-called Red Flag Rule, now require compliance prior to Nov 1st of 2008. Most every U.S. business is impacted and is required to establish breach response plans and prevention policies.

Thanks for a great and well thought out piece.

John

Business owners have false hopes when it comes to data loss
by Steve Ragan - May 28, 2008
A recent study of fifteen hundred business owners shows that most have an “air of invincibility” when it comes to the potential for their company to suffer an intentional or accidental data exposure. This could explain why we have seen record numbers of information stolen, lost, or leaked over the past year or so.
It is understandable that some companies feel they are secure. However, when the topic of data breaches ranked last among the biggest business fears, behind government fines, lawsuits, bankruptcy, and natural disasters, there is something wrong. Forty-five percent of those interviewed admit they are more concerned about data breaches than in the past; however, that figure pales in comparison to the fact that thirty percent are more concerned that they could personally become a victim of identity theft (76% vs. 45%).
Isn’t it a comfort to know your boss is thinking about you? The next set of data is confounding: eighty-six percent think safeguarding customer data is a high priority, and eighty-three percent believe that a breach would definitely have an impact on business reputation. However, it appears very little customer/employee protection is being implemented, as nearly two fifths do not have an incident response plan or outside vendor management procedures in place. The study also found another third does not encrypt customer/employee data that contains personally identifiable information.
Now that is sad. Customer information is secured, all fine and dandy, but apparently, it is ok to leave the HR data wide open. You have to ask, what is the point of a company spending all this money on data security if they do not protect all of it?
"The survey confirms a head in the sand mentality regarding the threat to businesses today which we call a `data breach awareness gap'," says Judd Rousseau, Chief Fraud Officer for Identity Theft 911. "Many decision makers still haven't implemented the proper security measures to protect their company, customers, and employees."
What this proves is one of two things. Either the companies who took part were part of the smaller class of company that has not yet taken the time to research data protection, or they are so smug they think that because they can throw money at a problem, it will go away. In any case, this is foolish. In the end, if data is exposed, ultimately the senior manager will take the blame. Sure, lower employees will be fired over a security breach, but the boss will have to account to the shareholders or other company directors.
Forty-four percent of those who responded report that a security breach would have minimal to no financial impact on their business, with another twenty-two percent reporting that they don’t know what the financial impact would be. How is this possible? Are these “leaders” on something? While the incident happened last year, TJX still makes headlines over its data incident. How are these “leaders” unaware?
The numbers should be treated as numbers, not as a view of business as a whole. Aside from the forty-four percent of the original fifteen hundred “leaders” who took part in the study, most business managers know security is serious and data should be protected.
With that said, there were no names or companies mentioned in the report on the study. I don’t think any one of these “leaders” would go public with their thoughts if put on the spot. That is why you have to love anonymous research.

Posted by John Taylor on May 29, 2008 at 08:49 AM PDT #
