Here's an article from The Economist that nicely captures the sea change around data protection. It posits that safeguarding of identity assets has become “a business issue” on the “corporate agenda” rather than simply an aspect of IT operations…
IT NEVER rains but it pours. Just as bosses and boards had finally sorted out their worst accounting and compliance troubles, and beefed up their feeble corporate governance, a new problem threatens to earn themespecially in Americathe sort of nasty headlines that inevitably lead to heads rolling in the executive suite: data insecurity. Left, until now, to geeky, low-level IT staff to put right, and seen as a concern only of data-rich industries such as banking, telecoms and air travel, information protection is now high on the boss's agenda in businesses of every variety.
Bosses, according to the piece, need to put risk-management processes in place:
“Boards should pay as much attention to these IT operational risks as they do to other operational risks in the firm, argues George Westerman of the MIT Sloan School of Management. After all, boards have audit committees and compensation committees. It may be time for a data-protection committee, he argues. Bosses must ensure that there are effective data risk-management processes in place, be aware of their greatest vulnerabilities and promote a corporate culture that acknowledges data risks rather than hides them.
But there is a catch:
… the problem is often a lack of understanding by senior managers not just of technology but of business processes, says Thomas Parenty, author of Digital Defense: What You Should Know About Protecting Your Company's Assets (Harvard Business School Press, 2003). No one in the organisation bothers to look at the value of what data they hold, the consequences if something bad happens to it, and the appropriate mechanisms to prevent that from happening, he says.
The bottom line seems to be litigation:
Many of the worst recent data leakages resulted from failure of the most basic kind. The data-processing firm that suffered the breach that exposed 40m credit-card accounts was not in compliance with the security standards of Visa and MasterCardwhich may now find themselves liable for negligence. If nothing else gets bosses to focus on data security, surely the prospect of ending up in court will.
I'll be curious to see how you put a price tag on an information catastrophe.