
Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved

Last week I had the pleasure of being interviewed by Jay Cline for a Computerworld article he was doing about small companies, such as mine, that provide privacy services to organizations.

The article, "Eight Privacy Firms to Watch" has now been published.

It provides a good look at some of the issues small firms such as mine address and the services we offer, while demonstrating the diversity of privacy issues that organizations must deal with.

Due to space limitations, not all of the information we discussed during our email interview could be included. Here is one of the questions there was not room to address within the article, but it is something very important for organizations to keep in mind when they are developing their privacy programs. In response to the question, "Where do you think the market is going in the next 2 years?" I responded:

"Right now it worries me that so many organizations are purchasing software to put them into what they believe, based upon the vendors' claims, is 100% compliance with data protection laws and contractual requirements. Organizations need to understand that much of the information security and privacy work that needs to be done is people-based: policies, procedures, training, awareness, response activities, and so on.

Yes, many activities *CAN* and should be automated, such as logging access to files with personally identifiable information (PII), intrusion detection, and so on. But there will always be a significant human factor required to achieve effective information security and privacy throughout the enterprise.

Information security and privacy must be incorporated throughout the entire fabric of the enterprise and into the entire SDLC to be effective. I believe there will be more realization over the next two years that information security and privacy cannot be a band-aid add-on after a product or system has been launched; it must be incorporated into the mindset of all personnel.

I believe over the next two years there will be more activity in the market within awareness and training activities and materials, but I also think there will continue to be more vendor software solutions being created and launched claiming to be the ultimate technology solutions for all organizational information protection needs. I hope that organizations will realize that there is no one silver-bullet information security and privacy compliance technology product in existence that can do all their work for them, and there never will be. There will always be the human factor that must be addressed, and technology alone will not meet the human factor requirements and components."

I've written about this many times, but it is worth repeating many times more: technology alone will not solve a company's information security, privacy or compliance challenges and requirements. The human factor is significant and must be addressed.


Comments

I am in total agreement. In fact, many seminars that I have attended recommend that when implementing a process to secure company assets, you should leave the least amount of decision making to the users. Sure security software comes in handy and will help you with the job, but it is highly recommended that companies establish security policies that handle procedures before, after, and during data processing, including what to do in an emergency on top of how to handle data on a day to day basis.

Yes, there will always be responsibilities on the part of the end-users to make free-will decisions on whether or not to follow policies. However, if the tools exist to enforce policy, it is not only good for security and privacy; almost all the end-users I've spoken with say they prefer it that way as well.

Most personnel prefer to have all acceptable activities enforced through technology so they don't have to think about whether they are doing something wrong or not. However, as you know, a great many activities that impact security, such as disposing of printed papers with PII, loading PII on mobile computing devices, opening emails with malicious code, or responding to phishing messages, cannot be completely secured with technology. This highlights the need for good, effective training and ongoing awareness communications and activities.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for the past two decades. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the world's best privacy experts and on their list of the best privacy consulting firms in both 2007 and 2008. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 13th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.