Is it possible to protect something if you aren't sure what you are protecting?
Well, a new survey from global consulting company Protiviti shows that IT managers are trying to do just that: protect data without really understanding what is and isn't sensitive information.
The report, "The Current State of IT Security and Privacy Policies and Practices," asked more than 100 IT executives and professionals how their organizations classify and manage the data they accumulate. Specifically, the survey asked the managers how they handle the security of sensitive data to ensure customer privacy as well as comply with federal and state privacy laws and regulations. The results, according to a release:
Twenty-three percent of respondents said their senior management appears to have "limited or no understanding" of the difference between sensitive information and other data. Only 26 percent believe their senior management has an "excellent" understanding of these differences.
I wonder where the other half falls. Do they have some understanding of what makes up sensitive data in their organization? They must know something because 69 percent of companies in the study report having a clear data classification policy to categorize information (sensitive, confidential, public, etc.). On the other hand, only half have a specific plan in place to classify this information. Of course, for me, it goes back to my earlier question: Is it possible to protect the data properly if you aren't sure exactly what you should be protecting?
Cal Slemp, managing director and head of Protiviti's IT Security and Privacy practice, said in a statement:
This basic understanding of what constitutes 'sensitive' is absolutely critical because it sets the tone for how data is treated in every phase of its lifecycle from collection to destruction. Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks. It is our view that data with different sensitivity needs to be treated differently from an information security perspective. In addition, knowing what to keep and what to purge also helps organizations avoid falling into a default process of 'saving everything forever,' which comes with its own costs and risks.
Slemp's words echo my own thoughts on the issue. And doesn't it all come down to education? It's important to make sure that everyone within the organization is on the same page when it comes to the definition and the security of sensitive data.