12 Nov 2009
V3.co.uk: How do you think the problem of information
overload has contributed to poor information security?
Mike Maddison: It’s been a fairly recurring theme of the past few
years. A few years ago it was all about availability, with worms taking down
networks. More recently, it’s shifted to confidentiality of information and
organisations realising that information has an intrinsic value and is being
targeted by groups. We’ve worked with every sector looking at information
protection, and we’ve found in all sectors a huge amount of information has been
retained, and duplicated within organisations, often for good reasons, and some
of that information could be considered sensitive. So there has been a growth in
retention of information often without any information governance strategy.
But are organisations getting there now?
MM: Yes – now there’s a recognition, and not just a technical
one by IT, but a board level agenda. It’s driving interesting behaviours in
organisations, because it’s happening higher up the food chain than previously.
I’m optimistic because there’s a recognition that information security needs to
be embedded in the day-to-day running of the business. The role of information
protection is more visible too, as is the role of risk management. You just have
to look at the number of CISO [chief information security officer] roles at a
senior reporting level that there are now.
What is driving a greater awareness of information protection?
MM: The PCI Data Security Standard has done a lot to
raise awareness among organisations that haven’t necessarily invested in security
before. It has added to the whole tone and tenor of what people need to do
about data protection. There are large-scale privacy initiatives in a number of
organisations now, whether it has been driven by the Financial Services
Authority (FSA), the Data Protection Act or PCI. But there is still a challenge
they face in understanding what information they hold – this is not just
sensitive personal information either but corporate information – and where it
flows out to the extended enterprise. It’s a big problem.
Why have security incidents still been happening, even with all the
publicity they’re getting?
Steve Cummings: I think with organisations it’s
possible that the people who work with the data don’t recognise the value and
importance if they deal with the stuff every day. They take it for granted and
that needs to be recognised internally – organisations must put programmes in
place to ensure the people who work there do recognise this. We’re seeing a kind
of stick and carrot approach being adopted by many, so they will reward good
behaviour with data and also enforce a system of compliance to make it clear
that if something is done in the wrong way there will be consequences.
So education is the most important aspect?
MM: Yes, the right processes and technologies should underpin
it but there needs to be an education piece embedded in the day-to-day
operations. Unfortunately, the credit crunch has probably had an impact on that.
Where organisations fail is when they do a one-off shot, especially on the
awareness piece. If it’s not embedded and doesn’t happen on a regular basis
they’re setting themselves up to fail.
SC: Most responses to government data breaches have been about cultural change, because the technology is already in place there. It’s about getting everyone at the right levels to understand this and act responsibly.