A new context for data protection

Experts gathered for the ongoing InfoWorld Enterprise Data Protection Forum in New York today said that companies need to get a better handle on all the factors that make their sensitive information susceptible to attack and become more proactive with their overall defensive strategies if they are to improve on their current security status.

In a panel presentation featuring leading security executives and consultants, experts highlighted a need for businesses to study all the elements that contribute to classifying their most valuable information as truly sensitive.

Protecting records whose value is immediately apparent -- such as social security and credit card numbers -- isn't enough as companies must also shroud any related data that can be used to create an individual profile that could be used to carry out identity theft or other forms of fraud, the speakers said.

By defending all the contextual data that can be used to create such a picture, enterprises can greatly reduce their risk and move beyond more obvious strategizing, said C. Warren Axelrod, chief privacy officer at financial services giant U.S. Trust.

"What's interesting in financial services is that it is the combination of data that becomes valuable information when it comes together to create an identity," Axelrod said. "If you are just going to file away social security numbers with no way to tie them to identity, they're actually pretty innocuous; but even if you just have a way to associate that information to a phone number or other data, someone can put things together."

Axelrod said for the record that "data protection is a contradiction in terms," and that the process will never be perfected, based on the nature of IT systems and the need for businesses to easy retain access to important information. 

The only way to effectively improve data security is to create a governance hierarchy that allows IT workers to better classify all types of information and to elevate protection of anything that can be used to create an individual portrait, he said.

IT consultants agreed, saying that they are advising their customers to use contextual data to help carry out their regulatory compliance projects with greater efficacy.

"It's the context that data is used in that qualifies it for regulatory oversight," said Peter Robinson, senior manager for financial services information security at BearingPoint. "You have to protect both the data and all this other information."

Perhaps the biggest challenge facing enterprises today in improving their overall data security strategy is becoming more proactive about trying to expect attempted misuse or theft of information, and putting more intelligent tools in place to defend themselves before those situations arise, said Pamela Fusco, chief security strategist at consultancy FishNet.

Fusco, who chaired the panel, is also a former chief security officer at financial services bellwether Citigroup.

"We don't write a law unless something happens first, as with seat belt laws. We write regulations because something happens, but those are reactive," Fusco said. "Most consultants feel as if we're in reactive versus proactive mode for data protection and integrity."