Larry Ponemon is optimistic about the state of cyber-security—but he knows there’s a long road ahead in protecting the privacy and security of users.
Larry Ponemon, chairman of the Visual Privacy Advisory Council and founder of Ponemon Institute, knows a thing or two about data protection and privacy. He’s dedicated his life’s work to these issues. But for Ponemon, privacy is more than a buzzword or trend: He considers privacy a basic human right. As more organizations began to collect personal information on consumers and users, Ponemon realized, early on, that this practice could become a major issue for these organizations and users. Ponemon was right. In this Q&A with CIO Insight, Ponemon discusses who should lead the security charge, how the good guys are getting better at protecting data and how to shore up weak points in an organization.
CIO Insight: What drew you to dedicating your career to information privacy management and data security?
Larry Ponemon: I started my career over 40 years ago as a cryptologist in the Navy. We would monitor communications from different ships around the world – either ensuring the messages were encrypted correctly, or trying to decipher information. That experience exposed me to some interesting aspects of information security. After the Navy, I began to take notice of a schism between legitimate and illegitimate uses of information. I then started to learn more about information ethics and focused on privacy, which seemed like a basic human right to me. A lot of companies were just starting to collect information, and I thought that this could become a crisis issue for both organizations and consumers, which clearly it has.
CIO Insight: How do organizations minimize human error in regard to IT security? Is it a fruitless effort?
Ponemon: Human error is the No. 1 enemy of IT security. More often, we see a good guy doing negligent things rather than a bad guy doing malicious things. For example, an employee gets up from their desk to collect something from the printer and leaves a confidential document displayed on the screen – an easy target for a visual hacker.
The No. 1 tool to minimize human error is training. A lot of organizations don’t make an investment in training, so it is mediocre at best. Training should focus on policies and procedures, and alert employees to threats – such as visual hacking – and the technology in place to mitigate it.
CIO Insight: Is IT security resiliency the responsibility of a few or the responsibility of all?
Ponemon: Resiliency is something that all managers and C-level employees need to be thinking about. It is too great of a risk to allow one person to manage the whole program; it takes a whole group of like-minded individuals to collaborate and improve. However, it can be beneficial to have one person as the leader of the group, and that should be the CISO.
CIO Insight: Who has the upper hand? Those working to protect data, or those looking to compromise it?
Ponemon: Organizations today are constantly under attack. With stories in the news every week about a security breach, it seems like the people who want to compromise data security are winning. But in reality, it is a mixed bag. The good guys that are working to protect data are getting better at it, too. There is a lot of innovation and improvement in next-generation security tools being developed. This can help organizations identify vulnerabilities proactively so they can fortify and monitor.
CIO Insight: As organizations retain more data and provide more touch points for users via mobile devices, mobile apps and connected devices (IoT), it seems the surface area exposed to potential cyber-attacks is rapidly increasing. How do organizations identify a weak point before the wrong person does?
Ponemon: The IoT was built with convenience in mind, not security. Developers are working to identify weak points in their systems or products and fortify them, and over time there will be standards and regulations.
CIO Insight: Are you optimistic about the state of IT security, or should the world gird itself for more Wild West scenarios?
Ponemon: There is no doubt we will see more Wild West scenarios, but in general, the state of security innovation is improving. Things that used to be impossible to control are able to be controlled now. We are seeing more proactive protection of information, which will only continue to improve.
CIO Insight: What can CIOs and IT security leaders do to reassure their stakeholders that they have security under control?
Ponemon: Unfortunately, if a CIO or IT security leader broadcasts that their information security is top notch, they can invite an attack from a hacker looking to prove them wrong. Instead of advertising to stakeholders how great your security protocols are, show them. Customers want to see sophisticated security protocols in their day-to-day interactions with a company. This can come in the form of complex passwords, biometric requirements or authentication. As long as a company demonstrates good security protocols, stakeholders will be reassured.
Staying apprised of security and privacy threats can help CISOs determine best practices in an evolving landscape. Joining thought leadership groups, such as the Visual Privacy Advisory Council, can help CISOs and security advisors share protocols and learnings with like-minded individuals.
Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. He also serves as the chairman for the Visual Privacy Advisory Council (VPAC), a panel of privacy and security experts representing major business and governmental entities. VPAC recommends policies, tools and best practices to protect organizations from the loss of sensitive, private and confidential information as a result of visual hacking. Members represent the VPAC by speaking at conferences and events, authoring articles and sharing their professional experience in privacy protection and policy.