The IT industry is slowly becoming a technically solid sector, but until now, it continues to be vulnerable as well. Security incidents are still widely reported in the press. It’s an important topic, and one there are many ways of looking at it. This is I why lead a round table session with nine LeaseWeb customers, where questions were answered about the new Dutch Law on Data Breach Notifications (Meldplicht Datalekken) and participants discussed how to organize a secure online company.
The participants were executives of companies which have IT as a core business, or companies that use IT for their online services. They were joined by LeaseWeb founders Laurens Rosenthal and Con Zwinkels, and Jort Kollerie, Enterprise Security Specialist at Dell Security. In addition, IT journalist and security specialist Brenno de Winter shared his experiences about the topic.
The IT Industry remains one of the less mature industries, stated De Winter. ‘One of the most commonly used breaches is discovered in 1996. Isn’t it strange that companies haven’t formulated an answer to a twenty years old security breach?’ According to De Winter, finding data breaches and exploiting them is not as complicated as many people think: ‘Most of the time a data breach is a simple flaw in the code.’
Security as a barrier
Measures for better software security are still considered to be a barrier instead of an enabler to make organizations safer and more competitive. Companies are afraid that that adding security will slow down the process of releasing new software, at a time when to market is becoming increasingly important (this is why methods such as Scrum or DevOps are so popular these days).
The Round Table participants agreed that developers simply don’t think about security during the design phase. This was the case thirty years ago, and it still is. ‘If you design a bridge you have to be compliant with all kinds of security requirements. A software developer can do whatever he wants’, one of the participants said.
Law on Data Breach Notifications
This situation will change once the new Dutch Law on Data Breach Notifications is in place. ‘Having a good security policy is no longer a matter of debate. You simply have to have it’, said De Winter. Most of the participants are not fully prepared for the new law. After January 1, 2016, when the law will be in force, the consequences of a data breach will be substantial, however. A company will risk a fine with a maximum of 820,000 euro if it loses personal customer data.
It seems appropriate to raise the question whether companies have to outsource their security or do it themselves. The participants of the Round Table did not agree on this. Some think security is business critical and therefor something to keep in-house. Others argued that security may be business critical, but that in most cases, it is not an organization’s core business. An experienced and specialized company will always be able to do it better, they said.
Never outsource a security policy
The debate at the round table session became more balanced as it continued. Larger IT organizations with sufficient resources and expertise may very well be able to organize protection against cyber criminals and data breaches themselves, while smaller companies with limited resources could benefit from partially outsourcing security. This is because it’s relatively easy to outsource technology. Outsourcing a security policy, which makes employees aware of the risks, is never an option, everyone agreed.
Talking about security is more urgent than ever. It should be a discussion that starts with identifying all risks, then checking those risks on a regular basis and after that verifying if those checks reduce the risks effectively. The process is complete by determining if all risks are controlled or that more checks have to be in place. Decisions then to be made by executives. It’s a discussion that starts and ends in the boardroom.