|
Spreading the Word
Most risk experts believe that every company will eventually experience a data breach. Perhaps with this in mind, all large enterprises have incident response plans (though sadly, only 50% of these plans are tested on an annual basis). Few midmarket enterprises have incident response plans at all.
Thus, before a breach happens, there are some steps you need to take.
First, get a handle on the personally identifiable information (PII) swirling around your enterprise. PII encompasses any data that can be linked to a unique person. Your enterprise must maintain strict control over the access, distribution and destruction of PII. It's not enough just to have policies or even effective processes in place. You also need to create an institutional awareness that PII is one of the most important assets in an organization and ensure that policies are adhered to.
Next, take advantage of the knowledge of those with privacy expertise. Contact your strategic vendors and ask how they address the issue. Ask their chief privacy officers for help. Michelle Kennedy, the CPO at Sun Microsystems Inc., and Peter Cullen, the CPO at Microsoft, are among the privacy thought leaders who use white papers and other information to share their expertise.
The bottom line is that you need policies, practices and enterprise-wide commitment to manage the full lifecycle of PII. If you don't, you may find your CIO world turned upside down.
Thornton May is a respected futurist, adviser and educator whose insights on IT strategy have appeared in Harvard Business Review, The Wall Street Journal, BusinessWeek and numerous computer industry publications. To comment on this story, email editor@ciodecisions.com.
|
