Channel Daily News

Security and privacy need to come together

Plano, Tex. – The challenges around privacy and protecting personal data in the information age are increasingly tied to technology, particularly when it comes to compliance with regulations such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

However, Peter Reid, chief privacy officer with global technology information provider EDS Corp. (Nasdaq: EDS), said far too many organizations have security and privacy as separate functions, in separate reporting structures. While his primary responsibility is ensuring EDS has policies and procedures in place to protect its employees’ data, he also works with the consulting and sales teams to help them ensure the privacy of client data.

Speaking during a media briefing at the EDS headquarters, Reid said that the security/privacy separation is the biggest challenge he faces when working with EDS clients. Generally the chief security officer (CSO) is part of the IT community and reports to the CIO, while the majority of chief privacy officers (CPOs) come from a legal background; they are attorneys and report to the general counsel.

“One of the challenges I have to address is to make sure the CPO interfaces with the CSO,” said Reid. “My big challenge is to make sure those two groups are communicating.”

With globalization and outsourcing, trans-border data flow is becoming the norm, and with privacy regulations such as PIPEDA and others in Europe requiring organizations to commit to handling data in certain ways, it’s important for that information to flow from the legal side to the IT side.

“Most CIOs are not aware of what they need to do to stay in compliance with these laws,” said Reid.

Internally, the company is eating its own cooking. As EDS chief security and privacy officer, David Morrow has responsibility for IT security, physical security and privacy, as well as crisis management, executive protection and health and safety. Morrow is responsible for setting standards and policies for EDS in all those areas, although the physical security functionality is outsourced as is IT security, in this case to EDS itself.

“In many ways I’m like the CSO at one of our large customers. I set the policies, provide the oversight, get the metrics, and I can feel client pain when talking to other CSOs from clients,” said Morrow. “I tell the CSOs of our clients the only advantage I have is I know where those guys live and I can go stand on their desk and yell at them if I have a problem.”

Morrow’s office is part of a group created a few years ago at EDS called enterprise risk management, which brought privacy, IT security and physical security together into one organization. Bringing those functions together into a single group, said Morrow, leverages the synergies of both groups and overcomes the disadvantages of stovepiping them.

“Different groups talk about different challenges,” said Morrow. “For us, it’s a very strong model.”

As an example, Morrow said that for years the advice of the IT security group to its employees in a Latin American country where EDS has a large data centre was to take their laptops home at night, so they could work from home or elsewhere in case of trouble. However, when a member of the physical security team visited the country, he observed that the crime rate was high and it wasn’t uncommon for drivers to be pulled over and relieved of their laptops and other valuables at gunpoint at a traffic light.

“We’d never thought of that,” said Morrow. “We realized we’re putting our own people, and our data, at greater risk with our standard advice. Until we got those people in the same room we never would have known that.”

In its outsourcing and consulting services EDS is also moving into new areas. While the company previously offered security only as an embedded part of its other technology services, EDS is now beginning to offer security as a separate, discrete offering, said Bryan Palma, vice-president, global information security with EDS.

Helped along by its acquisition of a UK-based integrator that played in the managed security provider space, Palma said EDS is now being called in to consult on application security and identity management, and is offering discrete managed security services such as anti-virus and firewall as a separate service.

“We pulse our clients regularly on what they’re most interested in, and the number one thing was protection/security,” said Palma. “We have 2,500 people dedicated to security services within EDS, giving us a larger size than other players in the space. It’s just a matter of changing market focus.”

Palma said with the consolidation that has been occurring in the security infrastructure space, the market is becoming more suited to a managed services model. He added it’s not threat or fear that is driving interest in security today, but rather more of a business focus.

“The pendulum has swung a little bit. After 2001 the big focus was on security and compliance; many organizations went into lockdown and overdid it,” said Palma. “EDS believes security should enable business. Too many security departments just say no and prevent business; we believe there needs to be a balance.”