strategy+business is published by PwC Strategy& LLC.
strategy+business / Autumn 2006 / Issue 44 (originally published by Booz & Company)


Looking for Privacy in All the Wrong Places

Moreover, encryption of stored data carries significant risks. If decryption of data in transit fails and the message comes out as garbage, the sender can simply resend it. But when an encrypted disk drive can no longer be decrypted (in practice because the key was lost or corrupted, an infrequent but nonetheless disturbing prospect), in most cases nothing can be done unless a backup exists elsewhere or a copy of the key was escrowed when the drive was encrypted. Few IT executives would relish telling a user that the 40 gigabytes of data on his or her laptop are unrecoverable. Encryption can also slow PC performance by anywhere from 1 to 20 percent, depending on the implementation, so user dissatisfaction can become a significant issue.
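The unrecoverable-laptop scenario above is a key-management failure, not a decryption failure, and the usual remedy is to wrap the disk's data key a second time under a key held by IT. The following stand-alone Python sketch is an added illustration, not code from the original article or from any product it refers to: it encrypts data under a random data key, stores that key in a user-passphrase slot and an escrow slot, and shows which unlock paths survive a forgotten passphrase. The cipher (HMAC-SHA256 in counter mode with an HMAC tag) is a constructed stand-in for a real authenticated cipher such as AES-GCM so that the example runs with the standard library alone; the slot layout, function names and PBKDF2 work factor are this example's own assumptions, and the sample data is constructed.

```python
"""Constructed example: encrypted volume with a passphrase slot and an escrow slot.
The HMAC-SHA256 counter-mode cipher is a stand-in for a real AEAD such as
AES-GCM and is not for production use."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

KEY_LEN = 32            # bytes
NONCE_LEN = 16          # bytes
TAG_LEN = 32            # SHA-256 output
PBKDF2_ITERS = 100_000  # assumed work factor; tune for the target hardware


class DecryptionError(Exception):
    """Tag mismatch: wrong key or tampered ciphertext. No plaintext is returned."""


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(enc_key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. A wrong key raises instead of
    returning a 'mishmash' that a caller might mistake for real data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptionError("authentication failed: wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key from the user's passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERS, KEY_LEN)


def create_volume(plaintext: bytes, passphrase: str, escrow_key: Optional[bytes]) -> dict:
    """Encrypt the data under a random data key, then wrap that key once per
    unlock path. Without an escrow slot the passphrase is the only way in."""
    data_key = secrets.token_bytes(KEY_LEN)
    salt = os.urandom(16)
    volume = {"salt": salt,
              "slot_user": seal(derive_kek(passphrase, salt), data_key),
              "data": seal(data_key, plaintext)}
    if escrow_key is not None:                      # escrow key lives with IT, not on the laptop
        volume["slot_escrow"] = seal(escrow_key, data_key)
    return volume


def unlock_with_passphrase(volume: dict, passphrase: str) -> bytes:
    data_key = unseal(derive_kek(passphrase, volume["salt"]), volume["slot_user"])
    return unseal(data_key, volume["data"])


def unlock_with_escrow(volume: dict, escrow_key: bytes) -> bytes:
    if "slot_escrow" not in volume:
        raise DecryptionError("no escrow slot: unrecoverable without the passphrase")
    data_key = unseal(escrow_key, volume["slot_escrow"])
    return unseal(data_key, volume["data"])


def recovery_outcomes(plaintext: bytes, passphrase: str) -> dict:
    """Forgotten-passphrase scenario, with and without an escrow slot."""
    escrow_key = secrets.token_bytes(KEY_LEN)
    with_escrow = create_volume(plaintext, passphrase, escrow_key)
    without_escrow = create_volume(plaintext, passphrase, None)

    def attempt(fn, *args):
        try:
            return fn(*args) == plaintext
        except DecryptionError:
            return False

    return {"correct_passphrase": attempt(unlock_with_passphrase, with_escrow, passphrase),
            "wrong_passphrase": attempt(unlock_with_passphrase, with_escrow, passphrase + "x"),
            "escrow_after_loss": attempt(unlock_with_escrow, with_escrow, escrow_key),
            "no_escrow_after_loss": attempt(unlock_with_escrow, without_escrow, escrow_key)}


if __name__ == "__main__":
    sample = b"constructed sample: stands in for 40 GB of laptop data"   # constructed input
    print(recovery_outcomes(sample, "correct horse battery staple"))
```

Two points carry over to real products. First, the escrow slot is what a recovery key in BitLocker or a second key slot in LUKS provides; the backup that saves the user need not be an unencrypted copy of the data, only a second, separately held way to reach the data key. Second, because the tag is checked before anything is decrypted, a wrong key fails cleanly rather than producing the "mishmash" the article describes, so corrupted output can never be mistaken for the real file and written back over it.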

But those problems are minor compared to the threat of data theft. With breaches occurring literally every week, few senior managers can afford to do nothing. The situation is analogous to that of the late 1990s, when the Y2K threat presented an IT problem urgent enough to require senior management involvement to marshal the resources necessary to complete the task.

If protecting static data isn’t already a high priority for corporate leaders, it needs to become one — and fast. Theft of data can be catastrophic: It can destroy the trust a company has built with its customers, negatively affect earnings, and result in intervention by regulators or prosecutors, which could be costly. With so much at stake, the responsibility for leading the effort to safeguard confidential information must reside at the highest levels of the organization.

To minimize data theft, CEOs should oversee an enterprise-wide initiative that includes:

• Implementing stringent corporate information retention policies and processes. These rules should state explicitly what data can be stored, where it can be stored (on PCs, laptops, PDAs, etc.), and how (encrypted or not) it should be stored. The policies need to address all types of data (customer, employee, and supplier records), not just financial information, and they should include guidelines for disposing of obsolete information as soon as it is no longer needed, to reduce the amount of information stored.

• Allocating resources, such as money, staff, and time. This will likely require postponing other IT work. CEOs must be vigilant that the data security program is never put on the back burner while more popular projects are completed.

• Running interference. Users need to be told explicitly that the decision to protect sensitive data comes from the CEO and that IT management is simply the CEO’s agent for implementation.

The best guess is that in five to seven years, all data — be it stored in a data center, on tapes sent by messenger to off-site storage, on laptops, cell phones, PDAs, or who knows where — will be encrypted. But before then, many organizations will suffer embarrassing data losses and information theft. Smart CEOs will act now before they are victimized; others will pay the price for dismissing the vital importance of keeping data private.

Author Profile:

George Tillmann ([email protected]) recently retired from Booz Allen Hamilton, where he was a vice president. He spent his first 17 years at the firm as a management consultant specializing in information technology and his last five years as its chief information officer. He now helps CIOs manage their IT organizations.