The International Journal of the Business Espionage Controls & Countermeasures Association (BECCA) ISSN 2168-9741 (International Standard Serial Number) Journal@BECCA-online.org
A Mandate — Develop Actionable, Full-Spectrum Information Protection Plans
By Matthew Wilson, CCO, PMP
More than ever, the assault on critical organizational information and personal privacy requires awareness and defense across multiple domains and security disciplines. The explosive growth of information technology in past decades has proliferated and scattered government, corporate, and private information — much of it landing in vulnerable locations. The protection of information transported by and residing on information technology systems is the focus of much of the information security profession. However, the volume of critically private information resting in unanticipated places is significant.
Think of (or imagine) a time before computers were so prolific. The vulnerabilities to information that existed then included a lack of adequate physical cover and access control, improper use of transmission systems, and loose talk, just to name a few. The fact is, all of these vulnerabilities continue to exist today. These often-forgotten vulnerabilities require the same aggressive application of protective measures as is being practiced by many of today’s information security professionals. While system patches and password protocols are vitally important, only full-spectrum information protection plans can achieve the necessary level of protection for an organization’s critical information.
Development of specific and actionable information protection plans is as important as applying information security measures across the entire spectrum. Successful plans adequately inform an enterprise as to the Who, What, When, Where, and Why (5Ws) of the plan as a whole and of each protective measure individually. In too many historical examples, an organization’s plan to protect information has rarely gone deeper than the handful of PowerPoint slides used to inform leadership or gain their approval on a way ahead. These products lack the detail and fidelity required for translation into distinct and accountable actions across the enterprise.
In a general sense, Information Security professionals identify information requiring protection, assess the capabilities of competitors and wrongdoers to obtain the information, and develop measures to protect the information. Organizations need to look closely at these measures and assess how actionable they are. Many measures are near the mark with respect to the “What,” but lack enough detail on the remaining 4Ws to ensure the successful protection of the information. For example, a measure that states, “Reduce visibility of sensitive events” is a solid step in the correct direction to protect critical information: the “What” is being addressed. However, too much detail is left to chance and interpretation. Who specifically will conduct the measure? When is the exact period during which the measure will be conducted? Where exactly are the locations of the events? Why ultimately are we executing this measure — to protect which specific piece of information? The most likely outcome of failure to plan at this level of detail is non-execution of the desired measure. It could be as simple as people assuming someone else will execute the measure. More damaging, unintended consequences of poor information protection planning include inadvertently placing other information at increased risk or misallocation of time and money spent implementing misinterpreted measures.
More than most, the Certified Confidentiality Officer (CCO) community can contribute to the successful development and execution of actionable, full-spectrum information protection plans. The integration of our Information Security, Counterintelligence, and Business Espionage skillsets is a force multiplier in all planning evolutions.
The BECCA Journal is a peer-reviewed publication. Members use the Journal to publish research papers and other materials as part of their academic pursuits in degree programs, to enhance their careers in the public and private sectors, and for other purposes as they see fit.
The International Journal of the Business Espionage Controls & Countermeasures Association (BECCA) is concerned with security issues involved in identifying and preventing business espionage in the global business community and the advancement of the free exchange of research and knowledge in the field. We invite white papers, research papers, opinion papers, manuscripts, reports, and reviews of tests, books, and other media of interest to practitioners and scholars of the Four Faces of Business Espionage controls and countermeasures, and related security topics. The Journal will consider only original and unpublished materials not under current consideration by others.
Submission: Electronic format via email.
Manuscript Preparation: Double-spaced, using Microsoft Word, Times Roman or Arial, 12 pt. preferred.
Style: Manuscripts should conform to the Chicago Manual of Style.
Title Page: Title page should show tentative title and list names of all of the authors, their affiliations, addresses and contact information, and disclose any financial support and sources of sponsorship, when applicable. If the paper was presented, the name of the organization, location and date of the presentation.
Abstract: Submitted with the manuscript and stating the issue or problem, research method, and conclusion. Include the number of pages and word count. (Approximate length of abstract: 120-150 words.)
Reviews: Book and other reviews of recently published works should list title, author, publisher, date of publication, number of pages, ISBN, cost, and reference citations.
Length of Manuscript: Open, depending on the subject, content, and depth of study.
It is the author’s responsibility to acknowledge all sources of included materials and credit all sources, references, quotations, charts, graphs, tables, etc. Authors are responsible for obtaining permissions and/or licensing from the original authors.
Citations: All sources in the text (in parentheses) should include names of authors, year of publication, and page numbers, where applicable.
References: An alphabetical list of all references should appear at the end of the manuscript.
Footnotes: Used for comments only, numbered consecutively, and at the bottom of each page.
Proposals and Queries: Should include a tentative title, subject, a brief description, and a one-page bio of the author.
Submissions will undergo a peer-review process. The Editor of the Journal will review submissions for content and forward them for review.