The Certified Confidentiality Officer (CCO) Program
Develop Actionable, Full-Spectrum Information Protection Plans
by Matthew Wilson, CCO, PMP
More than ever, the assault on critical organizational information and personal privacy requires awareness and defense across multiple domains and security disciplines. The explosive growth of information technology in past decades has proliferated and scattered government, corporate, and private information — much of it landing in vulnerable locations. The protection of information in transit and at rest on information technology systems is the focus of much of the information security profession. However, the volume of critically private information resting in unanticipated places is significant. Think of (or imagine) a time before computers were so prevalent. The vulnerabilities to information that existed then included a lack of adequate physical cover and access control, improper use of transmission systems, and loose talk, just to name a few. The fact is, all of these vulnerabilities continue to exist today. These often-forgotten vulnerabilities require the same aggressive application of protective measures as the campaigns being waged by many of today’s information security professionals. While system patches and password protocols are vitally important, only full-spectrum information protection plans can achieve the necessary level of protection for an organization’s critical information.
Development of specific and actionable information protection plans is equally important as applying information security measures across the entire spectrum. Successful plans adequately inform an enterprise as to the Who, What, When, Where, and Why (5Ws) of the plan as a whole and of each protective measure individually. In too many historical examples, an organization’s plan to protect information has rarely gone deeper than the handful of PowerPoint slides used to inform leadership or gain their approval on a way ahead. Such products lack the detail and fidelity required for translation into distinct and accountable actions across the enterprise.
In a general sense, Information Security professionals identify information requiring protection, assess the capabilities of competitors and wrongdoers to obtain that information, and develop measures to protect it. Organizations need to look closely at these measures and assess how actionable they are. Many measures are near the mark with respect to the “What,” but lack enough detail on the remaining 4Ws to ensure the successful protection of the information. For example, a measure that states, “Reduce visibility of sensitive events” is a solid step in the correct direction to protect critical information: the “What” is being addressed. However, too much detail is left to chance and interpretation. Who specifically will conduct the measure? When is the exact period during which the measure will be conducted? Where exactly are the locations of the events? Why ultimately are we executing this measure — to protect which specific piece of information? The most likely outcome of failure to plan at this level of detail is non-execution of the desired measure. It could be as simple as people assuming someone else will execute the measure. More damaging, unintended consequences of poor information protection planning include inadvertently placing other information at increased risk, or misallocating time and money implementing misinterpreted measures.
More than most, the Certified Confidentiality Officer (CCO) community can contribute to the successful development and execution of actionable, full-spectrum information protection plans. The integration of our Information Security, Counterintelligence, and Business Espionage skillsets is a force multiplier in all planning evolutions.