Washington Post VP Addresses IT Conference
Bryan Miller of Virginia Commonwealth University addresses a breakout session. -- VMI Photo by John Robertson IV.
LEXINGTON, Va., Oct. 9, 2012 – In dealing with information security issues, it’s vital to know your company, its culture and its appetite for risk, along with factors that can mitigate that risk, in a world in which threats can change daily or even hourly.
Stacey Halota, vice president of information security and privacy at the Washington Post Co., shared that message with information security professionals during the Virginia Alliance for Secure Computing and Networking conference held at VMI Oct. 9-10.
This year’s conference, which drew an audience of 145 professionals from higher education, private industry, and government, bore the title, “Securing the Future: BYOD and Beyond.” BYOD stands for bring your own device – with a device being anything from a laptop computer to an iPad to an Android phone. With the trends of both BYOD and data storage on remote “cloud” servers growing, Halota chose to speak on the topic, “BYOD and Cloud: Getting Your House in Order.”
Halota began her remarks with a stark reminder of how much an information security breach can cost – roughly $5 million per episode, according to a study by the Ponemon Institute.
Much of Halota’s speech focused on the need for information security professionals to be aware of potentially troublesome issues related to cloud storage. Halota reminded her audience that it’s critical to know where data is stored, whether on the cloud or off, and how it’s backed up. Sometimes, she pointed out, storing data on the cloud doesn’t make sense financially when extra security costs are factored in.
Furthermore, she noted, cloud storage and data accessibility are affected by a host of federal privacy laws, some applying to all companies and others applying only to specific industries. “Every time we do an outsourcing … we have to take a look at the privacy laws,” Halota said.
Complicating these privacy laws are other laws which mandate that a cloud service provider hand over a company’s data in response to a subpoena – and in at least some instances, there is no legal requirement that the company be notified that the data has been handed over to a third party.
Halota urged her audience to make sure there is a legal obligation that they be notified when data is shared with a third party. It’s important to know “who keeps the keys” when sensitive data moves to the cloud, she argued.
Halota also spoke about the rising popularity of applications for mobile devices, and the risks, such as viruses, that the use of these applications can present. With 10.9 billion mobile applications downloaded in 2010 alone, “This is definitely a huge, booming industry,” Halota said.
She offered a bevy of questions for her listeners to ponder, such as whether application use should be limited, and whether a company should consider getting a security add-on for mobile devices.
Halota concluded her remarks with a reminder that educating employees about information security issues should be an ongoing effort, and it can take the form of anything from a brown bag lunch to online training for software developers.
“Regular communication is critical,” she said.