February 18, 2009
Interview by Scott Harrer
Brand Director, Tiversa, Inc.

"I think that the P2P risk issue is a 'sleeper.' Even sophisticated corporations and other institutions have not yet realized the significance of its risks... Tiversa found a way to mitigate the risks...and I don't believe any other companies out there were perceptive enough to do so."


About the Executive Visionary Series
This Tiversa segment is a thought-provoking new series featuring interviews with industry innovators who are leading their organizations in new directions in privacy, information security, and risk management.
SH: Kim, before we get started, Tiversa would like to thank you for taking the time to chat with us as the very first featured guest in our new Executive Visionary Series.
As Chief Privacy Officer at Highmark, could you briefly describe your role and daily responsibilities?
KG: Daily responsibilities are next to impossible to describe – there really is no such thing, as what I do on any given day varies tremendously. I could be doing anything from traveling to Capitol Hill to meet with Senate and House staffers to discuss proposed legislation, to overseeing a corporate project related to privacy or information security, to training consultants or employees as to policies and procedures, to meeting with executive management regarding how to safeguard proprietary information.
This position is responsible for the following:
- Oversee the corporate privacy compliance program, functioning as an independent and objective body that reviews and evaluates privacy issues within the organization.
- Ensure that executive management and the Board of Directors are aware of any significant privacy compliance concerns and that behavior in the organization meets the corporation’s Privacy Code of Conduct, privacy policies and procedures, all relevant privacy laws, rules and regulations (state, federal and international), ethical guidelines, accreditation mandates and industry standards.
- Identify legal and business strategies and exercise sound judgment to promote cost-efficient use of internal and external resources.
- Oversee safeguarding of confidential information (i.e., members’ individually identifiable confidential information and corporate proprietary, human resources, financial, account and provider information) of Highmark and its subsidiaries and affiliates.
- Oversee the privacy-related activities for all majority- and wholly-owned subsidiaries and affiliates.
- Oversee a complaint office that investigates and resolves breach of privacy complaints related to Highmark or its providers.
- Set strategic direction and analyze issues related to information security law and policy, physical security law and policy, and cyber law and policy.
SH: Very interesting, Kim...that's a huge responsibility. You mentioned safeguarding confidential data...as an industry expert in privacy and security, what concerns do you have regarding the daily exchange of sensitive data?
KG: My greatest concern is the safeguarding of confidential data once it leaves Highmark’s perimeter. While I believe that our CIO and his team have done a wonderful job of protecting the availability, confidentiality and integrity of data within our company, we must rely upon the security practices of others when that data is exchanged.
SH: Larry Ponemon, chairman and founder of The Ponemon Institute, has been quoted as saying "many of the measures we were told companies are taking to prevent data loss through P2P networks, such as firewalls, ID management, and monitoring of the World Wide Web, are completely ineffective against P2P file sharing disclosures."
While these existing measures are certainly needed, Tiversa's daily work confirms the fact that they are not effective when dealing with P2P disclosures. Would you agree with these statements? If so, please elaborate.
KG: First of all, let me congratulate Larry Ponemon for filling a needed niche within the privacy world. I have the utmost respect for the invaluable studies that have come from the Ponemon Institute.
Second, I must concur with Larry for what I believe to be obvious reasons. Many companies have installed state-of-the-art security measures to protect their confidential information. However, these companies cannot fully control human nature and human error, nor do these technical safeguards protect data outside of the perimeter. Once information has gone beyond the corporate “walls,” a company must rely upon the persons then holding the information. Many times these companies are naïve when it comes to information security and many times the individuals handling this information do not realize the risks and dangers. I have found that most individuals have no idea that they may be running a file-sharing program on their home computer that may make their confidential documents vulnerable – including work they may have emailed to themselves at home.
SH: Wow. That's exactly what we see on a daily basis at Tiversa. It's about much more than protecting an organization's "four walls". What are your thoughts on P2P and when did you first realize P2P file sharing was a major risk that Highmark should investigate?
KG: I think that the P2P risk issue is a “sleeper.” Even sophisticated corporations and other institutions have not yet realized the significance of its risks. As more and more cases of P2P data aggregator crime are perpetuated, however, more companies will begin realizing the need to mitigate this risk.
The risk was first brought to my attention a couple of years ago when P2P fraud first made national news. Shortly thereafter, Highmark talked to Tiversa about its services and after our initial meeting and document review, Highmark determined that this was a risk we needed to address.
SH: Our recent research confirms that a large percentage (93%) of file disclosures are continuing to occur outside the corporate perimeter (what we refer to as the Extended Enterprise). Would you agree that the Extended Enterprise poses a significant threat?
KG: Absolutely. It’s difficult to control what happens with data once it leaves the corporate perimeter. All the contract terms in the world can’t help to protect data passing from one entity to another if they’re not followed. Performing due diligence and assessment of a business partner’s security practices and policies won’t always ascertain information security weaknesses. Human error usually can’t be anticipated. And once a data compromise occurs, it’s usually too late to fully mitigate all harm.
SH: Can you speak about the steps you've taken at Highmark to mitigate this threat?
KG: Highmark has engaged Tiversa’s services to monitor traffic on the P2P network and to report back to us when potential vulnerabilities are spotted. That allows Highmark to educate its business partners, vendors and others as to the risks that they may be carrying that might affect Highmark – and might affect themselves. Even if a relatively harmless file is found on the P2P network that was inadvertently released by a business associate, Highmark’s notification to that business associate can assuage risk for both Highmark and the business associate. I look at it as perhaps patching a crack before it becomes a bigger crevice.
SH: Kim, years ago, you had the foresight to spearhead the Unique Member Identifier project, which was designed to prevent identity theft. Do you see a direct correlation between the risks posed by the Extended Enterprise and new methods of identity theft?
KG: While the Unique Member Identifier (UMI) project addressed placing Social Security numbers on identification (ID) cards, it clearly also addressed the risks associated with identity theft that could therefore follow. Social Security numbers are probably the single most sensitive piece of information about a person in the United States today and are the most beneficial for a “fraudster” to obtain. I would imagine obtaining Social Security numbers is the greatest means for committing ID theft today.
Now, fast forward a few years – will information retrieved by fraudsters on the P2P network become the means to the greatest number of cases of ID theft? Perhaps. Not only will information found traversing the P2P network often include Social Security numbers, but it may contain such incredible volumes of other information about an individual that may include identifiers and other personal information we haven’t even yet considered.
SH: You're right about that. There is a tremendous amount of information being shared inadvertently; we've seen millions of disclosures occur. Many more than reported in the media. What drove you to ultimately work with Tiversa?
KG: Tiversa found a way to mitigate the risks inherent in the P2P network, and I don’t believe any other companies out there were perceptive enough to do so. To me, that’s forward thinking and something that other companies will soon try to mimic. Tiversa’s staff members have been professional to work with and prompt in their reporting.
SH: What does the future of enterprise privacy and security look like?
KG: If I could look into the crystal ball and predict the future of enterprise privacy and security, I would be out there creating my own company and retiring at an early age! I think enterprise security necessarily evolves on a need-driven basis, usually as a result of crime or other bad behavior. It’s somewhat of a game of cat and mouse.
SH: Kim, it's been great catching up with you. Thanks again, I think you provided invaluable insight into P2P-related risk and the value in being able to address data in the Extended Enterprise.