ZeroPoint Risk Research, LLC

Let me put on the table a conversation I recently had with my (just turned) 13 year-old daughter.  My daughter was asking if we could upgrade our cell phone plan to include unlimited TXTing.  My response to her was this, “Why not just use some of the minutes and call your friends when you have reached your TXT limit?”

Her response, and I bet many of you already know what it was, “Dad, we just don’t do that, we talk via TXT.”  And yes, that was, in fact, the entirety of the conversation.  Oh how I long for the days when we tied a string between two tin cans…

Communication.  How we, as humans, communicate has changed over the years.  I have distinct memories of using a tin can or cup phone.  I also vividly remember my first walkie-talkies and how cool they were.  And a great way to kill time on a 3-hour ride north to go skiing… listening to my Dad trying to find out where all the “smokies” were on the highway using his CB Radio.

Fast forward a “few” years.  I remember seeing my first cell phone.  It came in a big bag and often got tossed in the trunk of a car.  If you want to travel back in time, take a look at this:  http://en.wikipedia.org/wiki/File:Motorola2950.jpg

Flip phones, Star-Tac, Blackberry, iPhone, Android, etc…  Technology clearly has changed how we communicate with each other.  Technology has made communication much easier.  And swifter.  And, in many cases, more efficient.

However, what the technology has NOT done for us is to improve upon our own inherent communication abilities.  Technology can’t (always) make it easier to understand issues.  To get at root causes.  To not only hear what someone is saying but to digest and completely understand what they are saying, even if only spoken with body language.

Why is this important, and what does it have to do with Risk Management, Privacy, and other significant areas of concern for any organization?  If decision makers and anyone providing information to you are not successful at truly communicating what is important, or what is needed, how can you adequately plan, manage risk, avoid data breaches, etc.?

You can’t.

If your CTO is not communicating to you the impact of the economy on financial resources for your organization, how are you able to understand why choices are being made to not implement critical projects/initiatives (i.e., Security Information and Event Management, Control of Cloud Computing, Risk Rated SLA and Vendor Management Programs, Threat Management, etc.)?

You can’t.

Granted, sometimes there are situations that are not meant to be communicated until certain, specific times.  Any company about to undergo a restructuring, a series of significant layoffs, or a sale of the business, may not want, or may not legally be able, to communicate timely.

Sometimes, the need for communication is legally required.  Take, for example, the Privacy legislation enacted by the State of MA:  201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.

One component of this legislation, as well as other similar legislation, is an attempt (I explicitly chose that last word since there seems to be a great deal of ambiguity regarding the success of this portion of the legislation) to quantify reporting requirements for an organization that has experienced a data breach.  One does not need to look just at large-scale breach scenarios (TJX, Heartland, etc.) to understand the importance of this legislation, regardless of how successful it is (or isn’t?).

Call me a glutton for punishment, but every now and then I like to review the chronology of data breaches that is listed and continually updated on the Privacy Rights Clearinghouse website:  http://www.privacyrights.org/data-breach#CP

What does this ever-growing list communicate to me?  For one, universal compliance with the legislation has not yet been achieved.  That may never happen.  Also, there is one small detail regarding the above linked list that may escape many readers… you can only list what is reported!

Go back to the list one more time and look at the types of breaches and how many involve 500 records here, 750 records there.  Between December 1st and December 5th, seven breaches were reported and listed on the site.  The record count for some of these breaches is not yet known/listed.  But the others… 8,300, 1,716, 845… small fry compared to the millions of records involved with some of the most widely publicized breaches of recent times.

Here is a quick sampling from the website of some of the types of breach scenarios that keep me up at night:

- Hundreds of blank checks, bank and telephone statements, Social Security cards and IDs were found in a dumpster by someone from a neighboring store.

- A former employee accidentally posted sensitive information in a place that was publicly accessible on the Internet.  The home addresses of sheriff’s deputies, names of confidential drug informants, confidential emails between officers and other sensitive information were accessible from April until the discovery in November.

- An administrative report that should have been shredded was accidentally thrown in the trash. Reports are usually left in a storage location for 45 days and then discarded properly.  Anyone looking through the report would find names, Social Security numbers and other patient information.

I am always amazed at events like these.  In the past, my initial reaction might include a statement such as, “How could someone do something like this?”  But of late, I have also included something like, “What policies, and the implications of non-compliance, were not satisfactorily communicated to all employees?”

Clearly, failure to communicate has many detrimental effects.  Though some folks may not want to make the effort, it does pay off.  Just the other day, I was planning on signing up for a service/app for my BlackBerry.  As part of the registration process, I had to provide my credit card number for the transactions I would be conducting via this application.

In the old days (or prior to TJX), I may have immediately provided my card information to the website.  Instead, I checked the company’s website to see if they were a PCI Level-1 Certified Merchant.  They were.  I then went to Visa’s website to ensure they had an approved Report of Compliance on file for the merchant from within the last year.  They did.

Of course, this does not guarantee that my card information will not be compromised.  But it does communicate to me a greater sense of security and knowledge that the risk of compromise is likely to be less than if I were to provide my card number to a website in Russia that “sells” MP3 files.

We, as consumers, have to place a great deal of faith in the technology we use today.  Businesses are almost required to utilize technology if they want to succeed.  Look at what Amazon.com, Borders.com, and other similar websites have done to the corner bookstore… many have been wiped out of existence.  Some have survived.  How?  They have loyal customers.  They provide an inviting, warm environment to browse.  They have hard-to-find books that the big e-tailers just cannot afford to maintain in their inventory.  But succeed and survive they have.

At the root of this success is…communication.  It takes many forms.  It could be in the form of a print advertisement.  It could be a radio advertisement.  It could simply be word-of-mouth.

Communication must be clear.  It must be concise.  It must ensure that what you intend to say is said, heard, and understood.  The technology of today has complicated things.  As I state above, technology is meant to make our lives easier, more efficient, more exciting.  But at what cost?  We need to control the technology. We need to manage and mitigate inherent risks in the technology we use.  We don’t get this for free.  But it is an expense each and every person and organization has to make.

I wish, for the sake of our economy, that communication was always simple.

It’s not.

I wish for the sake of my clients, that they all knew how to communicate well.

They don’t.

I wish sometimes (useful) technology meant to aid communication wasn’t so difficult to use.

It may never be.

Oh how I sometimes wish I could just go back to simpler times!  I think I may go home tonight and, at risk of hearing “Dad, that’s so lame”, ask my daughter if she wants to make one of these with me:  http://www.wikihow.com/Make-a-Play-Telephone

- Jeff Bamberger

3 Responses to “Hopefully, What We Don’t Have Here is a Failure to Communicate”

  1. John

    Ever try to talk to your kid about security/privacy when they use their tech devices? My daughter is the same age. Talk about the eye roll!

  2. Gerry Kane

    Despite the anticipation of the dreaded eye roll, it is encouraging that risk conscious entities are beginning to understand the importance of risk management “away from the office.” We are finding at ZeroPoint that these entities are specifically requesting that we include elements of home computing when we deliver security awareness training to their employees.

  3. Jeffrey Bamberger

    This is always an ongoing issue with our children these days. Call me a wishful thinker, but with any new tech device that my daughter wants/(thinks she) needs, I try to make her listen to my security/privacy caveats. “You want ‘X’ device, you get my feelings about it first.” The answer to the question “does it make a difference” is one I may never know for sure.

