Don’t we all work for the same company? Part 2

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Yesterday’s blog started talking about how important collaboration is to eGRC issues such as privacy of information. I asked you to consider any kind of information breach and looked at why IT and legal will inevitably be involved and have to work together. I recently spoke to Barb Mosher about the Ponemon Survey, and she wrote a great article titled ‘GRC Initiatives Critical, Yet Enterprise Strategy, Collaboration Lacking’, which outlines the key issues I have described in this blog series. Let’s now look at the other two key functions to get drawn in: operations and finance.

Operations in the firing line

The effect of a breach on an organization’s operations will very much depend on the nature of the breach and the organization’s business. As data-breach notification laws become more common, every breach will at least require customers to be informed — especially those customers directly affected. Many breaches will also have a direct effect on the organization’s ability to continue to deliver its products or services, whether because a network or website must be taken offline, product functionality must be reengineered, or a back-office process must be suspended until the issues have been investigated and remediated.

If an organization is lucky, any disruption to business-as-usual will be brief; but we’ve seen that it can take weeks to restore affected services, giving customers more to complain about and reporters and bloggers more to write about. Collaboration between IT and operations is critical to managing the timelines for service restoration or product remediation, and for the related task of managing customer expectations.

Customer (and media) communications following a breach are fast becoming a minefield for organizations, with the potential to explode no matter what they do. Pressure is mounting for notification to happen as soon as an organization becomes aware of a breach, whereas even a year ago it was not unusual for months to pass between breach identification and notification. This new demand is perfectly understandable: if private information relating to you has been compromised, you’d rather know sooner than later. But it means that organizations may not have time to understand what’s really happened before they have to tell customers, which in turn may necessitate embarrassing corrections as the picture becomes clearer. It’s really not unusual for the investigation of a breach to reveal that it’s more serious than the organization first realized.

If pressure continues to mount to speed up the notification process, it will become more vital than ever for IT, operational and legal teams to work together to clarify understanding across the organization of what’s known, what isn’t known, and what might be subject to further discovery and possible revision.

Finance in the command center

Ultimately, organizations need to know what the total financial implications of a breach are, because risk management is about weighing the cost to prevent a risk against the likelihood of it happening and the cost to the organization if it does. When a breach happens, the finance department needs accurate information in order to validate the organization’s approach in relation to this kind of risk, or to adjust it going forward.

Reporters will pounce on any movement of a company’s stock price in the days and weeks following a breach. If the price drops, it will be loudly proclaimed as a sign that the company’s brand has suffered as a result of the breach. We may never know how far that is true. Just as one cold winter doesn’t imply anything one way or the other about the reality of global warming, so a momentary stock price movement can’t really tell us anything about whether a company’s reputation has been significantly or permanently damaged. But in measuring the true financial cost of a breach, organizations do need to find ways to measure the effect on customer, investor and shareholder perceptions and behavior, as well as the more obvious costs of investigating, reporting on and remediating the breach, financing legal battles or settlements, and meeting the cost of fines or other sanctions.

To be able to accurately assess these costs, the finance department needs to be able to see and clearly understand what effect the breach is having on IT, legal, operations and other functions across the business.

So what department do you work for?

Thinking through the implications of any privacy-related incident, it becomes apparent that privacy is no longer (if indeed it ever was) purely a legal issue or an IT issue — no matter who is regarded as being its ultimate ‘owner’ from an organizational point of view. And as with privacy, so it is with most eGRC issues.

So the next time you need to talk to someone in another part of the organization to respond to an eGRC initiative, and someone asks what department you’re from, say you’re from the ‘legal unification department’ or the ‘IT unification department’ and your responsibility is to work across the organization to get everyone headed in the direction the organization as a whole needs you to go.

Further reading:
1. The Ponemon survey