'Vast Gaps' in Data Protection
Most financial companies have "vast gaps" in their privacy and data protection programs, according to a study released this week by security firm Compuware and Ponemon Institute, a research company.
The survey found that 83 percent of companies use real customer data in development and testing - and 51 percent of those who do so, do not mark or anonymize or otherwise protect this data.
"This is something that would really surprise people, especially at the C-level," said Compuware product manager Mark Schettenhelm, who was involved in the study from the beginning. "Some people would say that the data is old. But even data one or two years old can be very valuable on the open market."
The researchers interviewed chief security officers, chief privacy officers, chief information security officers and similar executives at 80 multinational financial corporations.
According to Schettenhelm, the survey results were similar for both the large and medium-sized organizations, though the larger firms "seemed to do a little better" but not significantly better in most areas surveyed.
"These are difficult problems, and they take a long time to fix," he said.
And they also take funding.
Of the 60 percent of organizations that have a chief privacy officer, half report that they don't have the resources they need to meet their objectives, he said.
According to TowerGroup analyst Rodney Nelsestuen, the privacy officer function can be combined with other duties, such as that of a senior risk officer or under a chief operating officer.
"I think that privacy can be accomplished without being a C-level position," he said. But the lack of resources is only to be expected for a new function.
"We actually saw this pretty broadly in Europe, when Europe was putting in operational risk officers," he said. "They didn't have the resources, the connections to IT, to other lines of business. It took a couple of years to put it all together, and sometimes these folks are looked at as threats to the business."
This article can also be found at SecuritiesIndustry.com.