How to turn the new Privacy Act into fresh revenue


CRN: How can vendors help with all of this?

John Reeman As an example, we have been working with Fujitsu at a number of events to get the awareness out to their customer base of what the Act means and what they need to do to get ready. Then we’ve been enabling Fujitsu to be able to go out and deliver that first engagement, through a pre-sales process to make those organisations aware. Then there’s a strategy around how to mitigate the risk, not just to meet the data privacy requirements, but to reduce risk across the entire enterprise around data privacy. We do that by providing them with our collateral, our IP and knowledge that we’ve used over the last 10 years around doing a risk-based approach on a business level: the processes that are in place, as well as any underlying technology. 

Let’s face it, most of this isn’t about technology – it’s about educating the organisation as a whole from the top down.

Then there’s technology behind that. We spoke around things like data loss prevention. If you take DLP, most DLP is not technology. Ninety percent is about how you respond and handle incidents. 

That’s the kind of messaging that we’ve been driving. If you get the right frameworks in place for those policies to be then able to mediate and educate your workforce, then the technology is going to be effective, but not a be-all and end-all.

CRN: How about McAfee?

Andres Schmid  On the awareness, we do that with various collateral: brochures, people, graphics, you name it, just to bring that awareness. I think awareness is still a bit lacking in the SMB space, whereas the enterprise customers are very well aware.

Some of our larger customers operate under the assumption that they have already been breached. That is not in question any more – when or will it happen. They operate under the assumption that it has happened, and they need to find out now what does it mean to them and how to mitigate those risks.

Ronnie Altit  I’m curious to know how many people are actually having success in getting customers to do something?

Romain Rallu, Bridge Point As with any sales, it depends on the approach that you have. Our business obviously is to sell product, but we have a consultancy arm just like Loop has, and when you are in the consultancy space and you become their trusted adviser, this is when you can convert them from “I’m interested” to “Here’s the PO [purchase order]”.

Nick Verykios  I think the answer, Ronnie, is “very low” because most people are, in the real world, under-insured. But if you’ve got an asset to protect, you’re over-insured. So it’s a matter of, “Do they have an asset to protect?” If they have an asset to protect, then there is no sell required – it’s a matter of “technology solves that issue”. But most people don’t see their data as an asset to protect. 

CRN: If the customer was to say, “Sign me up, I’ll have the works” – which we’d all love – what would that technology be? 

Chris Munro  You’ve got the standards, like AV [anti-virus] and DLP and IPS [intrusion prevention systems] and all these other things, but a holistic approach is required. It’s probably difficult to pin down exactly, for an organisation, what are all the technologies you need. I’d probably be calling Nick up and saying, “Back the truck up, we’ve got a live one”. It’s always a multi-faceted approach.

Declan Ingram  If you create a matrix of all the technology that’s rolled off around IPS and AV and firewalls and all that sort of stuff, and then you looked at it in terms of where your information assets actually live in real life, they’re all up there in the data. An IPS that’s looking for specific network-level attacks is not really where you have to be focused. In terms of what specific controls are needed, it’s specific controls that can look at the data. An IPS is not going to know the difference between someone sending themselves a spreadsheet of all of your customers details, or accidentally or deliberately sending it to someone else.

CRN: Would you like to see the Privacy Commissioner come out and come out hard to really get people moving on this?

Romain Rallu  Yes, absolutely. 

Nick Verykios  A customer is not going to give a damn unless he realises that he has a problem and that problem can be solved through technology and the services associated to it. The best thing that ever happened to the security industry was the ethical hack because it showed people what is already happening to them that they didn’t realise, and suddenly things like money started getting spent.

The smartest thing the Commissioner could do would be to choose their ethical hackers and do a mandatory assessment of every business. Wouldn’t that be wonderful?

Chris Gatford  Nick for government!

Declan Ingram  I’ll go with that.

Chris Gatford  Something I’ve seen many times is that we sit on tons of vulnerabilities that affect hundreds of thousands, perhaps millions of Australian citizens, and I cannot get the vendor to fix the vulnerability. I have no leverage. I have the customer who knows about the vulnerability, I have the vendor who made the software and I’m sitting here telling them, “You need to fix this, thousands of Australians’ information is exposed”.

I’ve got one banking vendor who refuses to fix a vulnerability until the customer will pay for an upgrade where the fix is included. Trying to charge the customer for a critical security breach – it’s craziness. 

CRN: How do you expect the Privacy Commissioner to start engaging with organisations?

Daad Soufi  [Privacy Commissioner Timothy Pilgrim] has been very clear in his intentions about how he’s going to use his new powers. I honestly shared the same view as everyone else around the table.

[However] Senator Brandis has put forward a media release that he’s asking the Privacy Commissioner to take a light-touch approach, because they want to make sure that privacy compliance isn’t a burden for industry. So I think there’s probably a clear message in the Privacy Commissioner’s office, knowing that a lot of organisations aren’t ready. 

I don’t think that’s on the agenda of the Liberal government. The Liberal government has a “reduction in red tape” agenda.

CRN: What else do you expect to see once the Act comes into play?

Lyncoln de Mello  There are habits that need to be incorporated into day-to-day behaviour. Things like putting passwords on files that are zipped with customers’ data, that kind of thing. That will take a little while, but that’s what needs to propagate through. 

There’s a big piece of this that is missing. People keep talking about “Compliance with the Privacy Act”. What compliance? What certification? 

Martin Choluj  The problem we’re facing is business, for some reason, believes we can achieve a level of compliance, that they could be compliant with an Act or legislation, which as Lyncoln rightly said is not possible. Security is not a yes or no. It’s not black and white. There’s a lot of grey happening in security.

I don’t necessarily believe that there’s going to be a standard which is a yes-no checklist. It’s going to be reasonable steps I’ve taken to secure this information internally and externally in my business. 

Copyright © nextmedia Pty Ltd. All rights reserved.