Sorry, we lost your data

Nov 02, 2017, 4 min read
Data and Information Security, Security

We strive to prevent data loss and security breaches in our own environments. What do we do when someone else loses our data?

I can still picture the stack of paper sitting on the table. There had to be at least eight reams' worth of printed data, a fraction of what was lost. It was a startling visual, seeing so much data presented in physical form. It belonged to my organization, and that huge stack and so much more still in digital form was simply gone. The data had been stolen during a massive breach that lasted for months, an attack that seemingly survived at least one cleanup attempt and that would have a dramatic impact on the organizational security team.

Not at my company, and not on my team, but for the organization that lost our data.

No matter how we secure our own environments, many of us will experience the effects of a breach that occurs when a trusted partner or third party loses our data. Perhaps this happens because our own defenses prove too challenging, or hackers know about a business relationship and the partner’s defenses are weak, or maybe the third party is a large data aggregator and offers a target-rich environment too tempting to resist.

I have had to call my peers in other organizations to inform them that someone in their mailroom sent records containing visible PII in a clear FedEx envelope, or that someone sent vast amounts of sensitive data unencrypted by email. I have had to counsel people within my organizations over the years for similar behavior, trying to convey how serious the ramifications can be for everyone involved when someone violates security policies and protocol.

Breaches and data loss continue to make headlines despite a surge in governance, standards and regulatory requirements.

Second- and third-party risk is well known within industry and is part of the rationale behind indemnity and liability clauses in contracts. Agreements may include insurance policies to mitigate some of the risk, and standards like SSAE-16/18 result in SOC reports intended to characterize a service organization's level of risk and operational maturity. Frameworks developed by ISO, NIST, PCI, and so many others help organizations implement security controls. These measures are intended to ensure that solutions are safer, data is more secure, and partners can be trusted, but failures continue to pile up regardless of who controls the data or resources.

These examples of third party data loss are not isolated issues, as recent disclosures from Equifax, Domino’s Pizza, and South Africa all illustrate. Data loss is becoming so routine that one could be justified in believing that future protections may be pointless. The truth is far from it. For scientific advances, business success and consumer confidence to grow, partnerships, contracts, business associations and third-party agreements need to incorporate stronger terms, language and penalties for data loss and breach.

Can market forces correct security behavior?

Loss and compromise will remain a risk for as long as we need to access and use data. The key to changing the pattern of failure is through accountability. Individuals and industry alike need to punish negligent failures with a loss of future trust and business, and reward those with a record of responsible care and diligence with a vote of confidence and more business. When the consequences of a breach become significant enough, it will force changes to our behavior and the conduct of those entrusted with our data.

Instead of treating financial and technology threats as business versus IT problems, we need to see them holistically. Data is the currency of modern business, and mitigating threats that compromise its value is a business risk, not a technology issue for IT to solve. Once security is as integrated into business practices and solutions as any other risk, I suspect we will see far fewer news headlines about data compromises. Until that day, we need to do a better job of educating others about these issues as business risks and be mindful of who we entrust with our data.


Brent Hutfless is an experienced CISO and technology leader. He is currently the founder of Cannon Reef, an IT and IT security consulting company focused on providing business leaders with insight and recommendations for technology and security challenges, projects and solution implementations.

Brent led the information security programs in his last three roles at a Top 100 U.S. Federal contractor and two U.S. Navy headquarters-level commands. A U.S. Navy veteran with more than two decades in manufacturing, healthcare, defense, aviation and training industries, his knowledge and leadership experiences have provided him an uncommon level of insight into technology and cyber-security in particular. He has successfully implemented security initiatives that align to NIST, ISO and HIPAA compliance frameworks, and advises organizations and industry groups on these and other GRC frameworks and regulatory requirements. He is comfortable presenting business, technical and security-relevant risk topics to executive leadership and board-level directors, and has a successful record of completing challenging security, technology, and core business projects and programs.

Most recently, Brent was the IT Director at Austal, an Australian-headquartered shipbuilder and Top 100 U.S. Federal contractor employing over 4000 US personnel in support of the Independence class Littoral Combat Ship (LCS) and Expeditionary Fast Transport (EPF) ship programs. Austal recruited Brent during a period of rapid growth to establish and manage a cybersecurity program that could meet strict DOD requirements as well as the tough restrictions imposed by the U.S. government due to foreign ownership. He later assumed the role of IT Director and the responsibilities for the network, system and asset teams in addition to the security personnel. The Austal security program has received six consecutive superior ratings from Defense Security Services, the highest score a company can achieve.

Brent holds a BS in computer science from Troy University, a MS in software engineering as well as a certificate in medical informatics from the University of West Florida, and is a Certified Information Systems Security Professional (CISSP). His publications include contributing to three editions of a Health Informatics textbook, a peer-reviewed study published by AHIMA, and numerous online articles. He has served as president, board member and cyber chair for the Gulf Coast Industrial Security Awareness Council, as a CIO panelist, presenter, and planning committee member for ITEN Wired, and held positions within the Gulf Coast Technology Council, the (ISC)2 Florida Panhandle Chapter, as well as maintaining membership in other industry organizations.

The opinions expressed in this blog are those of Brent Hutfless and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.