If the recent classified data disclosures by whistleblower organization WikiLeaks can be said to have officials in the U.S. and other governments in a scramble, then it would be fair to say that the pending release of confidential records from private enterprises should have executives and shareholders in a serious pucker.
In an interview with Andy Greenberg of Forbes in early November, fugitive activist Julian Assange revealed that his next target is the private sector, and the implications for the future of enterprise information security efforts are unprecedented.
Assange made clear his intentions to release damning documentation of improprieties by at least one major US bank. Also pending release are documents from pharmaceutical companies, financial firms and energy companies.
"We have one related to a bank coming up, that's a megaleak," Assange asserts. "It will give a true and representative insight into how banks behave at the executive level in a way that will stimulate investigations and reforms, I presume... For this, there's only one similar example. It's like the Enron emails..."
The Enron emails revealed a calculated culture of corporate corruption and an ethical void so vast that the disclosures spurred one of the biggest regulatory reforms in American history, yielding the passage of the Sarbanes-Oxley Act, which nearly ten years later is still finding its ultimate reach.
Information security professionals, both inside and outside the corporate structure, have long been fighting an uphill battle in their efforts to bring assurance to the forefront of enterprise management activities.
The widespread dependence on information technology and the dynamic nature of the challenges inherent in the protection of sensitive and proprietary data make security efforts difficult to justify to executives with a return-on-investment mindset that was drilled into them in business school.
Information security is seen as a cost-center proposition, where risk is most often evaluated in the absence of a breach event, leaving security professionals in the awkward position of proving a negative in order to justify an increased need for resources to counter burgeoning threats.
This information security paradox becomes readily apparent to all involved in the aftermath of a catastrophic data security event, and WikiLeaks is pursuing just that.
The crux of the problem for enterprise security is the fact that increased regulation has not resulted in increased security; in fact, the contrary may be true. Mandated audits and the threat of regulatory sanction too often appear to be greater threats to the company's bottom line than does the risk of a data loss event.
In a recent interview, Larry Clinton, President of the Internet Security Alliance, said, "In short, many organizations are now devoting their cyber security resources primarily to audit compliance, which does not necessarily correspond to improved security. Indeed, by drawing resources away from actual security to focus on regulatory compliance we may well be weakening our security."
The focus on compliance also gives the executive class a false sense of security. When all of the checklist boxes are filled in, the required certifications are in place, and the audit teams have given enterprise security efforts the green light, their focus turns elsewhere.
The pending release of thousands of pages of confidential information by WikiLeaks will undoubtedly shock corporate management out of their state of complacency.
So what is at stake? Well, a lot.
Potentially, the revelations could shake shareholder confidence across multiple sectors, and we could witness a sharp decline in the stock prices of enough companies to negatively affect any hope of an economic recovery for some time.
It could also, as Assange predicts, be the catalyst for even more regulatory reforms that, while well-intentioned, will again ultimately do little to increase enterprise security while further raising the cost of compliance, a cost ultimately borne by consumers.
But on the positive side of things, it could be the impetus that the information security sector needs to finally garner the resources required to optimize security efforts, ultimately reduce the risk of data loss events, and realize long-term savings for businesses.
This utopian feat will be evident when security best practices finally become "baked-in" to the enterprise at every stage of operations, in sharp contrast to the "we built this, don't let anyone break it" mentality that is currently the status quo.
Unfortunately, but predictably, it takes an event of such catastrophic magnitude to cause a sea change on the level we will witness after WikiLeaks decides to pull the trigger on the private sector.
Get ready to see how the sausage is made.