Culture of data security must begin at top, expert says

Ed Stroz, of Stroz Friedberg, speaks to a monthly gathering of the CIO Roundtable at Fordham University's Lincoln Center campus.

Ed Stroz, of Stroz Friedberg, speaks to a monthly gathering of the CIO Roundtable at Fordham University’s Lincoln Center campus.

A culture of data security at a company must begin at the top levels of management and must be taken seriously if a firm is to deal proactively with online threats, a security expert told an audience of information specialists recently.

Ed Stroz, founder of the security firm Stroz Friedberg and a Fordham University graduate (GABELLI, BS ’79), told the monthly CIO Roundtable group at Lincoln Center that policies, procedures and training need to be in place from top to bottom in companies.

“We walk into a lot of companies … where the senior-most people, guys with more gray hair than I have, don’t want to use passwords,” Stroz said. ”You know what that tells people inside your company? ‘Why should I do this when you don’t do it?’ If you send that message, then the rigor that you expect to have behind it really goes down the drain.”

The CIO Roundtable, organized by Gabelli School of Business Associate Professor Aditya Saharia, brings together chief information officers and others involved in technology. March’s meeting was a joint session of the roundtable and the Society for Information Management.

Stroz, a Fordham trustee, said a lack of attention to data security can be costly. The average cost of a data breach in the United States is $5.8 million, he said, and that cost is growing worldwide at an average of 15 percent a year.

Data breaches at companies, in which systems are hacked or otherwise accessed or leaked and user and proprietary information is compromised, can also lead to class-action lawsuits. Victims can claim that a company failed to adequately take care of data.

To deal with the threat, Stroz said, companies have to prepare by conducting risk assessments, creating and practicing an incident response plan, and watching for different “triggers” that alert a firm to a potential breach.

Stroz added that companies will need to build security and testing into their budgets.

“It’s going to cost to do this right,” Stroz said.

Facebook Twitter Linkedin Email