Security Pros Must Guide Big Data Projects, Ensure Privacy


Security professionals focus on defending against attacks and responding to security incidents, but as business units experiment with big data analytics projects, chief information security officers and other security professionals should be helping guide decisions, according to a panel of security experts.

Safeguarding data and defending against a barrage of continuous attacks attempting to penetrate the corporate network will continue to be the primary role of information security professionals. But big data analytics projects, which involve collecting and analyzing data from a myriad of sources, could increase their responsibilities, according to the panel.

Security professionals need to offer guidance and ensure the long-established trust with customers isn't breached, said Pat Foley, director, technology compliance at Stamford, Conn.-based Starwood Hotels & Resorts Worldwide. Big data projects could impact the security industry significantly in ways that have not been anticipated, Foley said.

"People share their information because they get rewarded for it, and we collect some data passively," Foley said. "It's a serious hindrance if we are not wise enough or thoughtful enough about what we plan to do with this data that we collect. If we use it poorly it will come back to bite us."

Foley and other security executives shared their views on how privacy will be impacted by big data analytics projects at the conclusion of the MIS Training Institute's Conference on Big Data Security in Boston on Thursday. The two-day conference explored the potential consequences of big data projects as well as the security risks and other issues that big data imposes on business.

Putting together data sets from multiple sources could reveal details about individuals that they didn't intend to share, said Jim Hickstein, an IT executive and administrator at Roseland, N.J.-based Automatic Data Processing. Legal and ethical decisions are going to need to be raised, he said. Regulations currently focus on specific data sets such as personally identifiable information, but big data analytics creates a whole new set of outcomes that is not addressed by any standards or regulations, Hickstein said.

"When you combine information and you take two pieces of data and rub them together, you could create an outcome that is a security risk," Hickstein said. "Society has not caught up to what can be done now, and I don't know that technology can solve these problems."

The security experts said organizations have been collecting data for a long time. Supermarkets collect vast amounts of data through rewards cards. Hotels track guests from the movies they purchase to the room service food items they order. Combined with data from other sources, a picture begins to develop about an individual that is extremely valuable to marketers and advertisers but may not be what a person intended to be public, said Anthony Meholic, senior vice president and chief security officer of The Bancorp Inc., a Wilmington, Del.-based financial holding company. The issue becomes increasingly difficult for security pros because business executives believe the competitors are busy with big data projects, Meholic said.

"The stuff in there may not be [personally identifiable information], but the steps you are starting from and the place you end up could result with something that resembles information that needs to be protected," Meholic said. "How are we going to do our jobs if information is not correctly characterized?"

PUBLISHED JULY 19, 2013