Earlier today, Ventiv Technology announced that the role of chief information security officer (held by yours truly) has been elevated to direct-report status to Ventiv’s chief executive officer, Kathy Burns. I encourage you to read the news release (on our website and on the newswire where we distributed it). In the release, we explain exactly why we’ve made this move and why we think it’s so important for our customers in the risk, insurance and safety community.
In this blog post, I’d like to give a little more background on why we’ve made this organizational change. In a nutshell, information security has always been important to Ventiv; we are the only provider in our market with a CISO, and this move takes us to the next level.
I’m frequently involved in sales presentations to prospective clients (as well as to existing clients), who usually ask some very good questions about data security/privacy and Ventiv’s cloud-based application and data hosting. We often hear similar questions at industry events and meetings, in the trade press and on message boards. The 3SIXTY blog seems like a good place to share some of these questions and Ventiv’s answers to them.
When a discussion turns to data security and privacy, risk and insurance managers often challenge us along these lines:
I understand the advantages, in theory, of Ventiv’s RIScloud technology infrastructure. Ventiv owns and manages RIScloud in its entirety and is fully accountable for the security and privacy of the data it hosts for my organization. In practice, however, does it really matter what cloud solution I choose? Aren’t they all basically the same at the end of the day?
We at Ventiv welcome any and all questions about data security and privacy, especially those that challenge us to make the case for why the choice of cloud-solutions provider is so important. The questions we get often break down as follows; in the spirit of sparking discussion and debate, I’ll provide a condensed version of Ventiv’s position on these important questions:
Q: Is my organization’s risk and insurance data really at risk in the way that payment systems at major retailers are?
The Ventiv position: Common sense suggests that your typical risk and insurance data will not be as attractive to cyber criminals as something like point-of-sale data or payment information. Although there is a risk to hosting any risk data, wherever it is hosted, some data will be more vulnerable than other data simply because it’s potentially more valuable to cyber crooks and thus will get more attention from them.
The Ventiv position is that risk and insurance data should be managed with the same level of security as any other data. For one thing, there’s a strong case to be made that
TPAs, technology vendors and most others in our industry are subject to the regulations in the HIPAA/HITECH Acts.
We also think that it’s important for risk managers to set the right example within their organizations.
Risk managers are being asked to take on an ever-increasing share of the responsibility for cyber risk; organizations today outsource an ever-expanding share of their technology needs to third-party providers. We suggest that when risk managers choose their own
risk management information software,
claims administration systems, and safety solutions, they choose systems with the same level of data security, accountability and auditability that they’d expect others in their organization to choose.
Q: Have any of Ventiv’s cloud-based competitors reported data breaches? I mean, come on…in practical terms, is there really any difference between RIScloud and the cloud services your competitors offer?
The Ventiv position: We’re unaware of any such breaches, and we hope there are never any incidents that directly impact members of the risk, insurance and safety community. That said, we think it’s unwise to believe that such incidents could never happen to your risk and insurance data. We ask risk and insurance managers to imagine their position should their third-party application- and data-hosting partner suffer a breach:
in such a case, risk managers are best insulated when their partners are thoroughly accredited and credentialed. We contend that third-party, rigorous accreditations make for a real, relevant difference between cloud providers.
Q: In practice, how do RIScloud’s advantages benefit my organization?
The Ventiv position: We think this is a representative example of how one of RIScloud’s advantages (specifically, being a
single-source, fully accountable cloud solution) benefits our customers: Several of our cloud-based competitors outsource key parts of their infrastructure to third-party providers, like Amazon Web Services. Back in August, I was alerted to this issue discussed in a forum on Amazon cloud’s own developer board, in which
Cloud users are complaining that emails from the Amazon Web Services domain are being blocked by the major spam filters. Why is that happening? Spam filters are seeing Amazon Cloud services becoming a major source for spammers and other unsavory digital entities, so these filters block the whole domain. If you go to
the Amazon forum, you’ll see that there is still no resolution to this issue, nor is there likely to be a solution. It’s simply a problem inherent in non-selective outsourcing on the part of some of our cloud-based competitors.
These are just a few of the questions we get when we talk in depth about data security and privacy with members of the risk, insurance and safety community. What do you think?
David Black is chief information security officer with Ventiv Technology, based in the Atlanta office. Contact David at david.black@ventivtech.com.
