Implementing Data Security Is Like Eating An Elephant

We all know how to eat an elephant. One bite at a time at a time, of course. Implementing a comprehensive data security program is no different – for many it’s a monumental task. It can only be accomplished by setting out a manageable, step-by-step plan. Easier said than done? Probably, but that doesn’t mean a process that is impossibly difficult.

The new Massachusetts data security regulation goes into effect on Monday, March 1. If you have not yet begun to plan for the deadline, then likely either you are unaware of the requirements, or you are feeling overwhelmed by them. And who would blame you in light of the seemingly endless list of tasks:

• Develop a written information security plan (WISP);

• Identify all foreseeable risks in your organization by examining every nook and cranny where data enters, leaves or is stored;

• Implement security policies and procedures and train your employees

• Secure all paper and electronic records; provide encryption

• Obtain written assurances from all vendors that they are compliant

• Regularly monitor and review to insure compliance

You know that it is vitally important, both because it’s legally required and because it’s the right thing to do to protect your customers. But where to begin? Do you need professional assistance – a lawyer or specialized IT firm to accomplish this task? That really depends on the size and nature of your business, the data that requires protection and how much time and energy you are willing to devote to the process. Many businesses are probably capable of accomplishing a lot on their own. For the most part, the regulation is a straightforward recitation of the tasks needed to comply. But is that the best use of your time? Noted author and business consultant Andy Birol would caution business owners to judge very carefully those tasks that they choose to do by themselves and those that are properly delegated.

Consider the learning curve required to become proficient in an area that is not a part of your core business. While security is an ongoing and continuous process, monitoring and maintaining a plan is far less cumbersome and time consuming than creating it in the first place. Most businesses will prefer the comfort and efficiency of working with outside professional assistance at least to get the plan created and implemented. Even if you hire professionals, you will still need to be involved in the process. They cannot do it without your participation and that of your senior management and department leaders. And responsibility will not stop there; security needs to be an integral part of your corporate culture from top to bottom, which means it must become the responsibility of everyone in the organization.

So pull out the regulation, review it, create an action plan and start in on the list. Otherwise, hire the professionals. Either way, the time is now.