Four Questions with Jasper Ossentjuk — TransUnion’s Chief Information Security Officer

TransUnion
Article 05/30/2018

In light of recent events and the growing gravity of information security, we interviewed Jasper to hear his thoughts on this subject’s current and future state — and what your business can do to protect itself and its customers.

Q1: How would you describe the information security climate today?

Threats to personal data are rampant and coming from many angles. Attackers are increasing in sophistication — using bots, scripts and soon, artificial intelligence, making it hard to keep up effective defenses. As innovations continue in areas like cloud computing, social media, mobile and big data, it is actually putting more pressure on cyber defenders. And the catch is, finding enough qualified candidates to perform the enormous volume of duties is a tall order. Beyond that, the myriad attackers only have to be right one time to wreak havoc, while your company’s security strategies must be ironclad — every single time.

Information security threats are projected to cost the world economy $6 trillion by 2021.¹ And the attacks are getting more widespread and serious. Cyber espionage, hacktivism and ransomware have risen dramatically and can severely damage governments, economies, systems and more, creating huge risks. And the lines are blurring between run-of-the-mill cybercriminals and sophisticated nation states. Then there are physical cyberattacks that can cause network outages and disruption to public utilities and transportation, cultivating an environment of danger.

And just because the aforementioned seem to be larger scale instances, the reality is cybercrimes can still affect businesses just like yours at the root level. Your business and customers are not immune to a gap or weakness in security. So, having a solid information security plan and powerful solutions in place is critical to the safety of your and your customers’ data — and that won’t be changing anytime soon. It all may sound very ominous, but that’s where Information Security programs come in to defend against bad guys.

Q2: Are there indications of a shift in consumers’ priorities regarding information security?

In the past, when data breaches were happening but perhaps not as talked about, it seemed consumers were not as fazed. Take for instance the TJ Maxx data breach of 2006 when Albert Gonzalez and his crew stole 94 million credit and debit card numbers. Curiously, sales were hardly affected that quarter and actually rose by 9% the next quarter. And there are many more similar instances from years prior when consumers accepted the inconvenience if affected and just moved along, basically without missing a beat.

Fast forward to 2018 to the Facebook data governance incident where consumer data is said to have been used for political purposes. With this event, people noticed, and based on a survey of 1,000 Facebook users, 9% actually cancelled their accounts. While that may not sound significant, with 2 billion accounts, that represents a potential cancellation by 180 million consumers who care about what happens to their data. Think of it this way, what if 9% of your customers were to flee your business in a short period of time… you’d definitely feel that in your bottom line.

So, yes — there does seem to be a slow shift by consumers. I think people are getting more wary of where their data lives and who’s harvesting it and for what purposes. I’d say this trend will only continue as fraud expands and evolves and consumers become a little more plugged in to the risk.

Q3: Why should businesses care?

We’ve entered the consumer-first era. People are more empowered than ever with access to information and the means to pursue options that best fit their needs. Businesses must cater to consumers more than ever and deliver safe, seamless experiences to ensure success. And while providing the most relevant services, offers and products is critical, ensuring consumer data is safe and secure will be paramount too. And consumers don’t always make it easy — they flood social media and other platforms with their personal info and preferences. Yet, they still expect your business to protect them from harm. In truth, it’s a two-way street with shared responsibility on both sides.

Consumers are becoming more attuned and aware of their data and its security. And society can’t deny that breaches are more prevalent these days. So, I definitely believe decision-making and loyalty based on information security will also become more common. It stands to reason that businesses that put stringent security strategies in place and show their customers they take data security very seriously will be more attractive. And as mentioned, I believe this type of action is going to become more table stakes as we move forward. Consumers are going to require the highest level of security — despite the fact that they themselves often willingly share their information online.

Q4: What are the attributes of a strong information security program?

A robust, multilayered security strategy is imperative. I’m talking about the kind of framework that ensures if one layer is compromised, backup controls will help to avoid catastrophe. Old school thinking that if you protect the perimeter you’ll prevent all attacks is no longer effective. It’s important to recognize the perimeter is blurred by multiple business relationships and innovative technology like mobile and cloud.

Consider an approach that includes controls to predict, prevent, detect and respond. Robust preventive and detective controls are fundamental, but businesses must be prepared to act when these controls fail. Enhanced and continuous monitoring is essential to identify anomalies and alert that something is amiss. It’s then that responsive controls must also be in place and well-rehearsed so your organization can respond quickly with muscle memory — from plenty of practice through exercises that simulate attacks. If you wait for a real attack to exercise these skills, you may not be confident or fully prepared to respond under pressure with the effectiveness and poise that’s built through extensive communication, training and practice.

Because our mission at TU is to always use Information for Good℠, protecting data and information security are of the utmost importance. It’s a business priority and an implicit promise to ensure our data doesn’t get into the wrong hands. We invest in our people, processes and technology to maintain pace with the evolving threats. We work hard to have a well-trained, well-resourced team of security professionals to meet the high expectations we set for ourselves and that we know are shared by consumers and our customers.

1 https://cybersecurityventures.com/cybersecurity-market-report/