Here’s the scenario: in its latest Cost of a Data Breach report, IBM tells us that the average global cost of a data breach has hit a new high, $4.88 million per instance in 2024. Spooked, your CEO calls your security team in and asks if your company and your clients are adequately protected.
“You bet,” your head of security says. “We just upgraded our automated security system to include generative AI, the latest and greatest technology innovation.”
“That’s terrific,” your CEO says. “I’ll tell our board we are all set.”
Except in most cases, you may not be.
Generative AI capabilities are an important component of a solid, holistic approach to data security required in a digital world that is at risk from increasingly sophisticated, malevolent actors. But it isn’t automatically the end game. I know. At my company, we design and deploy gen AI-powered systems. We love gen AI, what it allows companies to do, and how it can enhance a company’s security.
Your Secret Security Weapon
At the same time, a component of an overall data security approach that can be a game changer for companies whose security responsibilities extend to client data (and today that applies to most of us) is a comprehensive Client Data Protection program (CDP).
For the most part, client data protection has been swept into a company’s general data protection protocols. That is no longer enough.
Take, for example, technology consulting companies, whose work requires them to venture deep into a client’s operations and data repositories. These consulting companies work side by side with client company personnel inside client firewalls, deploying technology to improve operations, update customer experiences, or almost anything in between.
In situations like this, even an innocent mistake can leave an opening that a hacker can burrow through to access company data and client data, and from there move into associated vendors and beyond.
It doesn’t happen often, but it’s a risk we can’t take.
If a consulting company doesn’t have a program like Client Data Protection that applies controls to everything they do, that is a huge risk to their company and their clients.
The type of comprehensive Client Data Protection program I recommend is a standardized approach to client data protection that includes a defined set of management processes, controls, and metrics. It outlines and documents specific client data protection activities throughout the course of the project, from the start of an engagement to its conclusion.
Working in concert with a company’s other security programs, the Client Data Protection program demonstrates a company’s solid commitment, backed with concrete actions, to protecting client data. It is why clients can feel comfortable entrusting their sensitive information to a technology partner in an ever-changing, complex digital world.
But how would this type of program operate in the real world? And what are the chances that anyone would follow such an elaborate system?
Client Data Protection at Work
Each step in the CDP program is documented and confirmed by an Information Security Lead, the person designated as responsible for accurate and recorded completion of the CDP program. That record becomes an important part of project metrics that are reported to the CEO and can, ultimately, become part of a board of director dashboard.
At the heart of a comprehensive CDP program is accountability, outlined in five primary steps:
- Directed security. The CDP program is governed by company policies that outline requirements, roles, and responsibilities to ensure a consistent approach to protecting client data.
- All projects. A CDP plan that outlines a specific roadmap for delivered services is created for each client engagement. The plan, which could include steps as comprehensive as coding instructions by language or as detailed as proof of multifactor authentication use, is maintained by project resources throughout each client engagement, under the guidance of the project’s Information Security Lead.
- Training. All project resources complete general and specific security training. All company employees complete mandatory general security programs that, together, instill a company culture committed to security.
- Auditable proof. CDP plans document how the company is meeting its contractual, regulatory, and policy requirements.
- Corporate metric. CDP compliance is continuously measured and reported to corporate leadership, up to the CEO and/or the company’s board of directors.
Sooner Rather than Later
When I talk about this gold standard of client security with companies, responses tend to fall into three categories:
- Most think it is great. They understand and appreciate a commitment to documented CDP safeguards.
- Some assume their technology partners are secure and don’t care how they do it.
- Some want a particular action or requirement added, which is easily integrated into CDP.
If current projections hold, the cost of data breaches will continue to rise. Some of the largest data breaches – and keep in mind that so far in 2024 security experts estimate that one billion personal information records have been stolen, a number that continues to rise – point to the risk companies take with a “we assume your protocols are secure” approach.
More and more, whether because of legislation, greater awareness about the responsibility to secure client data, or because it is required to comply with international standards/regulations, companies will require their partners and vendors to demonstrate and verify their comprehensive client data security programs.
The best time to prepare was yesterday, the second-best time is now.
As CISO at Avanade, I’m responsible for overseeing information security, client data protection, incident management, asset protection, and business continuity initiatives. Reflecting Avanade’s dedication to data security, my team and I work closely with clients to ensure that we meet all information security requirements.
I also lead Avanade’s client account for Accenture, one of our largest North American accounts. Before stepping into the CISO role, I served as CIO, where I grew Avanade’s security strategy in alignment with the increasingly critical role security plays in our clients’ success. Earlier in my career here, I held the position of Vice President of Infrastructure Services and Global Operations, accountable for Avanade’s enterprise infrastructure, including security, end-user enablement, collaboration, hosting, and network services worldwide.
My career began at Accenture, where I spent 14 years, most recently as Director of Unified Communications and Collaboration Services. Academically, I hold a degree in information decision science from the University of Illinois, along with advanced leadership certifications from both the Foster School of Business, University of Washington, and the Haas School of Business, University of California, Berkeley.