David Robillard, the President of Multilatin, spoke at our recent FreeBalance International Steering Committee (FISC) conference about the reputational risks of physical and network security.
We recently asked David for insights to share with the broader Public Financial Management community in this abridged interview from his offices in Mexico City.
Q: Is information security a compliance issue?
A: It absolutely is. The US was the first country to legislate about security breaches and make accountable those people in charge of gathering and safeguarding private data. Such laws allow their owners to complain if there is improper use, destruction or theft of sensitive data. Since the 2000s, when the state of California legislated upon this matter, 46 more states in the US have followed suit, as well as several countries in Europe, Asia, Africa and Latin America (particularly Mexico, Colombia, Argentina and Uruguay).
Q: What is the weakest link in information security?
A: It depends on the kind of information you are administrating and the type of security systems you would need. For instance, if you keep personal information at the entrance of a building, the information would not need to be collected on the web, so a breach via hacking would not be a risk. In this case, the weakest links would be the person in charge of security, a thief or the loss of information. However, for every case you are only as strong as your weakest link, so according to your specific situation and the one from its owner, you would be able to identify the major threats to your information security. There is a school of thought that people are the weakest link in information security because people make poor decisions like writing passwords on sticky notes or failing to install security patches.
Q: How does poor information security cost governments?
A: Breaches in information security have high costs on reputation, both for governments and companies. If your country does not have clear legislation on information security, it would be a bigger risk for companies to invest in that country because they cannot be sure what would happen if their information is not protected (e.g. industrial secrets), which affects the country itself and the government income. In addition, if the authorities cannot proceed against security breaches, a possible theft or destruction of government information could mean no recovery of the information and big economic losses.
Q: Have you seen any good practices in Latin America?
A: Mexico has legislation where the Instituto Federal de Acceso a la Información y Protección de Datos (IFAI) can start an investigation in case a security breach occurs in order to determine who was responsible for it, as well as to guarantee that, if this happens, the owner of the information is notified and advised about what to do and how the person responsible will restore the damage.
Q: How has the thinking about "trust" changed in the era of government transparency?
A: Open government information is now considered a right. Governments make decisions that directly affect citizens. Also, it is now considered that information access is one of the best ways to avoid corruption, as people are watching how the public funds are being used. In this sense, trust is something that governments have to earn through transparency. This means transparent access to information at the same time that legitimately sensitive information is kept secret.
Q: Some economists see corruption as a "second order" problem for growth. What's your view?
A: Corruption is one of the most important problems for growth, firstly because it is a misappropriation that prevents the funds (private or public) from getting to their destination, which in a lot of cases would benefit directly or indirectly a social sector with needs or would help to boost the local or regional economy. So instead of benefiting a community, it goes to the hands of only a few people, which affects growth. Secondly, because it affects the reputation of the company/government that is rumored to be corrupt, which probably makes it difficult to invest in it, or the investors would ask for more money to carry out any project so that the risk may be worth taking. However, it may be even worse, as the investors could give bribes and the corruption circle will expand, affecting growth more and more as more money is needed to carry out any project that could benefit the local/regional/national economy.
Q: Do you think that the media is too obsessed with the "demand side" of corruption rather than the "supply side"?
A: Yes. For corruption you will always need the two sides. I think that it was a good thing at first to "be obsessed" with the "demand side" because normally the "supply side" has no option but to give in if they want to do business. However, we have now reached the point where both sides are in balance and little is done to attack the corruption on the "supply side" because all the efforts have been focused on the other side.
Q: Have governments become more sophisticated in risk management over the years?
A: It is a tricky question because governments have become more conscious about risk management and have introduced several practices in order to handle it, as happened with security protection. Nevertheless, risk management has become more and more difficult to handle, as risks have increased dramatically since computer technologies have become more sophisticated. Probably more important, information has become the main conduit for commerce, which means that information risks are much higher than years ago.