Ten Questions With… Gant Redmon, Co3 Systems (Part Two)
added: 10.29.2013, by Mike Spinney
Co3 Systems, based in Cambridge, Massachusetts, helps organizations define, manage, and optimize their cyber security and data breach incident response programs. Security incidents like data breaches, hackings, industrial espionage, and even physical compromises are highly disruptive for companies. They cost a lot in terms of time, money and reputation. The number and variety of international, federal and state laws and regulations that apply to data protection (not to mention industry standards) mean that compliance is a complex undertaking. Preparing for and responding to security incidents is no small task, and missteps can compound the already daunting challenges involved. Co3 helps make it faster and easier.
Gant Redmon serves as vice president and general counsel for Co3. I’ve known Gant for a few years and respect his background, approach, and opinion on the topics of data privacy and information security. I recently asked Gant a few questions and he graciously agreed to let me share the answers with you in what is the first of my new “Ten Questions With…” series of blog posts. Here is part one of that conversation.
HoGo: Why do companies call Co3 and how far do they typically move from their initial motivation to the final nature of their engagement? For example, do they call to establish a security response plan to comply with Mass 201 CMR 17, but end up realizing they face much greater threats and have much deeper needs?
Gant Redmon: Folks call Co3 because they’ve been using the wrong tools for the job, and they know it. They've had to keep up with breach notice laws themselves and manage distributed denial-of-service [DDOS] attacks and malware outbreaks with trouble ticketing systems made to track failed hard drives. Counting on this archaic approach to combat the current threat environment is not a recipe for success; they need a better way to prepare for, assess, and respond to incidents.
HoGo: Apart from the resources available, what are the biggest differences between the way smaller and larger companies approach their information security/data privacy programs?
Redmon: Small companies have it tough in part because their regulatory burden isn’t necessarily that much smaller, yet they don’t have the same level of sophistication or resources. So they can’t just avoid it, but they can’t afford a monster solution, either. Large companies have more resource to work with, but need to compartmentalize incident response. For example, you wouldn’t want to run your incident response solution on the same infrastructure that is suspect because it’s the subject of the breach. And while a large firm might want help desk staff to complete various tasks in an incident response plan, you almost certainly don’t want general help desk staff to have accounts in your IR platform.
HoGo: Do you find that smaller companies tend to be more innovative in their approach to data protection, or is there a sense of resignation that they simply can't compete and try to fly under the radar (of both the regulators and the hackers)?
Redmon: Small companies don’t have the same legacy tools and thinking that large ones sometimes do, and this can be an advantage. We have certainly seen small companies that had next to nothing leapfrog the incident response capabilities of much larger organizations.
HoGo: If you've encountered any innovative approach to data protection, can you provide an example that might help readers in their own programs?
Redmon: Privacy and security professionals must make their companies conscious of threats, and knowledgeable as to solutions in a way that isn't preachy. The greatest innovation remains the ability to deliver a memorable message in a novel manner that is fun for the recipient. This is another place new tools exist to make simulated incidents come alive.
HoGo: You are on a rooftop with a megaphone and you can shout one piece of data protection advice to the world. What do you say?
Redmon: Know what personal information is and then find it, segregate it, restrict access to it, and encrypt it.
HoGo: What have we not discussed that you think needs to be said in this forum?
Redmon: Success is a combination of the right folks with the right tools delivering the right message in a way that will be well received.
DISCLAIMER: This post does not constitute an endorsement of HoGo by Co3 Systems or Gant Redmon. Nor does it constitute an endorsement of Co3 Systems or Gant Redmon by HoGo. It is merely a conversation between two entities concerned with advancing awareness over issues of data privacy, information security, and the protection of intellectual property.