Organizational risk continues to climb as data breaches overwhelm today’s information security technologies and practices. Despite billions expended on information security every year, highly motivated cyber gangs, organized crime and nation states are winning the cyber-arms race. Once networks and systems are breached, sensitive data seems to be pilfered at will.
And organizations acknowledge their vulnerabilities; hundreds of publicly traded companies detail that sensitive information is at risk and no assurances can be made about the safety, privacy and integrity of their sensitive information. According to research by Informatica and Ponemon Institute, titled “The State of Data Security Intelligence,” organizations perceive more risk as they have less confidence about their understanding of their sensitive data. They have low confidence in having a current and accurate accounting of sensitive data location, risk, value and protection. And organizations struggle to track data use and movement to ensure they comply with the byzantine landscape of privacy laws and regulations.
This situation will continue into the foreseeable future. First, with the monetization of sensitive data in cyber black markets, attackers have huge monetary motivations. Second, data continues to grow and proliferate, driven by analytics, cloud, mobile and web-enabled business services; there is more to steal in more locations. Organizations should assume that eventually, attackers will be successful. The key is to reduce the impact and magnitude of an attack.
To improve breach resiliency, it is imperative that organizations understand their sensitive data risk: where the data is, how it is being used, where it is going, its value and how it is protected. Moreover, data protection needs to start with the data itself, and network/cyber security investments should be mapped to the information resources that create and/or consume sensitive data. This provides a “Data Centric Security” approach to improving overall information security.
Data Centric Security does not provide immunity to cyber-attacks, insider threats and data breaches. However, by focusing on data risk and protection, breach impact and overall risk can be reduced. The two primary components of data centric security provide this result: data security intelligence and data protection.
Data Security Intelligence allows organizations to view the enterprise sensitive data landscape, calculating sensitive data risk on an ongoing basis. The risk score is illuminated by views of sensitive data creation and consumption, department and geographic distribution, value and data protection applied. Decision makers can understand whether risk factors are improving or deteriorating under their security strategies and adjust on a continuous basis. Practitioners are provided actionable details on risks so that data protection and other remediation are prioritized for the highest-value and most at-risk assets.
Data protection includes data encryption, masking, tokenization and access controls. As none of these are silver bullets, a layered approach is needed to ensure that data being used by lines of business (LoB), administration, partners and contractors is tightly controlled. With these controls, sensitive data access can be blocked, limited or eliminated to prevent broad-scale data theft.
With data centric security providing sensitive data risk reduction, organizations reduce the associated business risks of today’s data breaches: revenue loss, brand damage, regulatory fines and business disruption. While some organizations have partial and/or manual approaches, data centric security needs attention and funding to provide the resources, automation and tools necessary to identify and protect the organization’s most valuable asset: its sensitive data.