Increasingly, the ability to effectively secure corporate and customer information and assets is a conversation that has moved from technologists up to C-level executives and the board. At the same time, approaches to corporate security are quickly evolving beyond the traditional infrastructure-based approach.
When I talk to CIOs and CISOs about security, they share a common concern: they don’t know what they don’t know. The most recent study we conducted with Ponemon confirms that protecting data remains a mystery to many executives. The most revealing fact from the study is that among thousands of organizations around the world, an overwhelming majority don’t have any sense of their data risk. For customers who are experiencing increased pressure about their potential data vulnerabilities, I recommend first getting a sense of their data footprint.
Of the 10 petabytes or 50 petabytes of data you hold, start by identifying how much is sensitive. Know where that sensitive data is located, and where the sensitive data structure is. Then, start tracking that data and the flow of data, with the goal of understanding every move it makes. Find out who touches that data and who accesses it with each and every hop it takes. This data footprint establishes a starting point for developing an informed point of view on an organization’s security, privacy, governance, or risk.
Since the new data security landscape is unknown territory for many executives, here are three important things to keep in mind as you develop your approach to security.
1. Come to Grips with the Data Layer
Probably the single most important thing to understand in order to protect your business is this: security has moved away from the infrastructure layer and out to the data layer. Traditional, infrastructure-based security took a perspective from the perimeter, or what comes from outside, towards the company’s network, server, databases, or even applications. Organizations have operated from this vantage point for a long time, and in practice, some have done a good job protecting themselves.
But we have evolved to viewing the data itself – the valuable assets at the source and how they travel on the infrastructure – as the primary point of protection. It’s taking time for this shift to fully sink in. However, more and more individuals, decision-makers, and corporate entities are coming to the realization that security has moved to the data layer. More importantly, they are acting on that realization.
2. Tools Have Limits
Acknowledging the need to shift security to the data layer has important implications for identifying effective approaches for protecting an organization’s assets in their many forms. Companies have often bet on a one-trick pony: a tool-based approach in which encryption or masking or tokenization is the star of the show. However, this can be incredibly challenging and of limited effectiveness when a company tries to encrypt every piece of data it generates and exchanges. By definition, it’s an approach that reduces users’ access to data by requiring them to encrypt, then decrypt, or mask, then unmask. Essentially, you are taxing the user and dramatically inhibiting productivity (of the individual and the organization).
3. It’s a Big Picture Issue
Unfortunately, security is a broader and more far-reaching issue than many people would like to think. Wherever it lies across time zones and business units, your organization is only as secure as its weakest link. And your weakest link is the riskiest aspect of your business.
Take one of the big banks as an example. They have offices and operations of different sizes in New York, London, Singapore, and Hong Kong. There are probably thousands or even tens of thousands more locations, but those are the major hubs.
For an effective approach to security these days, the bank has to ask itself: Who accesses its data in London? How is the data getting there? Where does it move from London? And, beyond the question of security, what is the privacy risk? Having this high-level data footprint view is more important than having the best infrastructure and assuming you are safe.
In an age when minimizing data risk has become a board-level discussion, one that is inherently connected to an organization’s ability to protect its brand, its revenue streams, and therefore the business itself, these are critical considerations.