A lot of information security today is focused on compliance and is very tactical. You would expect a more proactive approach, given how many people are now involved in data control, data governance, security and privacy in most organizations.
Unfortunately most organizations approach data security in a very reactive way and often do not have a clear understanding of the value of their data.
Things are beginning to shift as more CEOs and boards are held responsible for the consequences of a data breach. Executives are now looking at cyberthreats as a major risk to their businesses.
Compliance is still a major driver in many industries, but compliance does not equal security. Organizations that drive data security efforts based on compliance put the business at risk by neglecting to take a more holistic and proactive approach to their data security strategy. I can lock the front door of my business and meet the letter of the law, but if the back door is wide open, I am still at risk.
Another major problem is not understanding what data is sensitive. How do you define sensitive data and how do you decide who should access it? Does the entire organization share a common understanding of what constitutes sensitive data? For one organization it may be the intellectual property associated with a new product. For another it may be the financial information of its clients. Some organizations may not keep financial information and others may not keep intellectual property. You must know and understand your data to be able to protect it.
Once you know what to protect, you can decide how to protect it. Some companies believe that implementing technology is the only thing required to proactively manage the security of their data. Technology is only one part of the equation. You also need to manage people and processes. Data security requires coordination between your employees, customers and partners to successfully address these concerns. You need to understand your data first, and that takes cooperation among people.
As you look at the information security technologies in your organization you may notice that many of them are focused on protecting the network and your devices. While it is important to protect these infrastructure components from destruction or disruption, protecting the data itself is the ultimate goal. Transitioning from a perimeter-centric approach to a data-centric security model is clearly a significant shift in thinking, but a necessary step in maturing as an organization.
Once you determine what is sensitive data and how to protect it, you need to measure the success or failure of your data security initiatives. If you experience a data breach, clearly you have a failure. But what was the cause? Was it a technology issue, a problem with your processes or were people unaware of what they were doing?
The good or bad news is that, as a direct result of a data breach, many organizations actually implement new security controls and policies. This is not a good approach to business, but it is unfortunately the reality in many cases. Installing a sprinkler system after you have had a fire is not a good approach to managing risk.
As is seen in too many cases, a data breach causes a lot of disruption in an organization. When Sony Pictures experienced its recent data breach, the company almost came to a standstill for weeks. Email and other systems were turned off or their services reduced, and many employees had a very hard time doing their jobs. Most companies have business continuity plans for network outages and physical disasters, but they do not address cyberthreats in the same way.
Take a hard look at your data security and be proactive about protecting your most valuable assets and your business. Understanding what you have and how to protect it is the first step.
Photo credit: vancouverfilmschool