Managing Our Ever-Growing Data Requires Empowering Users

Author: Mathew Holdt, CISA, CIA
Date Published: 29 April 2020

As the cost of storing data has decreased, data retention and complexity have grown. Organizations have identified the need to capture data and retain it in response to legislation, regulation and opportunity. Has the value of our data increased in proportion to the growth in data volume?

Growth and Types of Data
There are a growing number of data types. As environments grow more complex, so do the kinds of data they hold and the ways that data can and should be identified and used. The new ISACA white paper, sponsored by Microsoft, Achieving Data Security and Compliance, takes a close look at how we should be managing our ever-growing data and the lens we should be using. It looks at how organizations are responding to privacy and risk demands from states and governments, and at how compliance is not necessarily the path to security. Regulation is ever-growing, and as demands for privacy rise, regulation starts competing with security for the same resources and attention.

Businesses are pushed to monetize their data and realize a return on their investment. The growth we have seen in our data has not been matched by growth in the efficiencies we have realized from it. As the push for monetization occurs, organizations with a risk-focused perspective must consider where the responsibility for, and ownership of, the data lies. If data is monetized and shared along a lengthening chain of owners and processors, will privacy become an issue?

Once again, we come to the point that compliance does not necessarily equal security, so we must search out another method to strengthen the security and privacy of our data. The new white paper seeks out a new way to pursue accountability by weaving identity and access management (IAM) into the fabric of the security function.

Quickly Changing Environment
Software development has been streamlined so that organizations can meet quickly changing needs and demands. This has assisted business in meeting operational requirements, but it has also eroded security measures and increased the risk exposure of businesses. These risks are largely undocumented and are therefore absorbed into the enterprise's risk appetite without ever being explicitly accepted.

Data growth has been matched by growth in data breaches over the past five years and, as an organization's attack surface grows, so does the opportunity for a breach.

Frameworks and Regulation
While frameworks strive to meet dynamic requirements, they will always lag behind current activity. Like regulation, they are based on historical information. Bad actors do not care about backward-looking regulation, because the opportunities it addresses have been eliminated or shrunk significantly by the time the regulation takes effect. Attackers will seek new weaknesses, and in an ever-changing environment there is no place for a static solution.

Regulation today is being created by people who do not understand the technology they are seeking to regulate. Briefings and extended explanations will only work for so long as our technology environments and their complexity grow. Regulation in place today requires "reasonable security." What does that mean, and how will it be defined when you are notified of a massive breach of your organization? Will your stance on what you thought was "reasonable" stand up as a defense?

A New Path Forward
Data privacy alone does not provide meaningful risk mitigation. Can organizations bring data security and data privacy together? According to the data, social engineering and the human element are major gaps in today's environment and need to be addressed. Are current training requirements actually reducing human risk?

Is the next stage of data security and privacy finding a way to give ownership to individuals and to make accountability an enterprise-wide exercise rather than the job of a few? The promise that cloud services would eliminate on-premises hardware has fallen short, and we are seeing more organizations adopt a hybrid strategy to meet the demands and requirements of their business divisions.

Opportunity Meets a Solution
Finding a solution that couples data security and privacy in a single program will be key to the organization of the future.

Prior and current thinking has been to protect data by pushing people to the outskirts of the environment and gating their access. If we instead act with a zero-trust posture, we have to identify who has access to all of our data, internally and externally. An identity-centric approach to security and compliance acknowledges the human element, which is both essential to our environment and its greatest weakness today.
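The access review that a zero-trust posture demands can be made concrete. The following is an added example, not code from the blog post or the white paper it discusses: it walks a constructed entitlement export (hypothetical identities, datasets and owners) and emits the findings an accountable owner must attest to, flagging external identities, service accounts on Restricted data, datasets that have no owner, and principals whose Restricted access has accumulated. The corporate domain, the data inventory and the accumulation threshold are all assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample entitlement export (hypothetical identities and datasets,
# not taken from any real system).
ENTITLEMENTS = [
    {"dataset": "payroll", "principal": "alice@example.com", "perm": "write"},
    {"dataset": "payroll", "principal": "svc-backup", "perm": "read"},
    {"dataset": "payroll", "principal": "ext-auditor@partner.example", "perm": "read"},
    {"dataset": "payroll", "principal": "contractor@gmail.example", "perm": "write"},
    {"dataset": "press_kit", "principal": "contractor@gmail.example", "perm": "write"},
    {"dataset": "customer_pii", "principal": "bob@example.com", "perm": "read"},
    {"dataset": "customer_pii", "principal": "alice@example.com", "perm": "read"},
    {"dataset": "customer_pii", "principal": "svc-backup", "perm": "read"},
]

# Hypothetical data inventory: classification and accountable owner per dataset.
DATASETS = {
    "payroll": {"classification": "Restricted", "owner": "cfo@example.com"},
    "customer_pii": {"classification": "Restricted", "owner": None},
    "press_kit": {"classification": "Internal", "owner": "cmo@example.com"},
}

INTERNAL_DOMAIN = "example.com"   # assumption: one corporate identity domain
BROAD_ACCESS_THRESHOLD = 2        # assumption: this many Restricted datasets is worth a look

Finding = Tuple[str, str, Optional[str]]  # (code, dataset or "*", principal)


def principal_kind(principal: str) -> str:
    """Classify an identity: service account (no '@'), internal user, or external."""
    if "@" not in principal:
        return "service"
    return "internal" if principal.endswith("@" + INTERNAL_DOMAIN) else "external"


def review(entitlements, datasets) -> List[Finding]:
    """Walk every entitlement and emit review findings.

    Nothing here grants or revokes access; it produces the list an owner must
    attest to, which is the point of an identity-centric review.
    """
    findings: List[Finding] = []
    restricted_per_principal = defaultdict(set)

    # A dataset nobody owns cannot be attested at all, so flag it up front.
    for name, meta in datasets.items():
        if meta["owner"] is None:
            findings.append(("NO_OWNER", name, None))

    for e in entitlements:
        meta = datasets.get(e["dataset"])
        if meta is None:
            findings.append(("UNKNOWN_DATASET", e["dataset"], e["principal"]))
            continue
        kind = principal_kind(e["principal"])
        restricted = meta["classification"] == "Restricted"
        if kind == "external" and e["perm"] == "write":
            findings.append(("EXTERNAL_WRITE", e["dataset"], e["principal"]))
        if kind == "external" and restricted:
            findings.append(("EXTERNAL_ON_RESTRICTED", e["dataset"], e["principal"]))
        if kind == "service" and restricted:
            findings.append(("SERVICE_ON_RESTRICTED", e["dataset"], e["principal"]))
        if restricted:
            restricted_per_principal[e["principal"]].add(e["dataset"])

    # Access that has accumulated across several Restricted datasets is a
    # review item for the identity itself, not for any single data owner.
    for principal, names in restricted_per_principal.items():
        if len(names) >= BROAD_ACCESS_THRESHOLD:
            findings.append(("BROAD_RESTRICTED_ACCESS", "*", principal))
    return findings


def attestation_queue(findings, datasets) -> Dict[str, List[Finding]]:
    """Route each finding to the person accountable for it."""
    queue = defaultdict(list)
    for f in findings:
        code, dataset, _ = f
        if dataset == "*":
            queue["identity-review"].append(f)
        else:
            owner = datasets.get(dataset, {}).get("owner")
            queue[owner or "UNASSIGNED"].append(f)
    return dict(queue)


if __name__ == "__main__":
    fs = review(ENTITLEMENTS, DATASETS)
    for owner, items in sorted(attestation_queue(fs, DATASETS).items()):
        print(owner)
        for code, dataset, principal in items:
            print(f"  {code:<24} {dataset:<14} {principal}")
```

The queue is the deliverable: every finding lands with a named owner, anything on an unowned dataset collects under UNASSIGNED until someone claims it, and cross-dataset accumulation goes to an identity review rather than to a data owner who only sees their own slice.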

Neither frameworks nor regulations place people at the center of security and compliance, yet people remain one of the top causes of breaches. We must understand the human element.

Maturity in this area has been seen in organizations that have created security-focused directory templates and invested in extensive internal coordination. Monitoring this access from a command center, against a newly structured directory, will require drastic changes and considerable leadership.

We must increase our focus on the identity and access component of the environment and on how we tie ownership of data and privacy directly to individuals throughout the organization. This only happens when a thorough data discovery project is undertaken. Data must be identified, classified and tagged to an owner. Creating bins or categories for data, training staff and automating the classification of data will better shape data retention needs, decrease costs, tie ownership to data and build the company of the future. Make users a security component, not outsiders to the security and privacy strategy.
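The discovery, classification, owner-tagging and retention steps above can be automated in one pass. The following is an added example, not code from the blog post or the white paper: it scans a small constructed corpus (hypothetical paths and contents; the only card number is the well-known 4111... test value), detects a few sensitive data types, assigns a classification from the most sensitive finding, tags an owner from an assumed path-prefix ownership map, and derives a retention period from an assumed schedule. Nothing is ever auto-classified as Public; files with no findings default to Internal, and any downgrade is left to the tagged owner. Card-number candidates are run through a Luhn check so that ordinary long digit strings (ticket numbers, IDs) do not produce false positives.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample corpus (path -> contents). Hypothetical data, not from any
# real system; the card number is the well-known 4111... test value.
SAMPLE_FILES = {
    "finance/payroll_2020.csv": "name,email,ssn\nAlice,alice@example.com,123-45-6789\n",
    "finance/cards.txt": "card 4111111111111111 charged on 2020-04-01\n",
    "marketing/press_release.md": "# Q2 launch\nWe are excited to announce...\n",
    "hr/contacts.txt": "bob@example.com\ncarol@example.org\n",
    "eng/notes.txt": "todo: refactor the parser, ticket 1234567890123\n",
}

# Hypothetical ownership map: path prefix -> accountable owner (assumption).
OWNERS = {
    "finance/": "cfo@example.com",
    "hr/": "hr-director@example.com",
    "marketing/": "cmo@example.com",
}

# Detector label -> (pattern, sensitivity rank). The highest rank found wins.
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 2),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3),
    "card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), 3),  # candidates only; Luhn filters them
}
RANK_TO_CLASS = {1: "Internal", 2: "Confidential", 3: "Restricted"}
RETENTION_DAYS = {"Internal": 1825, "Confidential": 1095, "Restricted": 365}  # assumed schedule


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Record:
    path: str
    owner: Optional[str]
    classification: str
    findings: Dict[str, int] = field(default_factory=dict)
    retention_days: int = 0


def detect(content: str) -> Dict[str, int]:
    """Count sensitive-data hits per detector, validating card candidates with Luhn."""
    found = {}
    for label, (rx, _) in DETECTORS.items():
        matches = rx.findall(content)
        if label == "card":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            found[label] = len(matches)
    return found


def classify(path: str, content: str, owners=OWNERS) -> Record:
    """Classify one file, tag its owner by path prefix and derive retention."""
    findings = detect(content)
    rank = max((DETECTORS[label][1] for label in findings), default=1)  # default Internal
    cls = RANK_TO_CLASS[rank]
    owner = next((o for prefix, o in owners.items() if path.startswith(prefix)), None)
    return Record(path, owner, cls, findings, RETENTION_DAYS[cls])


def build_manifest(files=SAMPLE_FILES, owners=OWNERS) -> List[Record]:
    return [classify(p, c, owners) for p, c in sorted(files.items())]


def unowned(manifest: List[Record]) -> List[str]:
    """Files that cannot be attested because nobody is tagged as their owner."""
    return [r.path for r in manifest if r.owner is None]


if __name__ == "__main__":
    manifest = build_manifest()
    for r in manifest:
        print(f"{r.path:<28} {r.classification:<12} {r.retention_days:>5}d  "
              f"{r.owner or '(no owner)':<24} {r.findings}")
    print("unowned:", unowned(manifest))
```

The manifest is what the retention and ownership decisions hang off: each record carries a classification, a retention period and a named owner, and the unowned list is the backlog the discovery project has to clear before accountability can be enterprise-wide.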

Policies and procedures are based on regulations and too often operate in a vacuum. Our fight-or-flight instinct can itself be used as a security component: "See something, say something." Make users a key part of the defense strategy, leverage your data in a more powerful way and reduce your potential for a breach.