
Friday, 28 Nov , 2014

Where The Heck Is Your Customers’ Data?


Do you know where data is, what data is with whom and what they are doing with it?

This is a post originally published on LinkedIn and prompted by a Business Value Exchange discussion “What’s the correct approach to personal data?”
As an InfoSec professional my response naturally focuses on security and data protection. More specifically, the fact that you can’t do well at either if you don’t know where your data is.
The potential business value to be gained cannot and should not be denied. The yottabytes of data freely shared via social media and with companies present an incredible opportunity to understand and engage with customers. The security function should support the business to reap those benefits, but reap them compliantly and securely. One of the biggest challenges is a longstanding one and it is notoriously hard to tackle. To quote my recent article on cloud security governance:
“If you don’t know where data is, have no useful unique identifiers for records and can’t filter all your data based on age and confidentiality, neither you nor your suppliers can comply with current data protection laws.”
Lack of a definitive handle on this has probably come up in more than one discussion with audit, security, or (if unlucky), the Information Commissioner’s Office.
Q: Which customers do you need to notify of this server breach?
Q: How much customer data do all your suppliers have?
Q: How do you identify customer records in backups that should be deleted under Data Protection retention rules?
Ummmm….
You are not alone. All businesses, to some degree, are scared about this.
Network perimeters, supply bases and end user tools have all become dramatically extended and are increasingly exposed, while at the same time data protection law and regulation gets ever more rigid.
Securely keeping pace with your commercial data use ambitions
All businesses should catalog the types and quantities of data involved during change and supplier governance. I proposed one way of doing that here: who’ll be given what, by what means and for what purpose. It allows tracking of data to keep pace with business development and sheds light on where most security is needed. At the same time, demand the means to retain that control from your suppliers.
You also need to get your definitions of risk owner, data owner, data controller and data processor straight (the ICO helps here). Some of these definitions need careful analysis in a social media and cloud supply context.
Make sure everyone understands where responsibility and accountability stops and starts and formally put role holders in the frame. It encourages sponsorship for work to improve things and someone has to own the risk of a breach while problems persist.
But what about the lakes of data previously accumulated?

Everyone is familiar with the concept of an Asset Inventory (knowing what kit you have where is a no-brainer), many understand the term Information Asset Inventory, but almost no-one has one in place.
Here’s where you could share an investment bandwagon with something that has the board’s attention: Big Data taming solutions. Look carefully at functionality and soup up that RFI with an ask to identify, categorise and catalogue personal data. Here, Datamation takes a look at 20 of the leading vendors and their offerings.
The partner to this is the security-led approach: tools to detect and alert when there’s unauthorised movement or amendment of confidential data, otherwise known as Data Loss Prevention. Not a new term by any stretch. Tech Target looks at lessons learned from real world DLP implementations here (scroll down to read without registering).
Three things both of these technical approaches have in common;

  • They don’t work if you haven’t defined “confidential”.
  • They are no substitute for good encryption, access management and data governance practice.
  • They come with a big enterprise price tag.
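As an added illustration of what “defining confidential” means in practice (example code written for this edit, not from the original post or from any vendor’s product), the Python below scans a few constructed sample files against a small policy table that defines three categories of personal data and returns an inventory of which file holds how many of each. The file contents, category names and patterns are assumptions for the example; the National Insurance check is a format check only, and with an empty policy the scanner finds nothing, which is exactly the first point in the list above.

```python
import re
from typing import Callable, Dict, Optional, Pattern, Tuple

# Constructed sample "files" for the example (not real customer data).
SAMPLE_FILES = {
    "crm_export.csv": (
        "id,name,email,ni_number\n"
        "1,Alice Example,alice@example.com,AB123456C\n"
        "2,Bob Example,bob@example.org,QQ123456C\n"
    ),
    "payments.log": (
        "2014-11-28 10:01 card=4111111111111111 status=ok\n"
        "2014-11-28 10:02 card=4111111111111112 status=declined\n"
    ),
    "readme.txt": "Nothing personal here, just build notes.\n",
}


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ni_number_ok(value: str) -> bool:
    """Format check for a UK National Insurance number prefix.

    Assumption: the commonly documented prefix rules (certain letters are never
    used in the first or second position, and a few prefixes are unallocated).
    This says nothing about whether the number was ever issued.
    """
    first, second = value[0], value[1]
    if first in "DFIQUV" or second in "DFIOQUV":
        return False
    if value[:2] in {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}:
        return False
    return True


# The policy IS the definition of "confidential": category -> (pattern, validator).
# A validator turns a pattern hit into a confirmed hit (cuts false positives).
Policy = Dict[str, Tuple[Pattern[str], Optional[Callable[[str], bool]]]]

DEFAULT_POLICY: Policy = {
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
    "uk_ni_number": (re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"), ni_number_ok),
    "payment_card": (re.compile(r"\b\d{13,19}\b"), luhn_ok),
}


def classify_text(text: str, policy: Policy) -> Dict[str, int]:
    """Count confirmed hits per category in one piece of text."""
    counts: Dict[str, int] = {}
    for category, (pattern, validator) in policy.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if validator is not None:
            hits = [h for h in hits if validator(h)]
        if hits:
            counts[category] = len(hits)
    return counts


def build_inventory(files: Dict[str, str], policy: Policy = DEFAULT_POLICY) -> Dict[str, Dict[str, int]]:
    """Return {filename: {category: count}} for every file holding confidential data.

    Files with no confirmed hits are left out, so the result is the start of an
    information asset inventory rather than a list of everything scanned.
    """
    inventory: Dict[str, Dict[str, int]] = {}
    for name, text in files.items():
        counts = classify_text(text, policy)
        if counts:
            inventory[name] = counts
    return inventory


if __name__ == "__main__":
    for name, categories in build_inventory(SAMPLE_FILES).items():
        print(name, categories)
```

Run against the sample files, the CSV shows two e-mail addresses and one National Insurance number (the second, starting “QQ”, fails the prefix check), the payments log shows one card number (the second fails the Luhn check), and the readme does not appear at all. Swap the policy for an empty dictionary and the inventory is empty: the tooling is only as good as the definition you give it.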

So how do you secure spend for this?
You could say, from the board’s point of view, that this is not a profit-making investment and you would be right…and wrong. It is a profit-protecting investment and increasingly offers a competitive advantage: encouraging customer trust by enabling secure and compliant use of their data. As this Fortune article calls out:
“Breach-weary consumers don’t know who to trust with their personal information”
“…businesses need to treat privacy as far more than a compliance issue. Approximately one-third of the executives in charge of defining security strategy view this as a potential competitive differentiator—a number that will grow next year, according to a new report by Forrester Research.”
Not just that. I have recently been party to an actuarial analysis of health industry data breaches and newsworthy retailer incidents. There is evidence of a strong correlation between the quantity and type of data, the number of employees in a firm and the costed impact of any breach (more on this soon). Knowing your data therefore opens the door to finally having a quantifiable way to assess security risks. That means you can efficiently target assessment efforts and build a credible business case for spend on security controls.
Whichever way you start to solve this problem (and you must), your first steps should include understanding your environment and closing glaring access and data management loopholes, both in-house and in dealing with 3rd parties. If you don’t, regardless of the brightness and shininess of tools, you will forever be playing catch up.
