Cybersecurity and the massive, never-ending stories of data breaches have captured headlines around the world—beginning with Edward Snowden and continuing through government agencies, credit card companies, banks, telecommunications, and cloud providers. This media attention has led to increasing consumer awareness that their personal data has become the target of cybercriminals, social hacktivists, and both innocent and adversarial insiders.
Consumer awareness and data breach fines under new legislation, like the EU General Data Protection Regulation, now at a potential figure of up to 4 percent of global annual revenue, have thrust the role of Chief Information Security Officer (CISO) and Data Protection Officer (DPO) into the spotlight of board-level scrutiny. Significant breaches may be career-ending for company executives, and as this level of attention rises, so does potential reputational as well as financial damage to these organizations.
Prioritizing Data Protection and Information Security
So how does a CISO prioritize a data protection and information security program in the context of a global organization, rapidly evaporating perimeters, employees accessing data from everywhere, and business owners who hold the misguided belief that more data is always better and that security blocks productivity in a data-driven economy?
In my experience, the most common mistake businesses make when it comes to cybersecurity is focusing their data protection strategies only on keeping the outsider out, when, in fact, many breaches come from an attacker who is already inside. Whether intentional or unintentional, insiders may pose the greatest threat to your data protection program—but fortunately, this is the threat you can do the most to alleviate.
Security is about mitigating risk at some cost—and it can be expensive! Because budgets are limited, in the absence of metrics we tend to focus on risks that are familiar or recent. Unfortunately, that means we are often reactive rather than proactive, so it becomes very important to understand how data, people, and location weave together to create patterns within your organization. Only by understanding the data you hold can you effectively protect it! Monitoring websites and web applications for potential hacks and exploits is now as commonplace as virus scanning, but this may lead some organizations to rely improperly on existing scanning technologies—forgetting that the costliest breaches come from simple failures, not from attacker ingenuity.
1. First, you should start with continuous and ongoing education of your employees. This education cannot be a once-a-year training course—it must be pervasive throughout the culture of your company. In the absence of security education or experience, employees, users, and customers naturally make poor security decisions with technology. This means that systems need to be easy to use securely and difficult to use insecurely.
This is a critical point and probably one of the single largest opportunities for security programs to be revamped—make it easier for your end users to do the right thing than the wrong thing.
2. Second, know your data and know your employees. Every organization has sensitive data, including customer information, employee records, intellectual property, and medical records. In order to protect it appropriately, you must understand the lifecycle of data in your business. Determining what the data is, how it is created or collected, how it is maintained, stored, and shared while in use, and how it should be disposed of are the key steps toward implementing better practices that will protect these valuable assets.
3. Third, implement practical and operational policies that delineate between work-related data and personal data. Social engineering and insider threats are on the rise because attackers usually don’t get in by cracking some impenetrable control—they look for weak points like trusting employees. Organizations must start by making it easier for business users to do the right thing than the wrong thing, and must make it attractive for them to use approved company systems to do their jobs. At the same time, organizations must trust their users but also verify that they are doing so.
4. Finally, marketing is not just for your marketing teams! Security officers and their staff need to evangelize and educate all business employees on the importance of security and data protection policies. One classic problem that has led to many breaches is the assumption that someone else is responsible for protecting data at different stages of its existence. Security and data protection are not just the job of your CISO and Chief Privacy Officer (CPO)—they are everyone’s responsibility every day. If security practitioners get a good sense of what the business is doing today and know how users are interacting with data as part of their jobs, they can better determine security policies. Thinking about what kind of responsibility your users can take on, and how technology can help them, will drive better security practices.
Work hard to get your IT colleagues and business users to think of privacy and security controls the way data protection teams do. Rather than stopping the business from doing its job, the proper controls will allow you to realize the full potential of the data you have, so that you can achieve all of the business objectives you’ve set out.