Technology Insights HOME | Perspectives from Our Experts on Technology Trends and Risks

Tech Leaders Rephrase the Conversation to Proactively Detect Sensitive Data and Apply Controls

Derek Dunkel-JahanTigh

Associate Director - Security and Privacy

Chip Wolford

Managing Director - Security and Privacy

Jonathan Trillos

Director - Security and Privacy


In the technology world, it’s common to hear leaders talk about the three-legged stool to success: people, process and technology. But we often see CISOs and CIOs tasked with protecting sensitive organizational data focus most of their attention on the latter, not giving enough attention to the people and process pieces of the puzzle. Protecting data is hardly a new concept. But with the ever-evolving mix of forces in the market, including the increasing sprawl of sensitive data, increasing data migration to the cloud and the impact of increasing regulatory pressure, we see tech leaders struggling to meet demands while relying solely on technology.

In fact, there are more tools available now than ever before, and we see more tech leaders acknowledging they have a variety of solutions, processes and technologies in place, often deployed without a clear, unified mission. Now, it’s time to rationalize what’s available and create a true enterprise strategy for protecting data. Doing this drives a wealth of benefits and supports downstream efforts, including privacy, security, cost savings, regulatory compliance and more. But all of this is driven by people and processes. We recommend tech leaders begin by leveraging key business leaders to define their mission statement, from which everything else will flow.

A Seat at the Table: Define and Document Key Data Protection Program Roles, Responsibilities and Reporting 

Many CISOs and CIOs we work with, who all agree that data protection is critical, struggle to find an acceptable way to justify the necessary spend to their C-suite colleagues. The reality is it can be difficult to demonstrate how a data protection program drives revenue. We believe that data protection is not just about implementing a traditional data loss prevention (DLP) tool. We prefer to rethink DLP from a perimeter-focused data loss prevention to a more inward-focused data lifecycle protection. This concept will be more readily accepted by other leaders in the organization, and it changes the conversation to cover the full lifecycle of sensitive data, as opposed to focusing on protecting data only as it moves outside the bounds the organization has loosely defined.

The first thing any organization needs to do is to define and document program roles, responsibilities and reporting. To accomplish this, technology leaders should work in partnership to create a true governance structure that is not just driven by the CISO, but includes finance, treasury, operational business units, operating companies – whatever reflects the organization’s structure. Create a Data Protection Committee made up of these critical leaders. Help them understand that the data being protected is not solely owned by IT, but is driven by the business’ needs. Help these leaders understand the regulations and risk. In turn, they will help the technology team understand what needs to be done with the data to add value to the business.

Without such a partnership in place, the CISO is essentially approaching major spending conversations alone, and it is going to be a challenging conversation. But imagine saying, “here are the findings of the Data Protection Committee, made up of all parts of the business, and we agree this is what’s necessary.” That’s a much more compelling argument. That’s why establishing overall governance is a critical early step to enable long-term success.

Identifying stakeholders as part of an initial phase rollout also makes for a much easier transition to implementing controls or policy changes that are going to impact the status quo. When business unit stakeholders have a seat at the table, they are much more receptive to change. Making them aware of the risks associated with data processing activities helps leadership come to agreement on the best data protection options. The conversation should be focused on what each C-suite leader can do to protect the company’s “crown jewels.” Organizations do not have unlimited security budgets. So, the question becomes, “how can we most efficiently use security dollars and security controls to protect the information that’s most valuable to the organization?”

Looking Inward: Right-size Data Protection Controls Based on Company Culture and Regulatory Requirements 

As we touched on above, companies often approach data protection from a traditional Data Loss Prevention (DLP) lens: what happens if our data gets into the hands of bad actors? We believe it is important, however, to move the question earlier and begin the discussion on protection controls when data is created. As soon as a record is created or interfaced with, the data protection lifecycle begins, and detection and protection controls should be established.

Getting to know the data at the point of ingestion or creation is critically important. Organizations must know what the value of the data is in order to apply the appropriate protections. As the data traverses the network and is utilized by the business, either on-premises or through a provider platform, it is imperative to follow the data journey to ensure proper protection is provided throughout the cycle. From the origin endpoint, to the network layer, to a cloud provider or an external entity, all paths need to be evaluated to ensure no control gaps exist.

It may be challenging to gain visibility throughout the entire data protection lifecycle, but it is important to develop the organization’s ability to design data protection controls that protect the crown jewels and meet business requirements, as defined earlier by the Data Protection Committee. It isn’t necessary to boil the ocean on every piece of data, but it is imperative to know what’s important to the organization’s success and to have the lifecycle processes in place to follow and protect critical data, wherever it goes.

Additionally, when building enterprise-wide data protection programs, it is important to have a clear understanding of all applicable regulations and where specific controls are being defined by external entities. Whether that’s PCI for payment data, GDPR for European citizens’ data privacy, a newer regulation like the California Consumer Protection Act (CCPA), or the recently-enacted Virginia Consumer Data Protection Act, understanding the regulatory landscape will define some of the necessary data protections.

Know the business. There is not necessarily a light switch that can be turned on to provide instant data security. Know how the organization uses data and where the expected flows and transactions will occur. Know when and where there will be a need to use data to make the business run and to ensure availability of critical processes. Without this knowledge, it is virtually impossible to define enterprise-wide controls. Remember that collaboration is key to understanding the appropriate level of data sensitivity, how to limit and monitor data sharing and, ultimately, how to build a program that meets the business where it is, while also meeting regulatory requirements without exceeding the business’ risk tolerance. Finally, ensure that processes are in place to monitor and respond to the business as data protection controls are deployed. A learning period is needed to ensure that controls are right-sized for how the business uses its sensitive data on a daily basis.
