In the technology world, it’s common to hear leaders talk about the three-legged stool to success: people, process and technology. But we often see CISOs and CIOs – tasked with protecting sensitive organizational data – focus most of their attention on the latter, not giving enough attention to the people and process pieces of the puzzle. Protecting data is hardly a new concept. But with the ever-evolving mix of forces in the market – including increasing sprawl of sensitive data, increasing data migration to the cloud and the impact of increasing regulatory pressure – we see tech leaders struggling to meet demands relying solely on technology.
In fact, there are more tools available now than ever before, and we see more tech leaders acknowledging they have a variety of solutions, processes and technologies in place, often deployed without a clear, unified mission. Now, it’s time to rationalize what’s available and create a true enterprise strategy for protecting data. Doing this drives a wealth of benefits and supports downstream efforts, including privacy, security, cost savings, regulatory compliance and more. But all this is driven by people and processes. We recommend tech leaders begin by leveraging key business leaders to define their mission statement, from which everything else will flow.
A Seat at the Table: Define and Document Key Data Protection Program Roles, Responsibilities and Reporting
Many CISOs and CIOs we work with, who all agree that data protection is critical, struggle to find an acceptable way to justify the necessary spend to their C-suite colleagues. The reality is it can be difficult to demonstrate how a data protection program drives revenue. We believe that data protection is not just about implementing a traditional data loss prevention (DLP) tool. We prefer to rethink DLP from a perimeter-focused data loss prevention to a more inward focus of data lifecycle protection, a concept that will be more readily accepted by other leaders in the organization and changes the conversation to cover the full lifecycle of sensitive data, as opposed to focus on protecting data as it moves outside the bounds the organization has loosely defined.
The first thing any organization needs to do is to define and document program roles, responsibilities and reporting. To accomplish this, technology leaders should work in partnership to create a true governance that is not just driven by the CISO, but includes finance, treasury, operational business units, operating companies – whatever reflects the organization’s structure. Create a Data Protection Committee made up of these critical leaders. Help them understand the data being protected is not solely owned by IT, but is driven by the business’ needs. Help these leaders understand the regulations and risk. In turn, they will help the technology team understand what needs to be done with the data to enable adding value to the business.
Without such a partnership in place, the CISO is essentially approaching major spending conversations alone — and it is going to be a challenging conversation. But imagine saying, “here are the findings of the Data Protection Committee, made up of all parts of the business, and we agree this is what’s necessary.” That’s a much more compelling argument. That’s why it’s critical to establish that overall governance is an important early step to enable long-term success.
Identifying stakeholders as part of an initial phase rollout also makes a much easier transition to implementing controls or policy changes that are going to impact the status quo. When business unit stakeholders have a seat at the table, they are much more receptive to change. Making them aware of the risks associated with data processing activities helps leadership come to agreement on the best data protection options. The conversation should be focused on what each C-suite leader can do to protect the company’s “crown jewels.” Organizations do not have unlimited security budgets. So, the question becomes, “how can we most efficiently use security dollars and security controls to protect the information that’s most valuable to the organization?”
Looking Inward: Right-size Data Protection Controls Based on Company Culture and Regulatory Requirements
As we touched on above, companies often approach data protection from a traditional Data Loss Protection (DLP) lens. What happens if our data gets into the hands of bad actors? We believe it is important, however, to move the question to begin the discussion on protection controls when data is created. As soon as a record is created or interfaced with, the data protection lifecycle begins, and detection / protection controls should be established.
Getting to know the data at the point of ingestion or creation is critically important. Organizations must know what the value of the data is in order to apply the appropriate protections. As the data traverses the network and is utilized by the business, either on-premise or through a provider platform, it is imperative to follow the data journey to ensure proper protection is provided throughout the cycle. From the origin endpoint, to the network layer, to a cloud a provider or an external entity, all paths need to be evaluated to ensure no control gaps exist.
It may be challenging to gain visibility throughout the entire data protection lifecycle, but it is important to recognize an organization’s ability to design data protection controls that protect the Crown Jewels and meet business requirements, as defined earlier by the Data Protection Committee. It isn’t necessary to boil the ocean on every piece of data, but it is imperative to know what’s important to the organization’s success and have the lifecycle processes in place to follow and protect critical data, wherever it goes.
Additionally, when building enterprise-wide data protection programs, it is important to have a clear understanding of all applicable regulations and where specific controls are being defined by external entities. Whether that’s PCI for payment data, GDPR for European citizens’ data privacy or a newer regulation like the California Consumer Protection Act (CCPA), or the recently-enacted Virginia Consumer Data Protection Act, understanding the regulatory landscape will define some of the necessary data protections.
Know the business. There is not necessarily a light switch that can be turned on to provide instant data security. Know how the organization uses data and where the expected flows and transactions will occur. Know when and where there will be a need to use data to make the business run and to ensure availability of critical processes. Without this knowledge, it is virtually impossible to define enterprise-wise controls. Remember that collaboration is key to understanding the appropriate level of data sensitivity, how to limit and monitor data sharing and ultimately, build a program that meets the business where it is, while also meeting regulatory requirements without exceeding the business’ risk tolerance. Finally, ensure that processes are in place to monitor and respond to the business as data protection controls are deployed. A learning period is needed to ensure that controls are right sized for how the business uses their sensitive data on a daily basis.