By investing in point products enterprises are focused on threats rather than their data, says a new study.
By investing in point products enterprises are focused on threats rather than their data, says a new study.

A new study released on Tuesday revealed that enterprises are focusing on threats rather than the protection of their data.

The study from Varonis Systems, “The Data Security Money Pit: Expense In Depth Hinders Maturity,” conducted by Forrester Research, illustrates that by investing in point products enterprises are focused on threats rather than their data.

What is the value of data security?, the study posits. Most enterprises assess in terms of risk, cost and regulatory compliance. “However, at a time when the biggest source of competitive differentiation comes from how businesses exploit digital technologies to create new value for customers, increase their operational agility to serve customers, and form digital ecosystems that generate entirely new revenue streams, data security and privacy is so much more than cost reduction. It is, in fact, a driver of revenue and growth,” the study explains.

Highlights of the Varonis study include: 

• 62% of respondents have no idea where their most sensitive unstructured data resides 

• 66% don't classify this data properly 

• 59% don't enforce a least privilege model for access to this data 

• 63% don't audit use of this data and alert on abuses

The challenge, according to the Varonis report, is that businesses today are dependent on an amalgam of security tools to defend their networks, lower costs and streamline operations. But, data security is still fragmented, the report found.

Varonis commissioned Forrester in September 2016 to examine the landscape to assess the need for a data security platform. Forrester surveyed 150 data security decision-makers across a wide variety of industries in the U.S. and Canada and found that "changing strategies from a product to a platform will transform data security for companies."

The study revealed three key findings:

Investing in data security products does not translate to maturity. Most organizations have implemented a variety of technology solutions to help with data security. But a high security investment does not translate to high maturity with data security, nor does it mean a unified security strategy.

Low maturity with data security manifests itself through challenges. Despite claims of high maturity, an overwhelming majority of companies face technical and organizational challenges with data security, are focused on threats rather than their data, and do not have a good handle on understanding and controlling sensitive data.

There is an appetite for a unified data security platform. A unified data security platform will improve data strategy by helping to provide the data visibility and governance that firms desire, while controlling costs and addressing integration concerns.

"A unified data security platform offers core capabilities to help organizations not just establish a robust technology foundation for their data security strategy but also create conditions that help to push firms toward greater security maturity and value-add to the business," the study concludes. "Integration with existing infrastructure is the key. "It's time to put a stop to expense in depth and wrestling with cobbling together core capabilities via disparate solutions." 

"In the wake of headline breaches, we've seen a lot of reactive, emergency spend that fails to yield success in improving overall security," David Gibson, vice president of strategy and market development for Varonis, told SC Media on Tuesday. "You can invest in a lot of point solutions that mitigate specific threats or perform specific tasks, but they often don't directly protect the data itself."

Data needs to be viewed more consistently as an asset, and therefore, Gibson said his firm takes a more mindful approach to protecting it – asking what data is collected, created and stored, where is it, who has access to it, how is it being used, and can an admin know when someone destroys, tampers with, or steals it? 

"Organizations that take a more thoughtful approach are focusing on their data, and approaching its security more like they approach the security of their financial assets – putting them in secure places, granting access to only those who need it and monitoring all the 'transactions' to detect fraud or misuse," Gibson said. 

It's easy to get caught up in focusing on the threats and attack vectors. This is what helps to make headlines when companies get breached, Forrester analyst Heidi Shey told SC Media on Tuesday. "To protect your data, you have to understand what it is you're trying to protect and why and how that data needs to be used, in order to determine the how when it comes to security."

A data-centric approach starts here, Shey said, and gives data an identity based on sensitivity, criticality and other contextual information. This way, users can figure out what controls are needed and bring those controls closer to the data in order to protect it wherever it needs to go through that data's lifecycle, she added.