A few thoughts on data protection

Data protection is top of mind for many in the information security industry. Despite continued investments in technologies and increasing regulatory pressure, every year brings more stories of data thefts and security breaches. We are living in an era where private financial data is traded as a commodity in the underground market. The size of this data-trading economy now parallels that of the illegal drug trade.

Some argue that companies are not doing enough to protect data. In economics parlance, the cost associated with a data breach includes both private (internal to a firm), and external expenditures that other entities are forced to pay due to the breach. Traditional cost models rarely take into account any external costs. As such, the investment in protection technologies rarely matches the true cost of a data breach. It is time for us as a community to face up to these costs and look for alternative solutions, perhaps even ones that are traditionally deemed too cost-prohibitive.

One reason that fraudsters target data is that it carries value. What if we devalue the data, and thereby take away the incentive for data theft? One way to devalue data is to restrict what can be done with it. Take the case of credit cards. If we reduce general credit limits and make it difficult to obtain cards with high limits, we would significantly curb the appetite for stolen cards, and as a result reduce the volume of data theft incidents. Clearly, this approach goes against the modus operandi of those in the lending business. But if the recent credit market crash taught us anything, it is to exercise caution before extending credit. As data theft incidents become more common and the cost of protecting data rises further, financial institutions will, at some point, re-evaluate the true value behind data. Why not do it now?

One common pitfall of many security systems is the confusion of authentication with identification. Names, credit card numbers and birth dates are identifiers. Authentication is the process of verifying a claimed identity, and it should not reduce to mere possession of the identifiers, which are widely shared and routinely stolen. Imagine a payment card whose number is a one-way hash of the spatial geometry of the cardholder's face combined with a PIN. A transaction is authorized only when a live facial scan and the PIN reproduce the card number; a stolen number is otherwise useless. Two practical caveats apply to any such design: biometric readings are noisy, so the scan must first be turned into a stable value (for example with a fuzzy extractor) before it can be hashed, and a short PIN hashed together with a non-secret face template can be guessed offline, so the derivation should also involve a secret held by the issuer.
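To make the distinction concrete, the following is an added example written for this page, not code from the author or from any card issuer. It models the card-number scheme sketched above with a constructed byte string standing in for a stable face template (a real scanner would need a fuzzy extractor to produce one), shows that the number alone does not authorize anything, and then shows two failure modes a practitioner would check: one bit of sensor noise breaks a raw hash, and a leaked number plus a non-secret face template lets an attacker guess a four-digit PIN in ten thousand hash evaluations. The keyed variant with an issuer-held key is an assumption of this example, not part of the column's proposal.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for a facial feature vector. Assumption: a real
# scanner yields a noisy vector that a fuzzy extractor first turns into a
# stable byte string like this one before any hashing takes place.
FACE_TEMPLATE = bytes.fromhex("a3f1c9d2b78e0f4c5a6d1e2f3b4c5d6e" * 2)
PIN = "4821"          # constructed sample PIN
PIN_DIGITS = 4

def naive_card_number(face_template: bytes, pin: str) -> str:
    """The scheme as the column sketches it: card number = one-way hash of
    the face geometry plus a PIN. Anyone who knows the inputs can recompute it."""
    digest = hashlib.sha256(face_template + pin.encode()).hexdigest()
    return digest[:16]  # truncated to a card-number-like length for readability

def naive_authorize(card_number: str, face_scan: bytes, pin: str) -> bool:
    """Authorization recomputes the number from the live scan and the PIN;
    the number on its own proves nothing."""
    return hmac.compare_digest(naive_card_number(face_scan, pin), card_number)

def brute_force_pin(card_number: str, face_template: bytes) -> Optional[str]:
    """Attacker model: the card number leaked in a breach and the face
    template is not secret. A 4-digit PIN falls to 10**4 hash evaluations."""
    for guess in range(10 ** PIN_DIGITS):
        pin = f"{guess:0{PIN_DIGITS}d}"
        if naive_card_number(face_template, pin) == card_number:
            return pin
    return None

# Constructed issuer secret; in practice this would live in the issuer's HSM.
ISSUER_KEY = bytes(range(32))

def keyed_card_number(face_template: bytes, pin: str, issuer_key: bytes) -> str:
    """Hardened variant (an assumption of this example): an issuer-held key
    enters the derivation, so recomputation, and hence offline PIN guessing,
    is only possible where the key lives and can be rate-limited."""
    mac = hmac.new(issuer_key, face_template + pin.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def keyed_authorize(card_number: str, face_scan: bytes, pin: str, issuer_key: bytes) -> bool:
    return hmac.compare_digest(keyed_card_number(face_scan, pin, issuer_key), card_number)

def flip_one_bit(template: bytes, bit_index: int = 0) -> bytes:
    """Simulate a single bit of sensor noise in a rescan of the same face."""
    out = bytearray(template)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def demo() -> dict:
    """Run every check once and return the outcomes so they can be asserted on."""
    card = naive_card_number(FACE_TEMPLATE, PIN)
    keyed = keyed_card_number(FACE_TEMPLATE, PIN, ISSUER_KEY)
    return {
        "naive_ok": naive_authorize(card, FACE_TEMPLATE, PIN),
        "naive_wrong_pin": naive_authorize(card, FACE_TEMPLATE, "0000"),
        "naive_noisy_scan": naive_authorize(card, flip_one_bit(FACE_TEMPLATE), PIN),
        "naive_pin_recovered": brute_force_pin(card, FACE_TEMPLATE),
        "keyed_ok": keyed_authorize(keyed, FACE_TEMPLATE, PIN, ISSUER_KEY),
        # The attacker lacks ISSUER_KEY, so guessing with the public formula fails.
        "keyed_pin_recovered": brute_force_pin(keyed, FACE_TEMPLATE),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two negative results are the ones worth dwelling on: a raw hash of a biometric is brittle by construction, which is why stable-key extraction has to happen before hashing, and a hash over public inputs plus a low-entropy secret is only as strong as the PIN unless an issuer-side secret (or at least a slow, server-side, rate-limited check) is part of the design.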

Also, compliance is a big driver in the adoption of security technologies today. However, compliance serves a penalty-centric role – if you are not compliant, there will be a price to pay. There is very little incentive structure set up to reward good behavior. The impact of reward structure on improving performance is well understood. It is perhaps time for the information security community to stop relying solely on compliance and start investigating how we can improve the overall data protection competency by rewarding good behavior. This should include rewards for good behavior internally within an organization, as well as across organizations at a society level.

In addition, just as "greenness" measures the company's commitment to the environment, we need an analogous metric that measures the company's maturity in its data handling operations. And just as greenness can help a company achieve social goodwill, a good data security reputation should result in customer loyalty and heightened trust. With such a metric and reputation framework in place, perhaps firms would be more inclined to internalize some of the external cost, if it will help them garner a more favorable reputation.

Clearly, implementing some of these ideas would require a shift in thinking and, in some cases, a complete overhaul of infrastructure, which can be an expensive undertaking. But unless we drastically change the way we do things and the way we approach the problem, we can count on it: we have not seen the last of cases like Hannaford Bros. and TJX.


Chenxi Wang

Dr. Chenxi Wang is the Founder and General Partner of Rain Capital, a Silicon Valley-based venture fund focused on Enterprise Software and Cybersecurity investments. A well-known operator, technologist, and thought leader in the Cybersecurity industry, Dr. Wang is a member of the Board of Directors for MDU Resources, a Fortune 500 company. Previously, Chenxi was Chief Strategy Officer at Twistlock, VP of strategy for Intel Security, and VP of research for Forrester. Chenxi was recognized as a Women-of-Influence by the SC Magazine, Women Tech Founders, and Cyber Risk alliance.

Chenxi’s career began as a faculty member at Carnegie Mellon University, where she helped found the Cybersecurity Lab of Carnegie Mellon. Chenxi is a trusted advisor to IT executives and a sought-after keynote speaker. She has headlined events worldwide and been featured by top media outlets for her thought leadership work. Chenxi is a Forbes contributor and writes a column for Dark Reading. Chenxi holds a Ph.D. in Computer Science from the University of Virginia.
