No one sets out to do security triage rather than developing and instituting processes that would enable real and continual security. But when people are pressured for time and buffeted by an onslaught of issues sometimes it seems that the only way to cope is to respond just to the problem of the day.
But we all know that reactive efforts aren't the right way to protect data. We have to move beyond dealing with the crisis of the moment and focus on securing data holistically. And while it may be difficult to free up the time and the budget to institute a comprehensive data security plan, ultimately a unified approach will be far more effective, increasing security and saving both time and money.
Over and over we find that many businesses who suffer a serious data breach had deployed good protective technology systems but didn't have a data-driven security plan. Recently the Enterprise Strategy Group, a research firm, surveyed 109 security professionals to discover how they protected data. The survey revealed that the biggest threat to the security of critical data was the lack of that solid security plan. ESG senior analyst Jon Oltsik noted that "without a standard set of policies and processes, there is simply too much room for abuse and human error."
We can't rely on applications to do all the work for us and we can't just throw money at the data security problem and hope it will go away. Smart policies, procedures and people are just as important as choosing the right security solutions. This holistic approach to security is far more powerful than the fragmented practices present at too many companies.
Broadening the focus
Data flows through a company, into and out of numerous applications and systems. This flow, in its entirety, is the focus of a holistic approach to data security.
Think of your network as a municipal transit system – the system is not just about the station platforms. The tracks, trains, switches and passengers are equally critical components. Many companies approach security as if they are trying to protect the station platforms, and by focusing on this single detail they lose sight of the importance of securing the flow of information.
A critical first step in any data-driven security project is to conduct a full audit of the entire system and identify all the points and places where sensitive data is processed, transmitted and stored. Not an easy task in a sprawling distributed system, but an essential one: you can't protect data if you don't know where it is. Audits typically reveal sensitive personal data tucked away in places that you'd never expect to find it, unprotected in applications and databases across the network.
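One way to start the audit described above is a simple sensitive-data discovery scan. The following is an added example, not code from the article or from Protegrity: it runs a few pattern matchers (a US-style SSN, an e-mail address, and a 13-19 digit number that must also pass a Luhn check before it is reported as a card number) over a constructed in-memory set of "files", masks each hit so the inventory itself does not leak the data it finds, and summarizes the findings per file and data kind. The paths, file contents and pattern set are assumptions made for the example; a real audit would walk file shares, databases and log stores and would tune the patterns to the data types the business actually handles.

```python
import re
from dataclasses import dataclass

# Constructed sample corpus standing in for the files an audit would walk.
# All paths and contents are made up for this example.
SAMPLE_FILES = {
    "crm/export_2009.csv": "name,email,ssn\nJane Doe,jane@example.com,123-45-6789\n",
    "app/logs/checkout.log": (
        "order 4412 card=4111111111111111 status=ok\n"
        "order 4413 card=4111111111111112 status=declined\n"
    ),
    "docs/readme.txt": "Nothing sensitive here, just build notes.\n",
}

# Assumed pattern set; extend or narrow it to the data types the business handles.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b\d{13,19}\b"),
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum: doubles every second digit counted from the right."""
    digits = [int(c) for c in number]
    parity = len(digits) % 2
    checksum = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line_no: int
    sample: str  # masked value so the report itself does not leak data


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be traced without exposing it."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Return a Finding for every pattern hit in one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                # A run of digits is only reported as a card number if the checksum holds.
                if kind == "card" and not luhn_valid(value):
                    continue
                findings.append(Finding(path, kind, line_no, mask(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan every (path, contents) pair and collect the findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per (path, kind): the inventory the audit produces."""
    summary = {}
    for f in findings:
        key = (f.path, f.kind)
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.sample}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

The Luhn check is what keeps the card matcher from flagging every long number (order ids, timestamps) as a card; in the sample the second "card=" value fails the checksum and is dropped, so the log file yields one card finding rather than two. The summary, keyed by file and data kind, is the artifact the next step needs: it tells you which systems hold which classes of data before you decide on retention, access and encryption controls for each.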
Once you know where the data goes and lives, you can develop a plan to protect it – a plan that is very specific to your business needs. The plan should address such issues as data retention and disposal, user access, encryption and auditing. As you devise this plan you must take into consideration that business needs will often trump security requirements; an effective security plan must take all of the stakeholders' needs into account or it will fail. People will always find a way to thwart security measures that they don't understand or that impact negatively on their productivity.
It is best to develop the plan and its ensuing policies in tandem with representatives from departments throughout the company. Many of your employees are stakeholders in security and should feel as if they are a valued participant in protecting company data. People's concerns about data security interfering with business processes and productivity must be respected and taken into account when developing security policies and processes.
Build a collaborative culture centered on security
A recent report from Ponemon Institute, based on a survey of 3,600 IT security and marketing executives, found that people in charge of collecting, protecting and managing sensitive information inside large businesses rarely collaborate in their efforts to protect data, and these broken business processes are the cause of many data breaches and leaks.
Additionally, people working within one company often have entirely different ideas about data security; for example, 53 percent of the IT staff surveyed said their companies have well-coordinated data protection policies, but only 32 percent of workers who actually handle the information believed that data was adequately secured.
While it's amusing to compare IT and marketing's answers – about 50 percent of the information security professionals said they believe that protecting consumer data is crucial for business success, but only 18 percent of marketers believed this was true – the concluding statistics of the Ponemon study are sobering. Seventy-four percent of those organizations indicating that collaboration among security and privacy professionals was poor reported one or more data breaches in the past 24 months. Only 29 percent of those indicating that collaboration was adequate to excellent reported one or more data breaches in the past 24 months.
Collaboration across the enterprise is critical to holistic security. It's obvious that effective security has to be everyone's problem, and the processes that support real security need to be embraced by all. But simply devising policies isn't enough. Given the differing feelings that may be present about data security, policies and procedures should be enforced by technology controls such as role-based access, data encryption, and auditing tools to ensure that everyone is following the rules and to protect data from misuse or exposure even if the rules are broken.
One of the most positive steps an enterprise can make is to institute ongoing security awareness training for employees. Ensure that all employees understand how to identify confidential information, the bottom-line business importance of protecting data and systems, how to choose and use passwords, acceptable use of system resources, email, and the company's security policies and procedures. Security training should not be generic but should instead be targeted to an employee's role in the company with refresher courses bi-annually, or more frequently depending on the person's role in the company and their access to sensitive data.
Processes and policies also need to evolve. Consider instituting a weekly meeting with senior department members to talk about upcoming data security and regulatory concerns. Look at what's starting to happen, what tools people are using, what threats are out there, and consider what policies the company may need to enact to deal with these issues. Except in emergencies, adjustments should be made to policies on a quarterly basis rather than bombarding people with constant changes.
The key thing to remember is that data security is not just a technical issue. In fact it is primarily a business issue. It's critical to take time out from managing the crisis of the moment to look at the bigger picture. One size doesn't fit all in security, so assess the data flow and risk environment within your company and devise a comprehensive plan to manage information security that dovetails with business needs. A data protection-driven holistic plan is the only way to truly secure data – it allows you to think strategically, act deliberately and get the absolute best return on your data security investment.
-Gordon Rapkin is CEO of Protegrity