After nearly two decades of data privacy regulation built around mandates such as Sarbanes-Oxley and HIPAA, privacy breaches remain a leading business concern. Regulated data is evidently still hard to protect, and compliance “checkbox” tools such as DLP deliver less data loss prevention than data loss watching. Meanwhile the intellectual property (IP), confidential business strategies, and sensitive board communications that underpin a company’s competitive strength and directly drive revenue receive far less focus and fewer resources. Yet, more and more, these are the crown jewels that nation-states and cyber criminals are looking to steal and monetize.
If it is this hard to protect well-defined, regulated data with clearly accountable roles, where do we even begin with these less structured data sets, which remain vulnerable because the business’ capabilities for handling them are immature? How can we identify where critical data is stored and continuously confirm that it is being effectively protected by cyber controls?
And if these two challenges aren’t discouraging enough, data hoarding is another problem plaguing companies. Enterprise data is often retained well beyond its useful life, and companies have fallen into the habit of keeping everything forever. This strategy lets them keep kicking the can down the road, but with data volumes roughly doubling every two years, every retained byte is attack surface, and their data risk grows further out of control.
More cyber controls will not fix this problem
So how did we get here? Cybersecurity teams are charged with data protection, but how can they protect data they did not create, when they do not know how and when it is used, who should have access, or where it is supposed to flow outside the company to generate value? Data protection tools are not broken; they secure what they are told to secure. But when business leaders have not defined what critical data looks like and who should have access, cyber teams are left to guess, and they absorb the backlash. Whenever they take a best-effort approach and put controls into blocking (contain) mode, the business complains that “…you’re impairing key business functions…” and demands that they stop. The controls end up in monitor-only mode, the result is noisy or false alarms, and valuable data remains more exposed to breach than it needs to be.
Take a data-first approach
The NIST and ISO security frameworks, and Zero Trust architectures, all start by identifying the critical data whose breach would create unacceptable business risk. Before controls are acquired and implemented, the data asset must first be understood, so that the technical and operational requirements are captured: where the controls will be installed and how they will be configured to reduce the data risk to an acceptable level. Because the business owns the data, CISOs depend on its support to get data protection right.
Let’s examine this further. You’re probably thinking, “… don’t our new privacy compliance tools solve this issue?” Not quite. Privacy compliance tools do a good job of identifying privacy data or sensitive financials, because the regulations gave them the business context of what to look for: credit card numbers, SSNs, driver’s license numbers, and similar well-defined patterns. These tools cannot tell you what your IP or business strategies look like, because nothing external defines them. Even with advanced ML/AI, the business has to be involved so that whatever models are built to classify critical data actually work on its data rather than generating more false alarms.
Team with the business to gain control of data risks
It is impossible for cyber and privacy leaders to take an enterprise approach to data protection without teaming with the business. They simply lack the knowledge and the authority to determine which data, across a vast sprawl of applications and storage repositories, matters most and who should have access to it. These are business decisions that cannot be delegated. It is equally impractical to assume that business leaders just need a tool that lets employees properly tag, index and file their documents. Behavior change is hard, patience is short, and people feel overwhelmed, having tried so many times before with very limited results.
What is possible is a more pragmatic approach that gives business data owners their own data analysis, so they can inventory and classify their data without expensive and hard-to-find data scientists. Not some of it, but all of it. This crowdsourced approach simplifies how the integrated teams work together and provides a single, global view of what data may be at risk and why. Once the business shares its data classification inventories and data maps with the cybersecurity team, data protection controls can quickly be reconfigured to protect the corporate crown jewels more effectively and to strengthen the protection of regulated data.
Automation that fuses the business’ knowledge of its critical data with the intelligence produced by cyber controls, so that business and cybersecurity teams can partner closely on data protection, is what we call data risk intelligence (DRI). This proactive approach identifies valuable data, regulated and non-regulated, and continuously monitors whether the controls are in the right places with the right business rules. This is what we do at NVISIONx, and we’d love to show you how.