When it comes to data security, you don't need a silver bullet, you need a framework
In the case of data security, there is no silver bullet.
Published 17:16, 17 September 12
- Build a relationship with executives and secure budget. Proving security ROI and garnering the necessary budget isn't always easy. However, if you educate execs about the real risks to PII and intellectual property and work side by side with them to define, dissect, and defend this data, your business case for budget will be more compelling. In our framework, the process itself will also force you to understand the value of data in concrete terms, such as whether or not it generates revenue or helps maintain a competitive advantage.
- "Kill" your data and render it useless to potential cybercriminals. Once you've defined (discovered and classified) your most sensitive data, the best way to protect it is to "kill" it. "Killing" data through encryption, tokenisation, and other means renders the data unreadable and useless to would-be cybercriminals. The process of defining your data also helps you target your security efforts - rather than attempting to kill every byte of data across your extended enterprise, you prioritise your limited budget to protect your organisation's high-value, high-risk assets.
- Address regulatory compliance and privacy concerns. Killing data also helps you address regulatory compliance and data residency issues. In the digital age, data residency mandates (such as the EU Data Privacy Directive) that restrict the movement of data across national borders are difficult to implement and enforce. By encrypting restricted data, organisations facing this type of challenge have an effective tool within their reach. In many cases, breach notification laws will exempt an organisation from notification requirements and fines if they had encrypted the compromised data. In other cases, organisations have found ways to take advantage of desirable cloud services because the provider encrypted the data but the organisation maintained the keys.
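The two points above (killing data by tokenisation, and keeping the keys or vault inside the organisation while a provider holds only the killed copy) can be made concrete with a small worked example. This is illustrative code added here, not code from the report or any vendor; the record layout, the field names, the sample values and the in-memory vault standing in for a real token vault or HSM are all constructed for the example.

```python
"""Added example: "killing" PII fields by vaulted tokenisation and keyed pseudonymisation.

Illustrative code written for this page, not the framework's or a vendor's implementation.
Assumptions (all constructed): the records, the SENSITIVE_FIELDS list, and an in-memory
TokenVault standing in for an organisation-held token vault / HSM-backed key store.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Stands in for the organisation-held vault. The provider-side store never
    receives this object, so its copy of the data is useless on its own."""
    # Key for deterministic pseudonyms; generated here, would live in an HSM/KMS in practice.
    hmac_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _token_to_value: dict = field(default_factory=dict)
    _value_to_token: dict = field(default_factory=dict)

    def tokenise(self, value: str) -> str:
        """Replace a sensitive value with a random token that has no mathematical
        relationship to it. The same value maps to the same token, so records
        can still be joined on the token without exposing the value."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only possible with access to the vault (i.e. inside the organisation)."""
        return self._token_to_value[token]

    def pseudonymise(self, value: str) -> str:
        """Keyed-hash pseudonym: deterministic and vault-free, but only a holder of
        hmac_key can recompute it. A plain SHA-256 of a card number would not do,
        because the small input space makes an unkeyed hash trivially reversible."""
        return hmac.new(self.hmac_key, value.encode(), hashlib.sha256).hexdigest()


# Constructed field names; in practice these come from the "define" (classification) step.
SENSITIVE_FIELDS = ("card_number", "national_id")


def kill_record(record: dict, vault: TokenVault) -> dict:
    """Return the copy of a record that is safe to hand to a provider:
    sensitive fields replaced by tokens, everything else untouched."""
    killed = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in killed:
            killed[name] = vault.tokenise(killed[name])
    return killed


def restore_record(killed: dict, vault: TokenVault) -> dict:
    """Reverse of kill_record; requires the organisation-held vault."""
    restored = dict(killed)
    for name in SENSITIVE_FIELDS:
        if name in restored:
            restored[name] = vault.detokenise(restored[name])
    return restored


def leaks_sensitive_values(store: list, originals: list) -> bool:
    """Check run against the provider-side store: does any original sensitive
    value appear anywhere in it?"""
    original_values = {r[n] for r in originals for n in SENSITIVE_FIELDS if n in r}
    return any(v in original_values for r in store for v in r.values())


# Constructed sample records; the numbers are test-style values, not real PANs or IDs.
CUSTOMERS = [
    {"customer": "alice", "card_number": "4111111111111111", "national_id": "AB123456C", "country": "DE"},
    {"customer": "bob",   "card_number": "5555555111111111", "national_id": "ZZ987654A", "country": "FR"},
    {"customer": "carol", "card_number": "4111111111111111", "national_id": "QQ000000Q", "country": "DE"},
]


def demo() -> tuple:
    """Kill the records, hand the killed copies to the 'provider', and verify that
    nothing sensitive leaked while the organisation can still restore them."""
    vault = TokenVault()
    provider_store = [kill_record(r, vault) for r in CUSTOMERS]
    leaked = leaks_sensitive_values(provider_store, CUSTOMERS)
    round_trip_ok = [restore_record(k, vault) for k in provider_store] == CUSTOMERS
    return provider_store, leaked, round_trip_ok


if __name__ == "__main__":
    store, leaked, ok = demo()
    for row in store:
        print(row)
    print("sensitive values present in provider store:", leaked)
    print("organisation can restore originals:", ok)
```

The point of the check in `leaks_sensitive_values` is the one the text makes: once the provider holds only tokens, a breach of that store exposes nothing the vault did not already protect, which is why breach-notification exemptions for encrypted or tokenised data hinge on who holds the keys.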
- Discover: Build the business case and assess your maturity. In between all the hyped stories about military-grade malware like Stuxnet and Flame, business execs miss the real threats to their business — that cybercriminals are targeting intellectual property and that an erosion of customer confidence in your brand affects your reputation. Once you've reset executives' understanding of the data security challenge, you can then assess your current capabilities against our DLP maturity model and identify your weaknesses. You'll address these gaps in your long-term strategy and road map.
- Plan: Create a strategy using our Data Security And Control Framework. We break the problem of securing and controlling data into three areas: 1) defining the data; 2) dissecting and analysing the data; and 3) defending and protecting the data. In addition to the framework, we provide security pros with a data privacy heat map for understanding the privacy laws from around the world that will affect their security policies, and we list all the technologies and services that you'll need in your arsenal to kill your data.
- Act: Hire the right staff, define policies, and implement security controls. To deal with constant changes in privacy laws, many organisations will need to hire a chief privacy officer (CPO). If your organisation has one, you'll need to work with him or her to define and enforce privacy policies. And depending on the mix of security controls you implement to enforce those and other security policies, it's possible that you'll need staff with specialised expertise in areas such as encryption and key management.
- Optimise: Measure, monitor, and communicate your results. The board of directors and your CEO will constantly ask you questions such as "Are we secure?" or "How do we compare with our peers?" To answer these questions and secure more budget, you'll need some way to measure the effectiveness and value of your data security efforts and to benchmark these metrics to peers.