Why CISOs Need to Collaborate with Business Leaders to Address Corporate Data Risk Together

by Janice Allen

Glen Day is the founder and CEO of NVISIONx, the data risk intelligence platform that helps companies manage their business data.

With the increasing prevalence and sophistication of cyber attacks, chief information security officers must remain vigilant for new attacks that threaten their business. However, the new level of attacks, the amount of data and the complex proliferation of controls require a data-first approach to better defend a company’s most important digital assets.

Why is this? Companies hiring cyber and privacy professionals still struggle to really know their data. They find themselves discovering data reactively rather than having a reliable system to find it on demand. The problem of verifying data is more challenging than ever. Cyber and privacy professionals have done their best to defend and remediate data risks. The journey now requires closer collaboration with business leaders who are familiar with the data that matters most.

So how can business leaders work with their CISOs to systematically audit data and mitigate risk? Use a framework that can best assess the level of control for all data, from creation to final disposal, because the better you know your data, the more efficiently you can manage it. These seven questions address the lifecycle of each dataset to help companies determine what data poses a risk and what measures need to be taken to properly protect it:

1. What data do we have?

I’ve learned firsthand that the data-first approach starts with a collaboration between the CISO and the rest of the company to prioritize, scope, and assign ownership of important data. It’s what you don’t know that can put you at risk. Therefore, it is critical that all data is accounted for correctly to avoid blind spots. It is not acceptable to account for only some or most of your data.

2. Where do we store that data?

Whether your data resides in your data center, corporate cloud, or multiple shared cloud services, it must be taken into account. Business, cyber and IT leaders must work together to proactively assess their data ecosystems to minimize the excessive time, cost and risk associated with reactive discovery or searches. Make sure you can find what you need when you need it.

3. Who has access to the data?

For all data classified as sensitive, CISOs must work with business leaders to clarify access controls. This means making sure that only those users and groups who need access have access (and only for as long as they need it). In my experience, this is one of the first rules of data protection, but in practice access is often granted more widely than necessary.

4. Is the data properly secured?

Once business leaders understand what data is critical and where it is stored, the CISO can better evaluate whether all the right controls are in place and whether they are effectively mitigating risk. You may want to consider using solutions that combine corporate data with cyber intelligence. (Full disclosure: My company offers these types of solutions, as do others.) This allows cybersecurity teams to focus on more specific, sensitive data to deliver a true risk-based approach to data protection that produces reliable results with minimal human effort.

5. Can we find the data when we need it?

In the event of a security incident or in response to a legal matter, you need to find exactly what you need quickly and reliably. If you’ve applied the first two principles of knowing what you have and where you have it, these time-sensitive functions can be performed in a way that reduces cost and risk to minimize the potential impact and damage to the company’s brand. It’s unfortunate that some companies can take weeks to determine what data can be released and how it might affect the business. The longer it takes, the greater the impact on the brand and its customers, patients or partners.

6. Do we only keep the data we need?

It may be hard to admit, but I see it all the time. Almost every business has data hoarding practices. They often adopt the philosophy of “keep everything forever, just in case.” But I see data volumes doubling every two years and the daunting impact of ‘right to be forgotten’ privacy rights, so hoarding data can no longer be tolerated.

Good data hygiene means keeping what you need for as long as you need it. Keeping data beyond its useful life and its record retention requirements may seem harmless because storage is cheap, right? Storage may be cheap to buy, but it is not cheap to keep. More data results in wider compliance scope, larger attack surfaces, higher e-discovery costs, and excessive storage costs. The longer you store data, the more cost and risk your business faces.

7. Do we throw away data that we no longer need?

Once the available data has been identified, there must be a plan to assess, approve and dispose of redundant data in a defensible manner. Some platforms, including mine, can inform interested parties about what data can be deleted. This allows data to be checked against records, retention schedules, and legal hold processes. Purging useless data yields cost savings that can produce substantial and recurring ROI.
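The seven questions above describe one audit procedure over the data lifecycle: inventory, location, access, classification, retention and disposal. The following Python script is an added example (not the author's code and not part of NVISIONx) that runs those checks over a small, constructed data inventory. The `Dataset` fields, the finding codes and the sample entries are all assumptions made for illustration; a real inventory would be fed from discovery tooling rather than hand-written literals.

```python
"""Added example: a minimal data-lifecycle audit over a constructed inventory."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# A finding is (dataset name, issue code, human-readable detail).
Finding = Tuple[str, str, str]


@dataclass
class Dataset:
    """One entry in a hypothetical data inventory (illustrative fields only)."""
    name: str
    location: str                  # Q2: where the data lives
    owner: Optional[str]           # Q1: business owner accountable for it
    classification: Optional[str]  # Q4: e.g. "public", "internal", "sensitive"
    need_to_know: Set[str]         # Q3: groups that legitimately need access
    granted_to: Set[str]           # Q3: groups actually granted access
    retention_days: Optional[int]  # Q6: how long it is needed after last use
    last_used: date                # Q6/Q7: last recorded business use
    legal_hold: bool = False       # Q7: must not be disposed of while held


def audit(inventory: List[Dataset], today: date) -> List[Finding]:
    """Apply the lifecycle checks to every dataset and return the findings."""
    findings: List[Finding] = []
    for ds in inventory:
        if ds.owner is None:
            findings.append((ds.name, "NO_OWNER", "no business owner recorded"))
        if ds.classification is None:
            findings.append((ds.name, "UNCLASSIFIED",
                             "classification missing; controls cannot be evaluated"))
        # Least privilege: anything granted beyond need-to-know is a finding.
        excess = ds.granted_to - ds.need_to_know
        if excess:
            findings.append((ds.name, "EXCESS_ACCESS",
                             "granted beyond need-to-know: " + ", ".join(sorted(excess))))
        if ds.retention_days is None:
            findings.append((ds.name, "NO_RETENTION",
                             "no retention period set; defaults to keep-forever"))
        elif today - ds.last_used > timedelta(days=ds.retention_days):
            idle = (today - ds.last_used).days
            if ds.legal_hold:
                # Past retention but subject to a hold: flag it, never dispose.
                findings.append((ds.name, "ON_LEGAL_HOLD",
                                 f"unused for {idle} days but on legal hold; do not dispose"))
            else:
                findings.append((ds.name, "PAST_RETENTION",
                                 f"unused for {idle} days; defensible disposal candidate"))
    return findings


def disposal_candidates(findings: List[Finding]) -> List[str]:
    """Datasets that can go to the approve-and-dispose step (Q7)."""
    return sorted({name for name, code, _ in findings if code == "PAST_RETENTION"})


def by_location(inventory: List[Dataset]) -> Dict[str, List[str]]:
    """Answer Q2: which datasets live where."""
    out: Dict[str, List[str]] = {}
    for ds in inventory:
        out.setdefault(ds.location, []).append(ds.name)
    return out


# Constructed sample inventory and audit date (not real data).
AUDIT_DATE = date(2024, 1, 15)
SAMPLE_INVENTORY = [
    Dataset("customer-pii", "corporate-cloud/object-store", "sales-ops", "sensitive",
            {"crm-team"}, {"crm-team", "all-employees"}, 730, date(2024, 1, 5)),
    Dataset("hr-archive-2015", "data-center/nas", None, "sensitive",
            {"hr"}, {"hr"}, 7 * 365, date(2016, 1, 1)),
    Dataset("marketing-assets", "shared-saas/drive", "marketing", None,
            {"marketing"}, {"marketing"}, None, date(2023, 12, 20)),
    Dataset("litigation-emails", "data-center/mail-archive", "legal", "sensitive",
            {"legal"}, {"legal"}, 365, date(2020, 6, 1), legal_hold=True),
]


if __name__ == "__main__":
    for loc, names in by_location(SAMPLE_INVENTORY).items():
        print(f"{loc}: {', '.join(names)}")
    for name, code, detail in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"[{code}] {name}: {detail}")
    print("disposal candidates:", disposal_candidates(audit(SAMPLE_INVENTORY, AUDIT_DATE)))
```

On the sample inventory the audit surfaces one finding per lifecycle question: a dataset with no owner, one with no classification, one granted to more groups than need it, one with no retention period, one past retention that can be disposed of, and one past retention that is held back by a legal hold. The legal-hold branch is the part worth copying: a disposal process that ignores holds is not defensible, whatever the storage savings.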

Data protection is not the sole responsibility of the CISO. It is a business-oriented function that requires joint support and coordination between different stakeholders. Those who do well reap the rewards and are transformed into proactive data guardians, not reactive data firefighters.
