The new CISO imperative: Solving the information management paradox
In the drive to become more cyber resilient in 2017, organizations are extending risk management that is traditionally based on perimeter measures (e.g., data loss prevention and firewalls) towards information stewardship – the proper identification, categorization and deletion of their own content, regardless of where it is saved.
It is commonly accepted that for better or worse, we are creating 2.5 quintillion bytes of data each day; yet it’s estimated only about 0.5 percent of all digital data is ever analyzed and used.
The proliferation of data, whether stored on-premises, in non-integrated solutions, or in the cloud, poses significant compliance and security threats (consider, for example, the Dropbox hack of more than 68 million users’ data). A major breach of metadata – data about data – is also just around the corner. Earlier in 2016, a hack of the U.S. OPM (Office of Personnel Management) compromised the personally identifiable data (including the biometrics) of several hundred thousand U.S. government employees.
CISOs have traditionally focused their protocols and budgets on protecting all the “stuff,” whether through hypersecure firewalls, locking down USB ports, or deploying data loss protection (such as active packet inspection technologies) at the perimeter. However, Gartner says spending in areas such as endpoint protection platforms is starting to see commoditization.
Companies today recognize security must extend beyond traditional countermeasures. The rise of digital business ushers in a new era of threats. In 2017 and beyond, there will be a more deliberate movement toward first identifying what exactly is to be secured, and then assigning security levels to that content.
To keep data proliferation problems from spiraling out of control, content must be correctly identified, categorized and deleted (where appropriate). Rather than simply locking down potentially risky data, it’s important to make data usable by designing pervasive, invisible governance around it.
Establish a repeatable, scalable data inventory process
Expecting individuals to consistently follow tedious data inventory processes is not scalable. A recent study of U.S. State Department files from the 1970s found that even highly trained workers had inadvertently declassified the majority of the content. Humans tend to do what comes easiest and fastest for them personally (e.g., a Google search for data, or saving files to/from their desktop) rather than what’s best for the organization.
Fortunately, today’s artificial intelligence and cognitive computing engines offer the solution: these platforms can inventory billions of files efficiently. They can automate rules-based security protocols to create, receive, maintain, manage and dispose of records across their lifecycles.
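The rules-based inventory described above can be sketched in code. The following is an added example written for this article, not a product or engine the article refers to: it takes a constructed set of file records (path, owner, last-modified date and a text sample the crawler read), classifies each one with a first-match rule list, derives a lifecycle disposition (retain, route for business-owner review, or dispose) from a per-category retention table, and flags files that sit outside sanctioned storage locations or have no registered custodian. The categories, retention periods, sanctioned paths, patterns and sample files are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Assumed retention policy (days per category). Real values come from the
# organization's records schedule and the business owners who approve it.
RETENTION_DAYS = {"health": 6 * 365, "financial": 7 * 365, "public": 365, "unclassified": 90}

# Assumed sanctioned repositories; anything stored elsewhere is flagged.
SANCTIONED_ROOTS = ("/corp/records/", "/corp/shared/")

# Ordered classification rules, first match wins. Patterns are illustrative only.
CLASSIFIERS = [
    ("health", re.compile(r"\b(diagnosis|patient id|mrn)\b", re.I)),
    ("financial", re.compile(r"\b(invoice|iban|account number)\b", re.I)),
    ("public", re.compile(r"\b(press release|public)\b", re.I)),
]

REVIEW_WINDOW_DAYS = 30  # route to the business owner this long before disposal


@dataclass
class FileRecord:
    path: str
    owner: str
    modified: date
    sample: str  # leading text of the file as read by the crawler


@dataclass
class InventoryEntry:
    path: str
    category: str
    action: str
    findings: list = field(default_factory=list)


def classify(sample):
    """Return the first category whose pattern matches the content sample."""
    for category, pattern in CLASSIFIERS:
        if pattern.search(sample):
            return category
    return "unclassified"


def disposition(category, modified, today):
    """Map file age against the retention table to a lifecycle action."""
    limit = RETENTION_DAYS[category]
    age = (today - modified).days
    if age > limit:
        return "dispose"
    if age > limit - REVIEW_WINDOW_DAYS:
        return "review"
    return "retain"


def inventory(records, today, custodians):
    """Build one inventory entry per record, including governance findings."""
    entries = []
    for rec in records:
        category = classify(rec.sample)
        entry = InventoryEntry(rec.path, category, disposition(category, rec.modified, today))
        if not rec.path.startswith(SANCTIONED_ROOTS):
            entry.findings.append("unsanctioned location")
        if rec.owner not in custodians:
            entry.findings.append("no registered custodian")
        entries.append(entry)
    return entries


def summarize(entries):
    """Count entries per lifecycle action, the figure a CISO dashboard would show."""
    counts = {}
    for entry in entries:
        counts[entry.action] = counts.get(entry.action, 0) + 1
    return counts


# Constructed sample input; none of these files, owners or contents are real.
TODAY = date(2017, 1, 15)
CUSTODIANS = {"alice", "bob", "carol"}
SAMPLE_RECORDS = [
    FileRecord("/corp/records/hr/patient_intake.txt", "alice", date(2010, 6, 1),
               "Patient ID 4471 diagnosis: annual physical"),
    FileRecord("/home/bob/Dropbox/q3_invoice.xlsx", "bob", date(2016, 11, 1),
               "Invoice 2291 account number 000-111"),
    FileRecord("/corp/shared/press_release_2016.docx", "carol", date(2016, 2, 1),
               "Press release: new office opening"),
    FileRecord("/corp/shared/notes.txt", "contractor-x", date(2016, 12, 20),
               "meeting notes, action items"),
]

if __name__ == "__main__":
    for e in inventory(SAMPLE_RECORDS, TODAY, CUSTODIANS):
        print(f"{e.action:8} {e.category:13} {e.path}  {'; '.join(e.findings)}")
    print(summarize(inventory(SAMPLE_RECORDS, TODAY, CUSTODIANS)))
```

Two design points matter in practice. The "review" state exists so that a record never goes from "retain" straight to deletion without the business owner seeing it, which is the collaboration the next section argues for. And the location and custodian findings are separate from the lifecycle action: a file in an unsanctioned location is not automatically deleted, it is surfaced so that it can be moved into a governed repository or confirmed as something the organization should not be holding at all.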
Ensure an open, collaborative approach
Just like physical products, digital data must also have a lifecycle – but data decisions must be made in agreement between Business Owners (the data custodians and the ones who most need the solution), CISOs, CIOs and other high-level executives. ECM and records management initiatives typically have a failure rate of more than 50 percent precisely because the business owner is never consulted. Include these stakeholders in each step of the process. They will be the ones creating, collaborating, sharing, consuming – and intimately interacting with data.
Start to address the implications of future privacy laws – now
The U.S. political environment remains uncertain when it comes to digital privacy. However, the recent terms of the General Data Protection Regulation (GDPR) – and other international privacy laws – must be addressed, even if you are not yet doing business in those countries. The efforts overseas are already seeing “trickle-down” effects here; legislators in certain states are already considering new bills to address privacy concerns.
Curate the data that doesn’t belong to you in the first place
In 2011, an unencrypted, password-protected laptop containing the health information of nearly 10,000 individuals was stolen from a vehicle belonging to a North Memorial Health Care of Minnesota (NMHC) contractor. NMHC ultimately had to pay more than $1.5 million to settle charges that it potentially violated HIPAA. The takeaway? It’s not enough to just know what the data is and who has access to it – you need to confirm that it belongs in your possession.
Collaborate openly with employees to get them the information they need (the data that belongs to you/them), at the appropriate time, through automated and scalable business processes, instead of them searching for it on their own. Offering a frustrating corporate experience in the name of compliance only leads to more frustration, not adoption.
Typically, the adoption of shadow IT apps such as Box, Dropbox and other file-sharing offerings is caused by a company’s inability to deliver IT solutions to employees in a timely manner. Workers may be frustrated they cannot use email to collaborate due to file size restrictions, or have cumbersome content management systems that get in the way of daily work. However, freemium technologies and other ad hoc ways individuals find to store and move data around outside the firewall are classic security risks (as illustrated by the aforementioned Dropbox hack).
Governance around data ultimately must be combined with consumable, intuitive systems and interfaces for data custodians (the people who interact with data), designed to humanize the worker’s information management experience. Together, these are what make it possible to achieve information that is both more secure and more usable.