Data guides the new security perimeter
A recent Kaspersky Lab report puts the average cost of a data breach to an enterprise at more than $1.2 million. The same report finds that digital transformation projects are being stalled by fear of the impact, and the rising cost, of breaches involving "data on the go": data that moves between devices, cloud services and partners rather than staying inside the corporate network.
When thinking about recent data breaches, Facebook, Equifax, Uber and Yahoo immediately come to mind, but these are only the ones that generated the most headlines. Many other organizations have suffered not only the direct financial cost of losing or mishandling data but also damage to their reputations, which is far harder to price.
Reputation management has always mattered to businesses, but because information now travels so quickly and freely, reputations are more fragile than ever. And with the European Union's General Data Protection Regulation (GDPR) now in effect, a significant data breach is both a PR nightmare and a direct financial hit: fines can reach €20 million or 4% of annual worldwide turnover, whichever is greater.
The new data trinity: Governance, security and privacy
An assessment of the data breaches that crop up like weeds each year supports one conclusion: companies without data governance end up designing security architectures purely from a technical perspective, protecting systems without knowing what data those systems actually hold.
Many incidents trace back to the absence of a data governance foundation that makes the context of data understandable: what data assets exist and where they live, how they relate to enterprise systems and processes, and how, and by which authorized parties, the data is used. That knowledge is a prerequisite for keeping the right data secure and private.
Without data governance, organizations never gain visibility into the full data landscape (linkages, processes, people and so on) needed to build context-sensitive security architectures that can meet expectations around user and corporate data privacy. In short, they cannot connect the dots across the data trinity of governance, security and privacy, and so cannot act on them.
This new data trinity addresses these fundamental questions:
1. What private data do we store and how is it used?
2. Who has access and permissions to the data?
3. What data do we have and where is it?
Data is everyone’s business
Here's one example of how a company that shares its users' data with other parties can connect the dots to sustain a data-safe business model. It starts with a data governance strategy that sets security and privacy limits on what data may be exposed to other entities and how. Customer information is shared only after IT has reviewed and risk-analyzed the enterprise architecture to understand the data's sensitivity, locations and linkage points. With that map in hand, IT can pinpoint weaknesses, such as gaps in encryption or anonymization, and put sanitization layers in place that restrict third-party access across all enterprise systems to data that is both authorized for that party and sanitized for it, protecting against mishandling and other exposure.
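The sanitization layer described above, as an added example that is not code from the original article: a classification catalogue drives what each third party receives. Fields classified as business data pass through, identifiers are pseudonymized with a keyed HMAC (so the partner gets a stable join token it cannot reverse, and different partners get unlinkable tokens), quasi-identifiers are generalized, restricted fields are dropped, and any field missing from the catalogue is treated as a governance gap and dropped as well (fail closed). The classification labels, the partner policy, the secret key and the sample customer record are all constructed for the illustration.

```python
"""Policy-driven sanitization layer for third-party data sharing.

Added illustration, not code from the original article. The
classification catalogue, partner policy, key and sample record are
constructed; in practice the catalogue comes from the governance
tooling, and the key lives in a secrets manager, never with the partner.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed classification catalogue: field -> data class.
CLASSIFICATION: Dict[str, str] = {
    "customer_id": "internal",
    "email": "pii",
    "phone": "pii",
    "ssn": "restricted",
    "postal_code": "quasi",
    "plan": "business",
    "monthly_spend": "business",
}


@dataclass(frozen=True)
class PartnerPolicy:
    """Which data classes a given partner may receive, and in what form.
    Anything not listed in one of the three sets is dropped."""
    name: str
    passthrough: frozenset
    pseudonymize: frozenset
    generalize: frozenset


# Constructed policy for a hypothetical analytics vendor.
ANALYTICS_PARTNER = PartnerPolicy(
    name="analytics-vendor",
    passthrough=frozenset({"business"}),
    pseudonymize=frozenset({"internal", "pii"}),
    generalize=frozenset({"quasi"}),
)

# Constructed per-partner secret; a different key per partner keeps
# tokens unlinkable across partners.
PARTNER_KEY = b"constructed-example-key-for-analytics-vendor"


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256, truncated: deterministic for joins, but not
    reversible or brute-forceable without the key (an unkeyed hash of an
    email would be trivially reversed from a dictionary)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize(field: str, value: str) -> str:
    """Coarsen a quasi-identifier. Only postal codes are handled here;
    other quasi-identifiers are fully masked rather than leaked."""
    if field == "postal_code":
        return value[:3] + "**"
    return "*" * len(value)


def unclassified_fields(record: Dict[str, Any]) -> List[str]:
    """Governance gap check: fields present in the data but absent from
    the catalogue. These should block the export until classified."""
    return [f for f in record if f not in CLASSIFICATION]


def sanitize(record: Dict[str, Any], policy: PartnerPolicy,
             key: bytes) -> Tuple[Dict[str, Any], List[str]]:
    """Return (sanitized record, list of dropped fields)."""
    out: Dict[str, Any] = {}
    dropped: List[str] = []
    for field, value in record.items():
        cls = CLASSIFICATION.get(field)
        if cls is None:
            dropped.append(field)          # unclassified: fail closed
        elif cls in policy.passthrough:
            out[field] = value
        elif cls in policy.pseudonymize:
            out[field] = pseudonymize(str(value), key)
        elif cls in policy.generalize:
            out[field] = generalize(field, str(value))
        else:
            dropped.append(field)          # e.g. "restricted": never shared
    return out, dropped


# Constructed sample record; "notes" is deliberately missing from the
# catalogue to exercise the fail-closed path.
SAMPLE_RECORD: Dict[str, Any] = {
    "customer_id": "C-10042",
    "email": "ada@example.com",
    "phone": "+44 20 7946 0000",
    "ssn": "123-45-6789",
    "postal_code": "SW1A1AA",
    "plan": "pro",
    "monthly_spend": 42.5,
    "notes": "called about billing",
}

if __name__ == "__main__":
    gaps = unclassified_fields(SAMPLE_RECORD)
    shared, dropped = sanitize(SAMPLE_RECORD, ANALYTICS_PARTNER, PARTNER_KEY)
    print("governance gaps:", gaps)
    print("shared with", ANALYTICS_PARTNER.name, "->", shared)
    print("dropped:", dropped)
```

The gap check and the sanitizer are deliberately separate: the export pipeline should refuse to run while `unclassified_fields` is non-empty, and the sanitizer's fail-closed branch is only the backstop for a record that slipped through.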
Every company holds important information about, and relationships with, the people who entrust it with their private data. Every business should therefore want a clearer understanding of the related risks, and protection against them, under the banner of data governance, to avoid the costs and reputational damage that breaches inflict. That is especially true as the data-driven enterprise gains momentum and self-service analytics give users broader access to information, often without IT's knowledge.
Indeed, with nearly everyone in the enterprise involved in either maintaining or using the company's data, business and IT need to work together to discover, understand, govern and socialize these assets. This belongs in a data governance plan that makes all stakeholders responsible not only for enhancing data for business benefit, but also for reducing the risks that unfettered access to and use of it can pose.
Getting a handle on data governance
Multiple components must be considered to effectively support the data governance, security and privacy trinity. They are:
1. Data models
2. Enterprise architecture
3. Business process models
What’s key to remember is that these components act as links in the data governance chain by making it possible to understand what data serves the organization, its connection to the enterprise architecture, and all the business processes it touches.
Creating policies for data handling and accountability, and driving the culture change needed for people to understand how to work with data properly, are two important components of a data governance initiative. The third is the technology for proactively managing data assets. Without the ability to harvest metadata schemas and business terms, analyze data attributes and relationships, impose structure on definitions, and view all data in one place according to each user's role in the enterprise, businesses will be hard pressed to keep up with governance standards and with best practices for security and privacy.
As a consequence, the private information held within organizations will remain at risk. Organizations that suffer breaches will be deprived of the benefits they hoped to realize from the money spent on security technologies and the time invested in developing data privacy classifications, and they may face heavy fines and other financial consequences on top.
When all parties pay close attention to data elements and the data inventory, and when the business commits to understanding data across the enterprise architecture and knowing how it feeds into operational business processes, it becomes possible to take a granular, proactive approach to securing sensitive data and keeping it private. Finally, the dots will be connected.