Despite the recent surge in interest towards information security, we consistently see organizations unable to proactively determine what information requires protection, much less how it is used and whether or not the associated risks are known. For individuals charged with protecting an organization’s data, the statistics are disturbing. According to the latest research, only 51 percent have an accurate inventory of personal data and only 56 percent have an overall information security strategy. That is from a study of over 9,500 executives in 112 countries. In other words, thousands of organizations are fairly confident that they do not understand how their information is used.
Our experience shows that companies who do feel confident in their understanding of data usage typically have an important operational component that we loosely define as a data protection program. It is a proactive, purposeful team that does not merely throw tools at the problem but has a strategic objective of collaborating with business partners and data owners to make operations more secure. These successful teams apply a customer service mindset to the pursuit of business process risk mitigation. We have not seen a complex organization manage its data risk effectively without some form of this capability. The first step in building a data protection program is to set the goals and objectives of this critical program.
Data protection program objectives
What should my data protection program actually provide as a service to the business?
A data protection program should provide the business the ability to identify, visualize and manage the data breach risks that exist as a result of how they have chosen to do business.
A healthy program will direct its energy towards driving the enterprise’s business objectives forward, making recommendations that help business leaders keep data breach risk at realistic and sensible levels. Doing so requires a detailed understanding of how business processes work.
Example initiatives that a data protection program would facilitate:
- Identification and inventory of sensitive data to manage compliance requirements
- Removal of unnecessary sensitive data to mitigate data breach and consumer reputation risk
- Periodic business process re-engineering in light of threats and cybersecurity best practices
- Enforcement of retention policy without impacting existing business processes
- Responding to changing compliance/regulatory requirements impacting sensitive data
Once you figure out what your data protection program needs to do, the next step is to determine the capabilities necessary to execute the program in a way that will make progress towards these goals.
Data protection program capabilities
What capabilities does my program need to provide services to the business and achieve our objectives?
As introduced above, the data protection program provides the business with visibility into the data breach risk inherent to how they have chosen to operate. Moreover, the data protection program provides realistic and sensible recommendations on reducing or eliminating these risks.
Doing this consistently and sustainably requires, in some form, the following components or capabilities:
- clearly defined data classification scheme and guidance from policies and standards
- methodology to understand how and why sensitive data is stored, processed, transmitted, and destroyed
- regular identification and business-aligned measures of associated risk
- framework for prioritizing and executing mitigation activities, such as cybersecurity solution implementation
With business priorities, regulatory compliance, and threats continually changing, all of these components must be revisited periodically to promote continued alignment.
As organizations begin making progress towards their data protection goals, they will find that many of the requisite people, processes, and technology components already exist. Implementing the program is as much about relationships with stakeholders as it is about building new solutions. Not to mention, you simply can’t do it all yourself.
Common stakeholders and partners
Who needs to be involved to ensure maximum effectiveness and collaboration?
This depends highly on the structure of your organization, but we commonly find ourselves partnering with the teams mentioned below:
Policy and compliance
Policy and compliance own the policies and standards that define what is and is not permitted. The data classification tiers, the definition and classification of data types commonly used by the business, and the rules for acceptable handling and interaction are critical to clearly and consistently protecting your sensitive data. Policies which support your data protection requirements also enable internal and external audit to drive the identification of risks.
Legal
Legal determines the interpretation of relevant regulation, privacy concerns, the scope and application of litigation hold, etc. This may also include ownership of privacy requirements and classification, or at least the terms of data retention and removal. Legal is also integrally involved in contracts, a critical governance junction for managing third party risk.
Training and awareness
Training and awareness owns the very significant responsibility for the general education and institution of policy across the enterprise, including third parties. Of specific relevance are the data classification and handling requirements and acceptable use; this may also include training modules specifically required by various regulatory compliance standards and frameworks. They may also contribute to remediation by designing modules that target and mitigate prevalent but high-risk associate practices.
Human resources
HR is a downstream consumer of data protection services but owns or strongly influences disciplinary action and performance reviews. The data protection policies and standards should be designed with an understanding of the expected disciplinary action in response to (repeated) infractions. HR is a significant stakeholder for the employment contract, as well as for relevant processes such as onboarding, role changes, and terminations.
Data protection is a team sport, and there are many other groups that should be involved and informed as the program continues to grow.
Capabilities that are not owned or co-owned by other groups will be the responsibility of your team. Depending on your goals, you will need to update, expand, or build these capabilities from scratch. You may even find that your teams need restructuring, or that technologies should be scaled down or retired completely.
How do I close the gaps in my program capabilities with the limited resources available?
With limited information security budgets and headcount, we find many of our clients looking for capital investments that enable the existing team and program to provide better value with the solutions they already have. It is also common for existing data protection components to be “siloed,” independently providing a capability but failing to further program or business objectives.
Data protection leaders will benefit greatly from having a clear set of tactical and strategic objectives, and aligning their existing capabilities to these objectives. New solutions should only be implemented where a clear gap stands in the way of achieving your objectives.
A common example is data loss prevention (DLP). Many companies have implemented DLP in order to obtain visibility into a subset of sensitive data, and the ability to block exfiltration. Beyond this, DLP does not further the program’s data protection goals and objectives, nor is it used to better educate the data protection team on how the business operates.
The first step in data protection is understanding the business and how it interacts with data. Blocking credit card data leaving via email is important, but greater value is found in understanding why it was being sent in the first place. Understanding the end-to-end process yields a broader and more complete picture of data breach risk, and it also enables your program to design a solution that is mutually acceptable.
A business-centric data protection program will shift your reputation from being a hindrance to being a strategic partner in identifying and reducing business risk.
This article originally appeared on CSOOnline.com