The Pervasiveness of Data and Data-Centric Security Strategy
Regardless of what business you are in, a data security breach is an increasingly likely scenario that all businesses must mitigate. With escalating cybercrime, the widespread growth in Cloud computing, and the explosion in mobile devices and varying tech and app use amongst employees and partners; key aspects of enterprise security are now, and will forever be, beyond our control.
In fact, Gartner has forecasted that security and risk management spending worldwide will grow 12.4% to reach $150.4 billion in 2021. Even with that investment, the number of data breaches is increasing.
The pervasiveness of data and the complexity of the underlying environment continues to increase by orders of magnitude, and increased vulnerability around sensitive data is here to stay for all businesses. But for CISOs, is it merely a question of continually bolstering an organisation’s core defenses—the systems, applications, devices and networks that enclose data?
The fact is that with more apps, more data, more networks, and more logins than ever before, sensitive data may be at risk out of sight and beyond the reach of security teams. Gaps in security policy and process will always exist and a policy of ‘building walls’ with strong perimeter-based security, authentication, encryption and more will sometimes fail.
The Four Key Gaps In Information Security Architecture
There are four key gaps in information security architecture that revolve around employee and external partner behaviors, and can only be remedied with data-centric security practice (and by engendering a solid security culture within the business). For CISOs these pain points pose serious risks in terms of maintaining compliance and can create a reactionary environment of playing continual catch-up.
The Behaviour Gap: Usability poses a major challenge to CISOs. People simply want to find the fastest, most convenient way of doing something. In fact, human error is still the number 1 cause of data breaches in 2021. Sensitive files will be added to USBs or data copied to unsecured documents, secure FTP servers may be bypassed, and people may not always adopt the security processes in place.
The Visibility Gap: Sensitive data travels. Average employees send emails in their tens of thousands per year and many receive files they were not meant to see. IT Governance lists a staggering number of serious enterprise data breaches in March 2021 alone.
Who accesses data once it’s shared beyond a business’s devices, networks, and applications and how it is used is beyond your control and lies outside of your monitoring, auditing, and tracking technologies.
Where files and data are shared outside your organisation, the nature of the information within them cannot be tracked or audited once it leaves your server.
The Control Gap: Lost files or leaked information can go beyond an organisations control. Identity and Access Management, Mobile Device Management and Data Loss Prevention (DLP) systems, all help to monitor and control employee access to data. But data that leaves the systems and networks within your sphere of influence is effectively out of your control.
Lost or leaked information can bear serious consequences with no way to shut down the information once leaked, and potential violations that must be reported with implications around compliance.
The Response Time Gap: There is a time lag between uptake of a new application or behavior and the ability of CISOs to understand and respond. It's what puts security teams into reactionary mode and can take weeks or months to identify, during which time you don’t know what’s happening with sensitive information.
Technology changes quickly and in many organizations employees bring their own devices, applications, and expectations of how to work. Departments purchase applications and devices, which in turn generate more sensitive, proprietary information.
In the rush to get business done, security is often left to play catch-up and security breaches may be the unintended consequences of this gap.
Security needs to operate at the speed of business, with flexibility to adapt to the unknown. Your Response Time Gap may be measured in days, weeks, months, or quarters. The longer it is, the greater the risk of people taking measures into their own hands, or of sensitive data going untracked into new applications.
Closing the Data Security Gap with Data-Centric Security Strategies
Collaboration, innovation, partnerships, and business development are the behaviors that drive business growth and all are dependent on trusted exchanges of vital information.
When these new unforeseen breaches take place, CISOs must respond by evolving from infrastructure-centric security measures with multiple layers of defense, to data-centric approaches that protect what really matters: the data itself.
Data Loss Prevention (DLP) solutions, data encryption solutions and Digital Rights Management (DRM) tools often take a limited view of the data to be protected, for example files on a server or emails leaving the network, and they still depend on the idea of walls—systems, devices or networks that enclose data.
Businesses need to be able to guarantee file-level security—to secure, track and share any kind of data, no matter where it’s stored or located, with robust policy enforcement, strong encryption, and strict access controls. Data-centric security solutions also enable employees to collaborate freely while ensuring a high level of security and visibility, and even revoke access to sensitive data that has been shared by email mistakenly. Further, by adding a cloud-based tether, access to data can be managed with access rights and the data decrypted if the person is approved.
Data is the lifeblood of business and, by locking it down too tightly, business slows down and potentially diminishes its value. CISOs should adopt a data-centric security solution that secures sensitive data through its entire life cycle; everywhere it travels, no matter who has it or where it’s stored. By adding in this additional layer of security, data is protected in motion, in use, or at rest, inside or outside the organization.