If data is the lifeblood of organizations, how are businesses protecting it? Michelle Finneran Dennedy, in her book The Privacy Engineer's Manifesto, describes five stages of protecting data in the information age:
The question is, where are CIOs in this progression of protecting data? This was a recent topic of discussion at our weekly #CIOChat Twitter chat session.
Should CIOs be focused on creating better fortresses? Or on securing data and who can access it?
There are clearly two distinct views amongst CIOs. Some believe that while the fortress is a past mindset, it is still important. They believe the fortress represents the first line of defense, but restrictions on access rights and usage need to be part of the mix.
These CIOs assert that you shouldn't surrender your boundaries entirely, if only to keep junk traffic and DDoS traffic out. They suggest boundaries are foundational. These CIOs think data security and access rights are the next thing IT organizations need to get better at. They go on to say that while the fortress must be strong, the people part of the equation is the weakest link in protecting the enterprise. If someone has acquired an employee's credentials, especially if they have the employee's phone and have broken a weak password, they can get past multi-factor authentication. At that point the fortress is broken.
Other CIOs, however, suggested fortress thinking is similar to the French Maginot Line. These CIOs say that fortress-style security is doomed to fail. They think traditional security models are like eggshells: strong when pressed from the ends, but they fall apart when squeezed or stretched. They suggest that, for this reason, fortresses have historically proven to be a failure.
These CIOs say that we should no longer be preoccupied with the fortress walls. While they recommend good perimeter hygiene, they say the focus needs to move to pattern- and behavior-based security. They suggest that IT leaders move away from current static security methods and evolve towards a more active and continuously evaluated posture. These CIOs think data security is tied to data categorization and usage characteristics. They favor "security by design" in the application the data supports.
These CIOs see identity and access management as the boundary broker. They say, for this reason, it is important to focus on securing data with an awareness of access layers and exterior entry points. At the same time, they think it is time to move away from holding on to data tightly. We need, they say, to protect data while at the same time making it available to the appropriate people through appropriate APIs. They believe the tighter you make the protections, the more data will slip through.
Governance and cybersecurity related to data are clearly hard. But this is what makes the problem so interesting and challenging. These CIOs think we all accept that there is no way to keep everyone out all the time. For this reason, protecting data in an insecure world comes down to how well you control access by those who hold access credentials.
Given this, it is important to manage risk appropriately. CIOs, in general, say they feel comfortable with tiered encryption approaches along with a security monitor at each layer. They also agree that different user groups (partners, internal users, or consumers) should have variable trust levels and rules for data engagement. In passing, one CIO said that they had heard about a CIO who is starting to remove firewalls in favor of more sophisticated solutions. They suggested this step is counterintuitive, but interesting nevertheless.
Can CIOs protect data better through policing endpoints?
CIOs say that it is important to adopt a zero-trust stance: begin with the assumption that everything is possibly compromised and go from there. They suggest that things like BYOD and the ability to extract data through inappropriate means show that current approaches stretch only so far. You will have to weigh accessibility and flexibility constraints against security requirements at each design or policy decision.
CIOs believe that you can't ignore endpoint security. They say efforts need to be sustained but should be based on a what-you-can-afford-to-lose strategy. They say to start by protecting data at the source and then work your way back to the transport and device levels. IT organizations need to do the endpoint security basics (override administrative passwords, put endpoints on separate VLANs, etc.), but "policing" beyond this can get costly, especially for smaller organizations.
CIOs say that endpoint security (and encryption in transit to and from the endpoint) is a requirement. Vetting SaaS and COTS products to see how they cache, save, and secure data on the endpoint should be part of that process. One CIO suggested traditional policing isn't the answer and that active-active policing is a better solution. Start with least privilege but always verify the heck out of traffic, says one CIO.
Other CIOs say that unless 100% of the customer base, technology suppliers, and applications are all behind the same firewalls, policing endpoints won't by itself stop breaches. You need digital rights management, encryption, and access controls. However, to be clear, if data can be viewed on a screen, it can be captured with nothing more than a smartphone.
CIOs say most compromises these days come from phishing and social engineering and not from technical vulnerabilities. For this reason, new approaches are needed. CIOs say that endpoint policing doesn't prevent social engineering attacks. For these, the ability to protect via encryption and tools that aggregate and refine risks is of increasing importance. A higher education CIO said that in businesses there may be more control over user devices, but in higher education most endpoint devices are BYOD. For this reason, they say, protect at the access and permissions layers. In sum, CIOs say to police endpoints, but securing data is a separate matter.
How should CIOs bring about the data governance to truly protect data?
Data governance, CIOs say, is at the heart of this. They say as well that it can be one of the most difficult areas in which to get a lasting, workable solution. With governance in place, however, it is possible to set the requirements that make design and architecture work.
CIOs believe that it is important for IT leaders to understand their organizations. They need to regularly assess their organization's needs and ability to handle change. This involves planning, executing, and evaluating. CIOs need to be cheerleaders for reinforcing and improving governance and stewardship. They also need to understand that data governance is not an overnight thing: it is a journey. Importantly, CIOs believe that the business must own data governance and stewardship. Otherwise, the CIO's initiative will fail.
The best way to start the conversation is to ask the business to define what is and isn't critical and to what lengths they want IT to go to protect it. IT organizations shouldn't decide this on their own. As well, CIOs say that IT leaders should get the business's take on data stewardship roles and on building processes to establish good data quality. CIOs can show their value by providing smart analytics capabilities on the data.
There is generally a good case for prioritized cleanup processes where appropriate. CIOs say to get rid of social security numbers in all but approved business processes, and those processes should be reviewed every year. They suggest that IT leaders look for opportunities to optimize old processes. Meanwhile, it is critical to expose data issues, select data owners, and then implement data governance.
A higher education CIO said the strength of governance depends on industry culture. They envy those who can tell users what they can and cannot do and what devices they can and cannot use, but they say this is not the way things work in higher education. Another CIO said at this point that data governance ownership is the biggest hot potato they have encountered during their career. They said, unfortunately, that if you lead the discussion, you could end up leading the initiative. CIOs need a plan to get the business units to take a leadership role, because data governance is critical.
In general, CIOs say the data governance discussion can involve a lot of technical jargon. This needs to be avoided if you want to get business leaders on board. CIOs say you need the right people at the table to identify what is needed and what exists. The legal team, records management, DBAs, product owners, and HR need to be involved. CIOs believe it is important to put in place an information governance professional who knows data and content and can lead the organization through the journey of identifying and securing data assets.
CIOs say data inspection is important, especially if leadership claims their data house is in order, because someone likely has data stashed away. Given this, CIOs need to facilitate a business conversation about data definitions, types, and risk profiles. CIOs need business leaders who have some basic understanding of the issues.
One CIO said something surprising at this point. They said that, in many industries, very little data is proprietary. Given this, they said it is important to focus the business on what needs to be secured. CIOs say as well that IT leaders should keep in mind that data protection isn't binary: either you have it or you don't. There is always another row, field, hierarchy, or usage context that needs to be factored into data governance.
CIOs say usability and convenience drive behavior patterns. If data security is too hard, they say, alternative approaches will emerge. It is important to make sure data owners are part of the solution from the beginning. For some CIOs, the move to the cloud represents an opportunity to make things better. They see it as an opportunity to more fully use the security functions and encryption that are increasingly built in, and as an opportunity to create better end-to-end security by design.
At the same time, it is important to have a transparent process. Many organizations discover data protection issues and don't report them. One CIO said in exasperation that at every security review they have done recently, they have uncovered breaches that were silently fixed by IT without business leadership even knowing.
How about privacy? How can CIOs ensure that its protection is engineered into data?
CIOs say that as part of data governance, you often need to design around the systems and applications that use the data. You need policy, good awareness, and training to have a fighting chance. One CIO said here: if only we had decent privacy laws in the US.
CIOs insist privacy should be designed into the application experience. While it is a matter of semantics, GDPR is independent of the data itself and more related to its use, storage, and availability. For this reason, privacy lives in the approach, process, and technology, not in the data itself. CIOs suggest that it is important for applications to have a security model. One CIO said that they appreciate the intent and concepts of GDPR, but implementing them has been a challenge. It has demanded solution design for any new capability to make it manageable.
CIOs believe that it is important to start with a philosophy of "if you don't need it, don't collect it," and to always provide a way for users to see and delete their own data. Clearly, privacy is a much more manageable thing if you don't have bunches of data lying around. At the same time, CIOs say it is important to do a good job of role-based design in application design. You increasingly need to have internal trusted roles extending out to partners and then to consumers or outside parties. The hard part is making sure your partners' privacy practices integrate with your own policies. This can involve contractual management of partners and audits.
At the same time, you shouldn't be sloppy by allowing all the keys to be held by the DBA. Hackers have gotten smart and started doing social engineering aimed at these folks. We need to change the mindset so that data protection and privacy are baked in by using a security framework by default. In summary, don't collect or save it if you don't need it. And share the knowledge of why it is collected openly and persistently.
CIOs had a lot of items on their lists. Here were the top 10:
- Employee education and training
- Inventory and audit of your data, an understanding of how it can be accessed, and an evaluation of the risk
- Executive sponsorship, championship, and ownership
- Great internal communications
- An assessment of what’s working well including governance, policies, and team member skills
- A governance chair who is responsible for incorporating and applying on-going changes and risks
- A focus on privacy out of the gate
- Great tools for aggregating risks to narrow focus of response and spend
- Great tools for protecting data (data encryption, network pattern analysis, device protection, threat detection, malware removal at the network edge, endpoint protection with DLP, and multi-factor login for everything)
- Secure coding training for your staff plus a Zero Trust posture
CIOs are clear-headed about the need to protect data through good people, process, and technology. They realize that they cannot do this on their own. It requires a village, including business leaders and all employees. Armed with this and good policies and governance, IT organizations can help their businesses do better at protecting data in an increasingly insecure world.