If data is the lifeblood of organizations, how are businesses protecting it? Michelle Finneran Dennedy, in her book The Privacy Engineer’s Manifesto, describes five stages of protecting data in the information age:

Firewalls
Nets
Extranets
Access
Intelligence

The question is, where are CIOs in this progression of protecting data? This was a recent topic of discussion at our weekly #CIOChat Twitter chat session.

Should CIOs be focused on creating better fortresses? Or on securing data and who can access it?

There are clearly two distinct views amongst CIOs. Some believe that while the fortress is a past mindset, it is still important. They believe the fortress represents the first line of defense, but restrictions on access rights and usage need to be part of the mix.

These CIOs assert that you shouldn’t surrender your boundaries entirely, if only to keep junk traffic and DDoS traffic out. They suggest boundaries are foundational. These CIOs think data security and access rights are the next thing IT organizations need to get better at. They go on to say that while the fortress must be strong, the people part of the equation is the weakest link in protecting the enterprise. If someone has acquired an employee’s credentials, and especially if they also have the employee’s phone and have broken a weak password, they can get past multi-factor authentication. At that point the fortress is broken.

Other CIOs, however, suggested fortress thinking is similar to the “French Maginot Line”. These CIOs say that fortress-style security is doomed to fail. They think traditional security models are like eggshells: strong when pressed from the ends, but they fall apart when squeezed or stretched. They suggest that, for this reason, fortresses have historically proven to be failures.

These CIOs say that we should no longer be concerned with the fortress walls.
While they recommend good perimeter hygiene, they say the focus needs to move to pattern- and behavior-based security. They suggest that IT leaders move away from current static security methods and evolve towards a more active and continuously evaluated posture. These CIOs think data security is tied to categorization and usage characteristics. They favor “security by design” built into the application the data supports.

These CIOs see identity and access management as boundary brokers. They say, for this reason, it is important to focus on securing data with an awareness of access layers and exterior entry points. At the same time, they think it is time to move away from holding on to data tightly. We need, they say, to protect data while at the same time making it available to the appropriate people through appropriate APIs. They believe that the tighter you make the protections, the more data will slip through.

Governance and cybersecurity related to data are clearly hard. But this is what makes them so interesting and challenging. These CIOs think we all accept that there is no way to keep everyone out all the time. For this reason, protecting data in an insecure world comes down to how well you control access by those who hold access credentials.

Given this, it is important to manage risk appropriately. CIOs, in general, say they feel comfortable with tiered encryption approaches along with a security cop/monitor at each layer. They also agree that different users – partners, users or consumers – should have variable trust levels and rules for data engagement. In passing, one CIO said that they had heard about a CIO who is starting to remove firewalls in favor of more sophisticated solutions.
They suggested this step is counterintuitive, but interesting nevertheless.

Can CIOs protect data better through policing endpoints?

CIOs say that it is important to adopt a zero-trust stance: begin with the thought that everything is possibly compromised and go from there. They suggest that things like BYOD and the ability to extract data through inappropriate means mean current approaches stretch only so far. You'll have to weigh accessibility and flexibility constraints against security requirements at each design or policy decision.

CIOs believe that you can't ignore endpoint security. They say efforts need to be sustained but should be based on a what-you-can-afford-to-lose strategy. They say to start by protecting data at the source and then work your way back to the transport and device levels. IT organizations need to do the endpoint security basics (override administrative passwords, put devices on separate VLANs, etc.), but "policing" beyond this can get costly, especially for smaller organizations.

CIOs say that endpoint security (and encryption in transit to/from the endpoint) is a requirement. Vetting SaaS and COTS products to see what caches, saves and stores of that data can exist on the endpoint should be part of that process. One CIO suggested traditional policing isn't the answer; active-active policing is a better solution. Start with least privilege but always verify the heck out of traffic, says one CIO.

Other CIOs say that unless 100% of the customer base, technology suppliers and applications are all behind the same firewalls, policing endpoints won't by itself stop breaches. You need digital rights management, encryption, and access controls. However, to be clear, if data can be viewed on a screen, it can be captured with nothing more than a smartphone.

CIOs say most compromises these days come from phishing and social engineering and not from technical vulnerabilities. For this reason, new approaches are needed.
CIOs say that endpoint policing doesn't prevent social engineering attacks. For these, the ability to protect via encryption, and tools that aggregate and refine risks, are of increasing importance. A higher education CIO noted that businesses might have more control of user devices, but in higher education most endpoint devices are BYOD. For this reason, they say, protect at the access/permissions layers. In sum, CIOs say police endpoints, but securing data is a separate matter.

How should CIOs bring about the data governance to truly protect data?

Data governance, CIOs say, is at the heart of this. They say as well that it can be one of the most difficult areas in which to get a lasting, workable solution. With governance in place, however, it is possible to set the requirements that make design and architecture work.

CIOs believe that it is important for IT leaders to understand their organizations. They need to regularly assess their organization's needs and ability to handle change. This involves planning, executing, and evaluating. CIOs need to be cheerleaders for reinforcing and improving governance and stewardship. They also need to understand that data governance is not an overnight thing; it is a journey. Importantly, CIOs believe that the business must own data governance and stewardship. Otherwise, the CIO will fail at this initiative.

The best way to start the conversation is to ask the business to define what is and isn't critical and to what lengths they want IT to go to protect it. IT organizations shouldn't decide this on their own. As well, CIOs say that IT leaders should get the business’ take on data stewardship roles and on building processes to establish good data quality. CIOs can show their value by providing smart analytics capabilities on the data.

There is generally a good case for prioritized cleanup processes where appropriate.
CIOs say get rid of social security numbers in all but approved business processes, and those processes should be reviewed every year. They suggest that IT leaders look for opportunities to optimize old processes. Meanwhile, it is critical to expose data issues, select data owners, and then implement data governance.

A higher education CIO said the strength of governance is dependent upon industry culture. They envy those who can tell users what they can and cannot do and what devices they can and cannot use, but they say this is not the way things work in higher education. Another CIO, at this point, said that data governance ownership is the biggest hot potato they have encountered during their career. They said, unfortunately, if you lead the discussion, you could end up leading the initiative. CIOs need to have a plan to get the business units to take a leadership role, because data governance is critical.

In general, CIOs say the data governance discussion can involve a lot of techno jargon. This needs to be avoided if you want to get business leaders on board. CIOs say you need the right people at the table to identify what is needed and what exists. The legal team, records management, DBAs, product owners, and HR need to be involved. CIOs believe it is important to put in place an information governance professional who knows data and content and can lead the organization through the journey of identifying and securing data assets.

CIOs say data inspection is important, especially if leadership claims their data house is in order, because someone likely has stuff stashed away. Given this, CIOs need to facilitate a business conversation about data definitions, types, and risk profiles. CIOs need business leaders who have some basic understanding of the issues.

One CIO said something surprising at this point. They said that, in many industries, very little data is proprietary. Given this, they said it is important to focus the business on what needs to be secured.
CIOs say as well that IT leaders should keep in mind that data protection isn’t binary, something you either have or don’t have. There is always another row, field, hierarchy, or usage context that needs to be factored into data governance.

CIOs say usability and convenience drive behavior patterns. If data security is too hard, they say, alternative approaches will emerge. It is important to make sure data owners are part of the solution from the beginning. For some CIOs, the move to the cloud represents an opportunity to make things better. They see it as an opportunity to more fully use the security functions and encryption that are increasingly built in, and as an opportunity to create better end-to-end security by design.

At the same time, it is important to have a transparent process. Many organizations discover data protection issues and don't report them. One CIO said in exasperation that at every security review they have done recently, they have uncovered breaches that were silently fixed by IT without business leadership even knowing.

How about privacy? How can CIOs ensure that its protection is engineered into data?

CIOs say that as part of data governance, you often need to design around the systems and applications that use the data. You need policy and good awareness and training to have a fighting chance. One CIO said here, if only we had decent privacy laws in the US.

CIOs insist privacy should be designed into the application experience. While it is semantics, GDPR is independent of the data itself and more related to its use, storage, and availability. For this reason, privacy is in the approach, process, and technology, not in the data itself. CIOs suggest that it is important that applications have a security model. One CIO said that they appreciate the intent and concepts of GDPR, but implementing them has been a challenge.
It has demanded solution design for any new capability to make it manageable.

CIOs believe that it is important to start with the philosophy that if you don’t need it, don’t collect it, and always provide a way for users to see and delete their own data. Clearly, privacy is a much more manageable thing if you don’t have bunches of data lying around. At the same time, CIOs say it is important to do a good job of role-based design in application design. Increasingly, you need roles that extend from trusted internal users out to partners and then to consumers or other outside parties. The hard part is making sure your partners’ privacy practices integrate with your own policies. This can involve contractual management of partners and auditing.

At the same time, you shouldn’t be sloppy by allowing all the keys to be held by the DBA. Hackers have gotten smart and started doing social engineering aimed at these folks. We need to change the mindset so that data protection and privacy are baked in, by using a security framework by default. In summary, don’t collect or save it if you don’t need it. And share openly and persistently the knowledge of why it is collected.

What 10 things should immediately make the CIO’s investment list for data protection?

CIOs had a lot of items on their lists.
Here were the top 10:

Employee education and training
Inventory and audit of your data, an understanding of how it can be accessed, and an evaluation of the risk
Executive sponsorship, championship, and ownership
Great internal communications
An assessment of what's working well, including governance, policies, and team member skills
A governance chair who is responsible for incorporating and applying ongoing changes and risks
A focus on privacy out of the gate
Great tools for aggregating risks to narrow the focus of response and spend
Great tools for protecting data (data encryption, network pattern analysis, device protection, threat detection, malware removal at the network edge, endpoint protection with DLP, and multi-factor login for everything)
Secure coding training for your staff plus a Zero Trust posture

CIOs are clear-headed about the need to protect data through good people, process and technology. They realize that they cannot do this on their own. It requires a village, including business leaders and all employees. Armed with this and good policies and governance, IT organizations can help their businesses do better at protecting data in an increasingly insecure world.
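Several threads of the chat above fit together into one small mechanism: least privilege with default deny, trust tiers that widen from internal roles out to partners and then consumers, field-level rules (there is always another field or usage context to factor in), a self-service path for users to see and delete their own data, and an audit record of every decision so that access by credentialed users can be reviewed. The Python below is an added illustration of that combination; it is not code from the post or from any CIO quoted in it. The tier names, the field policy, the purpose check, the sample record and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Trust tiers, widening outward as the chat summary describes:
# trusted internal roles, then partners, then consumers. (Assumed names.)
INTERNAL, PARTNER, CONSUMER = "internal", "partner", "consumer"

# Field-level read policy (constructed sample): the tiers allowed to read
# each field. Default is deny, and no tier may read "ssn" unless an
# approved process explicitly grants it (see approve_field_for_process).
FIELD_POLICY: Dict[str, Set[str]] = {
    "customer_id": {INTERNAL, PARTNER, CONSUMER},
    "email": {INTERNAL, PARTNER},
    "address": {INTERNAL},
    "ssn": set(),
}

AUDIT: List[dict] = []  # every decision is recorded for later review


@dataclass
class Principal:
    subject: str        # identity of the caller
    tier: str           # INTERNAL, PARTNER or CONSUMER
    purposes: Set[str]  # usage contexts this caller is approved for


@dataclass
class Record:
    owner: str             # the consumer the record is about
    data: Dict[str, str]


def make_sample_store() -> Dict[str, Record]:
    """Constructed sample data; the SSN value is an obvious placeholder."""
    return {
        "alice": Record("alice", {
            "customer_id": "c-1001",
            "email": "alice@example.test",
            "address": "1 Sample Street",
            "ssn": "000-00-0000",
        }),
    }


def approve_field_for_process(field: str, tier: str) -> None:
    """Explicit, reviewable grant for an approved business process."""
    FIELD_POLICY.setdefault(field, set()).add(tier)
    AUDIT.append({"event": "grant", "field": field, "tier": tier})


def read_record(p: Principal, rec: Record, purpose: str) -> Dict[str, str]:
    """Return only the fields this caller may see for this purpose.

    A consumer reading their own record bypasses the field policy
    (self-service view); everyone else needs an approved purpose and
    per-field tier permission. Withheld fields are simply omitted, so the
    caller learns nothing about what exists but was not disclosed.
    """
    self_service = p.tier == CONSUMER and p.subject == rec.owner
    if not self_service and purpose not in p.purposes:
        AUDIT.append({"event": "read", "subject": p.subject, "owner": rec.owner,
                      "purpose": purpose, "decision": "denied", "fields": []})
        return {}
    visible = {
        name: value for name, value in rec.data.items()
        if self_service or p.tier in FIELD_POLICY.get(name, set())
    }
    AUDIT.append({"event": "read", "subject": p.subject, "owner": rec.owner,
                  "purpose": purpose, "decision": "allowed",
                  "fields": sorted(visible)})
    return visible


def delete_own_record(p: Principal, store: Dict[str, Record]) -> bool:
    """Self-service deletion: only the owning consumer, only their record."""
    rec = store.get(p.subject)
    ok = p.tier == CONSUMER and rec is not None and rec.owner == p.subject
    AUDIT.append({"event": "delete", "subject": p.subject,
                  "decision": "deleted" if ok else "denied"})
    if ok:
        del store[p.subject]
    return ok


if __name__ == "__main__":
    store = make_sample_store()
    ops = Principal("ops-bob", INTERNAL, {"support"})
    shipper = Principal("shipper-co", PARTNER, {"shipping"})
    alice = Principal("alice", CONSUMER, set())
    print(read_record(ops, store["alice"], "support"))       # no ssn
    print(read_record(shipper, store["alice"], "marketing"))  # {} wrong purpose
    print(read_record(alice, store["alice"], "self"))         # all fields
    print(delete_own_record(shipper, store), delete_own_record(alice, store))
```

Two design points are worth noting. The policy is keyed by field and tier rather than by application, which is what lets the same rule apply whether the data is reached through an internal tool, a partner API or a consumer portal. And sensitive fields start with an empty tier set, so the only way an SSN becomes readable is an explicit, logged grant for a named process, which is exactly the kind of entry a yearly review can walk through.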