The more I cover compliance — which is a lot these days — the more I realize that organizations still have work to do in discovering and protecting sensitive data. I actually think the problem is a simple one, and it follows that old adage: “Too many cooks spoil the broth.”
In this case, the broth is data security, and the cooks are department heads trying to individually address mandates. For instance, someone in charge of retail sales might be concerned about protecting credit card numbers in accordance with the Payment Card Industry’s Data Security Standard. Meanwhile, a benefits manager in human resources worries over disclosing personal health information, which would violate HIPAA.
But all the fretting happens in discrete silos, forcing IT to dispatch simplistic tools that identify and secure specific data. As even the smallest of businesses has to pay attention to multiple laws and industry regulations, this one-off approach to data protection is incredibly flawed.
A siloed approach to meeting requirements prevents the development of a universal standard for what constitutes sensitive data across the business. Instead of pooling resources for a sophisticated tool that can automate the creation and enforcement of policies that target sensitive data, departments or IT wind up with insufficient software that leaves gaps in protection.
It shouldn’t take splashy headlines like those screaming the loss of data at the Veterans Administration, Heartland Payment Systems, and TJX Cos. for CFOs to see that they just might be the ones to take the lead. The finance chief is often the person most familiar with laws, mandates and corporate governance, and belongs as a member — if not the leader — of a cross-functional team uncovering the sensitive data that exists throughout the organization.
Once it is clear what data is sensitive, that data can be examined closely — to determine what type of security would best match not only the regulations, but also the organization’s own expectations. Perhaps the CFO could recommend that whole disk encryption be used for all finance and human resources teams, as the information they interact with and store carries too much risk. Or the finance chief might conclude that secure email gateways are necessary to ensure that intellectual property such as patents isn’t leaking out of research and development.
The CFO is also the best person to weigh in on the reporting that should accompany security tools. Finance knows what the auditors are looking for and what it needs in order to respond if a breach does happen. That might not be something another department head would have insight into.
By centralizing sensitive data protection at the CFO level, with input from data stewards in each department, a business can create a better strategy for stopping leaks and answering compliance and regulatory demands.