Like any other risk, breach and data loss need to be managed and prioritized, and in practice they can be managed and their consequences limited. Vulnerabilities still need to be managed, and there are threats other than data theft to address, but managing the risk of data loss requires more than fixing vulnerabilities. It requires understanding the consequence of loss for each class of data, so that breach-mitigating investment can be targeted where it matters. That in turn requires visibility: a clear picture of what data we hold, where we hold it, how we use it, how long we retain it and how we protect it. This matters even more for regulated data and for companies operating overseas.
A different approach may be required. Threats are pervasive, and despite the availability of very powerful tools, enterprise-wide vulnerability management is complex, difficult and expensive to do well for all but the largest companies; most do not manage it well. For many, effectiveness is near impossible to achieve given limited budgets, the scarcity and cost of skilled staff and the difficulty of changing business culture. In the course of doing business we use data, transport it, share it and expose it. Whether it is a laptop left in a taxi, a lost flash drive, a click on a malicious link, or confidential data improperly secured or inappropriately shared in the cloud, loss, breach or theft, whether malicious or simply inevitable, is something we all deal with. A risk-based approach that accepts the inevitability of failure and positions for it focuses on protecting the networks and systems of highest priority and on building inherent self-protection into the most sensitive and consequential data, reducing the impact of loss, breach or theft. For most organizations it may prove the more workable protective strategy. Limiting breach requires that our most important data be made less obvious, harder to steal, disrupt or damage, and less attractive to thieves. Limiting consequence requires reducing the impact of the loss itself by rendering the data less exposable, less vulnerable and less exploitable through encryption, file expiration, digital wrappers and similar controls (encryption, for example, limits consequence only if the keys are kept apart from the data and are not lost with it). Limiting breach accepts inevitability; limiting consequence diminishes damage.
It is about capabilities and priorities. Prioritization does not mean that investment in detection capabilities, technical safeguards, investigative capability, threat management or threat intelligence for the enterprise as a whole deserves any less attention, provided the organization can leverage that investment and support it with appropriately skilled staff, ongoing staff development or an effective managed service. But not all organizations are prepared to take this on well, and the investment is significant. Where resources are limited and the data is valuable or sensitive, risk-based decisions governing protective investments are, and need to be, the strategy for success.
Prioritization of risk is a discussion in business terms: a discussion with business stakeholders about setting a strategy and carefully defined policy for data usage and care, and about making targeted, data-specific protective investments. It is a discussion executive management and line-of-business management understand well, and one in which they can find common ground even on matters as complex as technical threat. Most importantly, it is a discussion of shared ownership of risk-mitigating decisions and practical investments, and of acceptance of, or insurance for, the risk that remains. Data at risk, whether owned by the business, by legal or elsewhere, is ultimately managed by technology and technical operations. Personal ‘PII’ data, ‘company confidential’ data and critical ‘crown jewel’ intellectual property all fall to the CIO and CISO to protect.
Ultimately, mitigating data risk requires appropriately targeted protective investments, but as CIOs and CISOs we are often not as familiar as we need to be with the data we collect and store across our lines of business: where it resides, how it is or needs to be protected, or, for that matter, the consequences or measurable impact to the business of its loss, breach or theft. This is all the more an issue as access to the cloud lets individual lines of business capture and store data without IT involvement, the so-called shadow IT.
For all the exceptional benefits of cloud services when used correctly, mobility, cloud and storage virtualization have moved our data beyond our physical control and challenged our ability to monitor and protect many of our data assets effectively. Cloud providers themselves use cloud services downstream, as do their providers in turn, making contractual assurances of compliance and protection less binding and enforceable, and the ecosystem on which we depend less visible. Failure to select an appropriate cloud provider for a given type of data (a PCI DSS compliant provider for cardholder data, for example), or to activate and properly configure the security controls the provider offers, increases exposure.
Whether data ownership rests with the business, risk policy with legal, or storage and data management with the cloud service, a breach with data loss, however and wherever it occurs, leaves the company exposed and embarrassed: a tarnished brand, unpleasant press, angry investors, costs and potential liabilities, with the CIO and CISO foremost in the line of fire. It is still a bad day, but it is a better day, and a better story, if preparedness minimizes all of the above.
No approach eliminates all risk or the possibility of attack, breach or compromise of systems or data. Success is measured by the minimization of consequence, and by the brief and uninteresting press, if any, that follows.
Copyright Martin Gomberg (Dec. 2014). Do not copy, excerpt or distribute without authorization. Contact firstname.lastname@example.org
Property M J Gomberg Associates, Executive Risk Advisors