The right combination

9 May 2007

Why do we constantly read stories about security breaches, data theft and customer lawsuits stemming from confidential information getting lost or falling into the wrong hands?

I say it’s because enterprise managers view security as the method for protecting their information infrastructure, rather than focusing on the protection of the data itself. Organisations are better served when management and staff establish a culture of security, protecting valuable data and infrastructure resources.

Corporate executives, for the most part, continue to be more reactive than proactive when it comes to securing critical corporate and customer data. When security breaches make headlines, the mandate “keep us out of the press” is handed down to security managers. The mandate frequently carries no additional budget to deliver the security that is required for the task at hand.

Security managers continue to report that regulations and security policies are not translating into behavioural change. If anything, they report only sporadic enforcement of security policies and, in some larger enterprises, growing confusion over who owns the data protection problem. Where many different departments each own some part of the data security and privacy problem, the result is difficulty in reaching decisions and in deploying technology and process change.

It is time to acknowledge that security policies and technology alone, without buy-in from staff and enforcement by management, will not deliver regulatory compliance or the safety of customer, partner and employee information. It remains the task of management to make real-world assessments of the risks to data, of how those risks are best mitigated, and of how those decisions are promulgated and enforced throughout the enterprise. But ultimately, as I see it, the real challenge is in establishing a genuine ‘culture of security’ in which staff and management view their data resources as central to the health and success of their organisation.

So, develop an enterprise-wide security architecture, and a shared set of software tools and procedures, matched to the regulations in play and to the levels of control effectiveness required for compliance. When managers map regulatory requirements against actual business functions and eliminate redundant controls, they ‘right-size’ data security management to the real needs of the organisation. They also gain the best control over the costs of meeting legislative and regulatory compliance dictates.

First steps

To foster a culture of security, managers and employees must understand that protecting sensitive data is central to the firm’s, and their own professional, success.

Determine if you have a data-asset problem:
Can you trace the ebb and flow of data around your division or company over a 24-hour period?
Do you have multiple and/or redundant data-access standards across your company?
Do staff speak openly about ‘workarounds’ used to circumvent access standards for the sake of greater efficiency?

If any of these conditions exist, a potential data security problem exists as well. There are other tests, but these are three critical proof points.

Once an organisation knows what it must protect and which regulations apply, it can compare the steps it is taking against what those regulations actually dictate. You can wring out cost when you know exactly what you must do to comply with specific rules for specific kinds of information.

Establish simple data inventory metrics that determine the level of confidentiality required for each kind of sensitive information. When managers view compliance from this perspective, enterprise security is no longer an ‘add-on’ but a contributing element to overall business goals.

Focus, define, act, enforce

To establish a data security culture, here are some recommended actions:
Focus on protecting the data, not just the infrastructure.
Identify ‘common’ security technologies. Data encryption, identity management, message archiving and policy management tools often come into play for a wide range of regulatory dictates.
Use standard language and definitions to convey the need for regulatory compliance. When the same security ‘language’ is used throughout the enterprise, results are more readily accepted by staff and partners.
Follow industry-developed rule sets, for example the Payment Card Industry Data Security Standard (PCI DSS) and the guidance of the Open Web Application Security Project (OWASP).
Clean up your data ‘toxic waste dump’. Delete low-value, high-risk data where regulations permit, and actively reconcile conflicting regulations.
Develop a ‘penalty matrix’. It may seem distasteful, but create and publish a table of unacceptable security behaviours, and the penalties attached to them, to all employees who deal with sensitive data.

You recognise that your data is the lifeblood of the organisation. So to protect it, all concerned — management, staff and business partners — must agree on its value and the consequences — business and personal — that may accrue from its misuse, loss, or theft. It takes an enterprise-wide culture of security to achieve that kind of understanding.

By Mike Howse, EMEA director, Protegrity