Few business or IT leaders would question the importance of protecting data if asked directly, and the threat of a privacy or security breach has been made a real prospect in light of recent events. Whether the risk stems from the organization's own system administrators (as it did in the case of Edward Snowden) or from cybercriminals, such incidents can be costly for companies and their customers. In fact, even a single incident may leave a trail of billions of dollars in expenses if data such as payment card numbers is compromised. Most companies are likely aware of the risk, but the problem is that many do not have appropriate oversight of their own data security practices.
"To find out [who is responsible for data security], I like to ask questions," wrote former NSA inspector general Joel Brenner for Harvard Business Review. "But when I put the question to top management, well, they're busy - not their problem, that's for sure - and they refer me to the chief information officer or the chief technology officer. So I knock on their doors and put the same question to them. Our job, they say, is making stuff work. If the stuff doesn't work, that's our fault. But security?"
In large organizations, the list of people to whom security can be handed off is rather extensive, but even when there is a clear definition of who manages issues such as data protection, strategies may be fragmented. Numerous specialties must come together to form a comprehensive IT strategy for dealing with data breaches: risk management must assess potential threats and effective ways of dealing with them, IT is tasked with implementation and management, and human resources needs to be able to communicate any policies that affect employee behavior. However, according to Brenner, these teams rarely communicate effectively, creating information silos when it comes to security.
Connecting the IT security dots
There are two generic issues that must be addressed before a robust IT security strategy can be realized. The first is the way in which key stakeholders view data protection and security. As Brenner suggested, many decision makers see these safeguards as a necessary "deduction from the bottom line." Instead, businesses should view IT security as a value proposition. Of course, it is difficult to quantify the return on investment of customer trust. However, there is plenty of data to illustrate the cost of breaking that trust by mishandling information. For instance, the Ponemon Institute estimated that costs associated with lost business and reputational damage added up to $3.03 million per incident. In other words, data security is an investment that preserves how customers see the business.
The second issue deals with how solutions are implemented and managed and how effectively security policies are communicated to employees. This is the issue that Brenner focused on, and it requires a level of multi-departmental collaboration that many businesses lack. Even from a purely technical perspective, there are so many factors to address that a handful of people could not realistically cover them all.
"I'm not sure you're ever fully-prepared to face the challenges associated with information security because the threat landscape is so dynamic," Exostar information security director George Baker told Help Net Security. "I think what's most important is a mix of strategic planning, technical, and analytical skills so that you protect the organization as much as possible proactively, and are able to respond agilely and effectively when the unexpected befalls you."
Data security: Patching the business
From the insight these two experts shared, there are two far-reaching issues that must be resolved to improve data security in enterprise environments. The first is improving collaboration between departments so that planning, implementation, policy making and communication run smoothly. The second is to recognize that cybersecurity is an ongoing process rather than something that can simply be configured and forgotten about. For example, consider the objective of protecting sensitive data. Companies may implement the most robust data-centric security solutions the world has to offer (at the time) and methodically categorize every piece of information within their systems. However, without regular IT audits and continued evaluation, the strategy would ultimately leave cybersecurity gaps for the following reasons:
- Businesses create and collect new data every day
- New threats emerge that may invalidate old strategies
- User awareness plays a significant role in mitigating the risk from attacks like phishing and social engineering
- New systems are not always configured properly
- Compliance mandates may also change over time
All of these factors mean that organizations following best practices at a given point in time may not be doing so in the future. This makes it essential to perform regular evaluations of IT systems, matching their implementation and configuration against both compliance provisions and industry best practices. It is also important to make the distinction between those two items because following mandates like those outlined in the Payment Card Industry Data Security Standard (PCI-DSS) does not necessarily mean an organization is effectively safeguarding its data. In fact, TechTarget contributor Dan Cornell argued that relying solely on PCI or other standards makes it easy for organizations to take a checklist-based approach to security.
"These standards are 'one size fits all,' and the process that creates them tends to water down their effectiveness," Cornell wrote. "In addition, many organizations try to minimize the scope of their PCI exposure, and this can lead to decisions that are defensible within the strictures of the standards but do not actually address relevant risks appropriately. Checking checkboxes will not make you secure."
The first step to implementing a more comprehensive IT security strategy is to take stock of the organization's existing situation, identifying which departments should be responsible for managing the security program as well as what type of data is stored and where it is located. From there, multiple departments should come together to assess risk, identify potential solutions to each type of threat and establish minimum data security guidelines - for instance, it may be helpful to specify the minimum key length if encryption will be employed. Following implementation, it is essential to include policies for regular IT audits to ensure that all information is protected with the latest best practices and that all hardware and software are configured to meet business policies and compliance mandates.