I recently returned from the RSA Conference 2015 along with almost 30,000 security and privacy professionals from around the world. The conference was filled with technology, innovation, and discussions of the big challenges we face globally in an increasingly interconnected world. In his keynote address, the president of RSA, Amit Yoran, talked about a shift in compliance and consequences as well as a shift in technology – all of which are creating new pressures on organizations to rethink how they are implementing their governance, risk, and compliance programs as well as their data loss prevention and data protection methodologies.
A Changing View of Security
As enterprise organizations consider their strategies, they need to first understand the changing landscape. Customers – especially businesses – are increasingly using security as a discriminator. In fact, in many ways, a robust security and data privacy program has become a non-negotiable expectation of business. The evidence of this is that security is becoming increasingly woven into Service Level Agreements (SLAs), including those by cloud providers. Moreover, the average person is now more familiar with security. Breaches appear on the nightly news, and, as a consequence, consumers are more security-aware today than they ever have been in the past.
Not only is there a heightened level of awareness among consumers and concern about theft, fraud, and security, but there is also a change in the policy and regulatory landscape. Businesses have always had to adhere to regulations, guidelines, and standards, but audits have also changed the economics of risk and created an impending event. While hackers may or may not attack you, auditors will always show up. At the same time, disclosure laws mean that the consequences of failure have increased for organizations that suffer a breach. While we’ve seen a shift in the external pressures from consumers and regulators, technology has also leapt ahead – introducing a more complex and rapidly evolving ecosystem to protect, including far more data than has ever been managed before. As more applications and transactions happen over the Web, the cloud is completely changing our notion of a perimeter around which we can build protective walls. Worker mobility is also redefining the IT landscape, and personal employee devices are now becoming an integral part of enterprise IT.
So what does this mean for the economics of a security program? How can you protect everything against everyone? Mr. Yoran introduced five core principles that can help guide the thinking of most organizations and, when put into practice, will allow you to strategically revamp your program or help you realize that you have been doing it right all along.
Be Less Appealing to Attackers
Most attackers are not evil or insane – they just want something. The natural extension of this is that while most organizations simply do not have the budget to protect against “evil” people, they can protect against people who will look for weaker targets. This means that if you make it harder or less attractive for people to attack you and your organization, they will likely go somewhere else.
Know Your Data
Security is about mitigating risk at some cost. This means that, in the absence of metrics, we tend to focus on risks that are familiar or recent. Unfortunately, that means that we are often reactive rather than proactive, and it becomes very important to understand how data, people, and location weave together to create patterns – both good and bad – around and within your organization. Only by understanding the data you hold can you effectively protect it.
Simple Failures Lead to Breaches
Most costly breaches come from simple failures – not from attacker ingenuity. Bad guys, however, can be very creative if properly incentivized. Thus it is important to ensure that you are addressing simple controls and the “low hanging fruit” within your organization while placing appropriate controls around your most valuable assets at the same time.
Make it Easier on Your Users
In the absence of proper security education, people (employees, users, and customers included) make poor decisions with technology. This means that systems need to be easy to use securely and difficult to use insecurely. This is a critical point, and probably one of the single largest opportunities for security programs to be revamped. Make it easier for your end users to do the right thing than the wrong thing: create policies, rules, and IT controls that make common sense, enabling your end users to do their jobs effectively with the systems and controls that you want them to use. Don’t set up policies that are so cumbersome and restrictive that your employees are pushed to private cloud options in order to do their jobs effectively. At the end of the day, your employees will do what they need to do to get their job done. Join them in making it simple to use the systems you can control.
Protect from the Threat Within
Attackers usually don’t get in by cracking impenetrable controls. They look for weak points, such as trusting employees. Many organizations make the mistake of focusing their data protection strategies on keeping the outsider out, but in fact many breaches come from an attacker who is already inside. Whether intentionally or unintentionally, insiders pose the greatest threat to your data protection program. Fortunately, they are also the threat you can do the most to alleviate. Trust your end users to appropriately identify and classify the sensitive data they are handling or creating, but verify that they are doing so. Using a combined or layered approach to data classification can ensure that the policies, training, and tools you provide are being properly understood and integrated into the day-to-day tasks of your workforce.
What Does It All Mean to You?
In order to have a holistic and effective data privacy and data security program, you must understand that there simply is no such thing as perfect security. Instead, you must adopt a risk-based approach to implementing your data protection program. While that often starts with the legal and compliance team and ends with the chief information security officer (CISO), it also needs to focus on a day in the life of your everyday business user. Reality is perception – it’s important to create a pervasive culture of security and privacy controls within your organization that allows and enables the business to use its information to its full capacity. Rather than slowing the business from doing its job, effective controls will allow you to realize the potential of the data you do have, so that you can better achieve your business objectives without needing to live in fear of the potential breaches or risks that lie around the corner.