September 12, 2012
There is truth to the meme, “data is the new oil.” Data is the lifeblood of today's digital businesses, and for economic and even political gain, highly skilled cybercriminals are determined to steal it. Meanwhile, customers around the globe have become highly sensitive to how organizations track, use, and store their personal data, and it's very difficult for security pros to stay one step ahead of changing privacy laws and demands. Plus, as data volumes explode (today we talk in petabytes, not terabytes), it's becoming a herculean task to protect sensitive data and prevent privacy infringements.
Every day, vendors introduce a new product that claims to be the silver bullet for data security challenges. Consider that DLP remains one of the most popular search terms among security pros on Forrester.com. In the case of data security, there is no silver bullet. There is no way to solve the problem without a process framework that outlines how you go about discovering, classifying, analyzing, and then ultimately defending data. Forrester has created a framework to help security pros protect data – we call it the Data Security And Control Framework. If you take a framework approach, you will:
· Build a relationship with executives and secure budget. Proving security ROI and garnering the necessary budget isn't always easy. However, if you educate execs about the real risks to PII and intellectual property and work side by side with them to define, dissect, and defend this data, your business case for budget will be more compelling. In our framework, the process itself will also force you to understand the value of data in concrete terms, such as whether or not it generates revenue or helps maintain a competitive advantage.
· “Kill” your data and render it useless to potential cybercriminals. Once you've defined (discovered and classified) your most sensitive data, the best way to protect it is to "kill" it. "Killing" data through encryption, tokenization, and other means renders the data unreadable and useless to would-be cybercriminals. The process of defining your data also helps you target your security efforts — rather than attempting to kill every byte of data across your extended enterprise, you prioritize your limited budget to protect your organization's high-value, high-risk assets.
· Address regulatory compliance and privacy concerns. Killing data also helps you address regulatory compliance and data residency issues. In the digital age, data residency mandates (such as the EU Data Privacy Directive) that restrict the movement of data across national borders are difficult to implement and enforce. By encrypting restricted data, organizations facing this type of challenge have an effective tool within their reach. In many cases, breach notification laws will exempt an organization from notification requirements and fines if it had encrypted the compromised data (provided the encryption keys were not compromised along with it). In other cases, organizations have found ways to take advantage of desirable cloud services because the provider encrypted the data but the organization maintained the keys.
In Forrester's Data Security And Privacy playbook, we use our Data Security And Control Framework to help you make substantive changes to your processes and arm you with an arsenal of security technologies and services that together help you defend your data from cybercriminals. Another advantage of our playbook is that we tightly integrate it with our Zero Trust network architecture for a comprehensive view of security — data security can't be a separate discipline. Executing on this framework requires a four-step process:
1. Discover: Build the business case and assess your maturity. Amid all the hyped stories about military-grade malware like Stuxnet and Flame, business execs miss the real threats to their business — that cybercriminals are targeting intellectual property and that an erosion of customer confidence in your brand affects your reputation. Once you've reset executives' understanding of the data security challenge, you can then assess your current capabilities against our DLP maturity model and identify your weaknesses. You'll address these gaps in your long-term strategy and road map.
2. Plan: Create a strategy using our Data Security And Control Framework. We break the problem of securing and controlling data into three areas: 1) defining the data; 2) dissecting and analyzing the data; and 3) defending and protecting the data. In addition to the framework, we provide security pros with a data privacy heat map for understanding the privacy laws from around the world that will affect their security policies, and we list all the technologies and services that you'll need in your arsenal to kill your data.
3. Act: Hire the right staff, define policies, and implement security controls. To deal with constant changes in privacy laws, many organizations will need to hire a chief privacy officer (CPO). If your organization already has one, you'll need to work with him or her to define and enforce privacy policies. And depending on the mix of security controls you implement to enforce those and other security policies, it's possible that you'll need staff with specialized expertise in areas such as encryption and key management.
4. Optimize: Measure, monitor, and communicate your results. The board of directors and your CEO will constantly ask you questions such as "Are we secure?" or "How do we compare with our peers?" To answer these questions and secure more budget, you'll need some way to measure the effectiveness and value of your data security efforts and to benchmark these metrics to peers.
You can download the full Executive Overview for the Data Security & Privacy Practice playbook here.
So what do you think? How does Forrester’s vision of data security compare to yours? And will our playbook be useful? My colleagues – @Kindervag, @heidishey, @rickhholland, and @eferrara – and I are interested in your thoughts and feedback as we refine this playbook to help you in your job.