[BreachExchange] CISOs Must Evolve to a Data-First Security Program

Destry Winant destry at riskbasedsecurity.com
Wed Jul 31 09:57:38 EDT 2019


https://www.darkreading.com/threat-intelligence/cisos-must-evolve-to-a-data-first-security-program/a/d-id/1335334

Such a program will require effort and reprioritization, but it will
let your company fight modern-day threats and protect your most
important assets.

Data is the new currency. Businesses will thrive or wither based on
their ability to properly handle, protect, and utilize data. And
although the importance and potential of data are not in question, the
priority of data protection within security programs still has a way
to go.

For far too long, the fundamental thinking around enterprise
cybersecurity has circled around external threats. If we build a
strong perimeter of firewalls and scrutinize traffic crossing the
boundary, then we'll keep the "good" in and the "bad" out. More modern
security programs have still doubled down on external threat actors
with endpoint security software, antivirus sandboxes for email
attachments, and mobile device management.

In the past, these investments made sense in order to pursue a defense
against general threats and malware from "the outside." But technology
has evolved, and what matters now is different. In today's world,
fueled by rich web applications, corporate interconnectivity, cloud
systems, contract workers, and remote access, the notion of "outside"
and "inside," "us" and "them," is dead. In the world of a CISO who
can't focus on every problem, risk prioritization is king. So, instead
of attempting to thinly spread the security focus across a wide array
of externally facing infrastructure, we must ask ourselves this
question: "What do we fundamentally need to protect most?" The answer
is data.

While serving as CISO of Twitter, I instituted a "data-first" security
program. The goal of this was simple. From our risk analysis, the item
most important to our company was the protection of sensitive data
against any form of inappropriate or unauthorized access or
manipulation. Since data was the priority, we applied the focus of our
security efforts as close to the data as possible and then moved
outward. This meant asking questions like: "How is the data protected
at rest?" "What services/people can access the data?" and "How do we
authenticate the services and detect malice or deviations?"

We asked these questions even though the data was deep inside the
internal network. By inverting the traditional security model, we
focused on the controls that actually protect the data first.
Afterward, we moved outward in "concentric circles" to provide layers
of defenses across the entire stack used to access the data (that is,
the servers, workstations, humans, etc.).

The reason the data-first security thinking is so important is that
the traditional "outside-in" perimeter security approach makes too
many assumptions that no longer hold true. If the strength of your
security relies on a strong perimeter, then what happens if an
internal employee is compromised or goes rogue? Do the attackers have
full lateral movement and access to data? If so, then the perimeter
security approach is only one security failure away from a massive
company data breach.

Because of data protection regulations such as GDPR and the California
Data Protection Act, a shift to a data-first security program makes a
lot of sense. But this isn't just a movement driven by compliance.
Available data supports the need to shift to a data-first security
approach:

* The "2019 Verizon Data Breach Report" shows for one of its measured
  sectors that "Privilege Misuse and Error by insider account for 30
  percent of breaches."
* A 2019 data privacy survey conducted by Opinion Matters found that "83
  percent of security professionals believe that employees have put
  customer [personally identifiable information] and business sensitive
  information at risk of exposure through error."
* The "Insider Threat 2018 Report" from Cybersecurity Insiders found
  that "53 percent [of surveyed organizations] confirmed insider attacks
  against their organization in the previous 12 months."

The takeaway here is clear. There is a real threat from within the
organization by individuals who are granted some level of trust and
access. With this reality in mind, there's no choice other than to
move security as close to the data as possible.

How to Move to a Data-First Approach

First, a sound security program must have risk modeling and strategic
risk prioritization processes in place. Without such components, the
security organization will be unable to focus on the most important
issues to make meaningful changes. Second, conduct an updated risk
prioritization and assessment exercise. Be sure that the value of your
data assets and the likelihood of an internal threat are appropriately
weighted by statistics discussed above and other information specific
to your organization. In this exercise, be sure to explore different
potential paths of compromise that lead to data access and consider if
existing security controls provide any mitigating protection.

The likely output of this activity will include new prioritized risks
focused on data access controls and visibility of data use. With this
new data in hand, reach out to other business leaders to build support
for the new focus. As security leaders know, it's imperative to have
allies across the business; security is not a single org activity and
requires company support. Finally, as you embark on identifying new
security controls, processes, and technology, be sure to maintain your
laser focus in the face of other security "fires." Question whether
your and your team's time is being spent on the highest-priority risks
and most valuable activities for your company.

Implementing a data-first security program will require effort and
reprioritization, but it will also enable your company to combat
modern-day threats and protect your most important assets. In
addition, it will also enable flexibility so the business can more
easily adopt new technologies knowing that the control structure put
in place is based on protecting core assets first, independent of the
surrounding technology.

