[BreachExchange] The Data Problem in Security

Fri May 17 18:55:07 EDT 2019

https://www.darkreading.com/careers-and-people/the-data-problem-in-security/a/d-id/1334660

Today's CIOs are the stewards of company data, responsible for its health
and performance as well as maintenance of the availability, speed, and
resiliency their stakeholders expect. CISOs, however, sometimes serve as
emergency room doctors for their company's data. Their role is to think
about worst-case scenarios, diagnose the severity of incidents, and jump in
when incidents happen or are likely. Their first priority is to keep
patients alive, but keeping them healthy is worth bonus points.

Like ER doctors, CISOs need rapid prioritization tied to the health of the
business to effectively triage incidents. To establish each organization's
guidelines around what data matters most every CISO must consider
reputation, resiliency, and regulatory impact.

Defining and Solving the Data Problem
A CISO must consider focus on business protection, cybersecurity breaches,
and the role of data in their organization:

● Reputation: Which data loss would hurt the business' reputation and
negatively impact a customer or investor's confidence in the business?

● Resiliency: What data outage could cause business disruption, and could
the business come back from the outage?

● Regulatory impact: What is the financial or legal liability?

With these themes in mind, the CISO's data problem is twofold: which data
most needs to be protected, and what data is needed to monitor and diagnose
an incident when protection fails?

The first step is for the CISO to get their arms around all the data that
matters. These days, data ownership is often federated, so CISOs must team
up with peers to get access and manage the overlapping ownerships. For
example, the security team may have access to one body of data, whereas
application teams have another. Lines-of-business leads would own their
business data in SAP, for example, while the CIO would manage the
infrastructure's operational data and maintain the health, performance, and
security protection of SAP and the data it contains. Underscoring this
business dynamic is the critical role that CISOs play: They need to ensure
their peers have visibility into all business-critical data, and they need
to ensure they have full access to this data and its supporting systems.

With the data in hand, the next step to solving their data problem is to
examine tool sets and ensure they have maximum visibility. Today,
environmental complexity is such that you may not know what it contains,
making visibility difficult to achieve. Organizations have on-premises
environments, workloads in multiple clouds, numerous purpose-built
applications, Internet of Things devices, and more. When combined with
organizational silos, shadow IT, rogue DevOps teams and business units
driving "digital transformation" that put speed-to-market ahead of
architectural elegance, efficiency, and application security, it becomes
even clearer that the job of the CISO is getting harder every day.

Business Impact Analysis Best Practices
Forward-thinking CISOs lead their teams with the goal of protecting what
matters most while maturing their security capabilities and posture. This
begins with a business impact analysis that explores which applications and
systems are most critical to provide the environmental visibility needed to
enable effective data protection. In any organization, this task is
daunting and time consuming; however, the larger the organization, the
higher the risk and the reward. Both the CIO and CISO have much to gain by
looking strategically at their organizations, aligning efforts, and
improving the efficiency and effectiveness of their teams and technology.

With business impact in mind, CISOs can better drive security maturity and
improve their cyber hygiene. This can start with simple but necessary
activities like vulnerability identification and management, endpoint
protection, or malware detection; even these activities can be prioritized
by business impact and informed by a view of reputation, resiliency, and
regulatory requirements.

Once CISOs have grasped the business impact of their data according to the
three pillars — defined data boundaries, access, and tool sets in use
across the organization — then it's time to review tools' effectiveness and
return on investment. Most CISOs know not all their tools are effective or
delivering as promised; what's important is determining which tools are
truly useful or necessary, and understanding the financial impact. This is
also an opportunity for CIOs and CISOs to work together — there's limited
technology budget to go around. If CIOs and CISOs can leverage system
synergies on top of common data sets, and then further align systems with
critical business units, then there is a huge opportunity to optimize
spending, operations, and protection.

Emergencies Are Preventable with Primary Care
The constant specter of a serious data breach keeps many CISOs up at night.
CISOs know how to handle emergencies, but like their ER counterparts,
they'd prefer they never happened in the first place. The modern CISO needs
to start with primary care — understand business impact, the effect of
security incidents on reputation, resiliency, and regulation, and then
address these needs with a robust security program aimed at mature cyber
hygiene.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20190517/2e19a39a/attachment.html>