More data? No problem!
It’s hard to imagine a world in which everything stands still. Time, fashion, the environment; it’s all changing. How we see, access, and secure data is also changing. While our industry has worked hard to develop and refine tools to help with big data management, there are still gaps when it comes to a one-stop-shop for securely managing data. And so, a deeper look at some of the challenges in this space may offer some insight into how to be more efficient and effective with existing tools.
Challenges of Data Security
Data preparedness: Data security tools can be costly, but breaches are worse. According to the 2020 edition of the IBM/Ponemon Institute Cost of a Data Breach Report, the average cost of a data breach in the United States is roughly $3M greater than that of the Middle East (~$6.5M) and $4M greater than that of Canada (~$5.5M).
The challenge here isn’t so much that companies are questioning the need for security tools; it’s that tools are just one piece of the puzzle. The focus should really be on building and enforcing a comprehensive security program and plan. This commitment includes anything from investing in security orchestration, automation and response (SOAR), to minimizing complexity of IT and security environments, to protecting sensitive data in cloud environments using policies and technologies.
Another hurdle with data security is poor or inaccurate provisioning of data. Overprovisioning of data limits who all can see and access a data set, and underprovisioning limits visibility into data, which can impact potential business outcomes. Just imagine one of these two scenarios, regardless of employee role or level:
In scenario A, it’s probably safe to say the unnecessary exposure to sensitive information produces a breeding ground for insider threats and abuse of data, even if unintentional.
Scenario B presents another viewpoint, and the challenges of reduced intel/visibility: how might you go about packing for a trip if you only had insight into dates of travel, but not the weather forecast? Gets a little bit tricky, right?
Although provisioning of data is just one aspect of data management, it is integral to securing an organization’s data. According to a study by Varonis, 15% of companies profiled had employees with access to over one million files, including some highly sensitive and confidential information. Looking at my own experience, I have yet to meet a file that requires every employee to have full access, and I have worked across industries at companies big and small, public and private. As Peiter Zatko (Twitter’s former security chief) once said, “It doesn’t matter who has keys if there are no locks on the doors.” The bottom line? Proper access management is key.
And then there’s compliance. To better understand this concept, let’s revisit the introduction, specifically the ever-growing and changing environments which have resulted from the increases in data volume, types, and privacy regulations. It’s always changing, and in all ways. When it comes to compliance, companies don’t always have the resources to engage in a complete risk assessment to identify gaps and vulnerabilities, and may therefore struggle with audit and compliance requests. Whether in the US or across the globe, cities around the world are recognizing that data privacy regulations are instrumental when it comes to keeping vast quantities of data safe and secure. Policy management and documentation for enforcement can also create hurdles for an organization. It can be taxing, and sometimes overwhelming, to write out and manually deliver on rules and regulations for data management. Information policies such as best practices and do’s and don’ts can be lost with each generation of new employees. I suspect it’s also quite costly to pay for all of the hours spent (re-)creating and (re-)enforcing such documentation.
So what should we do?
We are no longer living in an exclusively on-prem world where data is easier to contain, and therefore more manageable. In fact, most organizations (if not already) are making the move to hybrid or multi-cloud environments. In turn, the shift has led to an increasing number of rules and regulations around how data types should be managed, how regions should consider managing data, and how to reduce business risk as a result. The reality, though, is that managing access exclusively with identity and access management (IAM) roles or private keys is not sustainable, and companies need to address a very real sense of complexity and cyber risk. It’s not enough to just put a little bit of security here and a little bit of security there; following that process guarantees one thing: no guarantee of security.
Organizations need to invest in a thorough security offering that helps them identify who requests data, with what tools, and whether or not that request is granted. Imagine having all of that information at your fingertips and being able to optimize it for faster data-driven results? Plus, does anyone else hear bells of accelerated compliance reporting?
Effective use of this data for business purposes is still something of an unsolved challenge, in major part due to the need to provide access to this data in a secure and responsible way.