Security for Data
Credit card details for retailers. Research findings for pharmaceutical firms. Or military blueprints for defence contractors. Data means different things to different organizations.
But when it comes to data protection it doesn’t have to mean high-level IP. It could be HR records or health insurance numbers. Put simply, if it’s of value to your business (and to others) then it needs to be protected.
The introduction of the EU General Data Protection Regulation (GDPR) makes this even more imperative, since a data breach can now result in very large fines as well as lasting damage to brand reputation. So when it comes to your data, where is your organization on the protection spectrum?
You have started to consider a robust approach to data protection by taking the important first step: understanding what you have. By discovering where your data resides and who is responsible for it, you are creating a foundation for technical control. By categorizing this data into different levels of value you can attribute the right security controls. But how many levels will you set?
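As an added illustration of that first step (example code written for this article, not code from the original page), the script below scans a handful of data stores, tags each one with a classification level based on what it finds, records the responsible owner, and attaches the controls that level requires. The three levels, the two detectors (Luhn-validated card numbers and e-mail addresses) and the control sets are assumptions made for the example; the store locations, owners and card number are constructed sample data, not real systems or accounts.

```python
import re
from dataclasses import dataclass, field

# Three classification levels, most sensitive first. The number of levels and the
# controls attached to each are assumptions for this example, not a standard.
LEVELS = ("RESTRICTED", "INTERNAL", "PUBLIC")

CONTROLS = {
    "RESTRICTED": ["named data owner", "encrypt at rest",
                   "role-based access, reviewed quarterly", "access logging"],
    "INTERNAL": ["named data owner", "authenticated access only"],
    "PUBLIC": [],
}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # the Luhn check drops most random digit runs
            found.append(digits)
    return found


def classify(text: str) -> tuple[str, list[str]]:
    """Assign the highest matching level and return it with the evidence."""
    pans = find_pans(text)
    if pans:
        return "RESTRICTED", [f"card number ending {p[-4:]}" for p in pans]
    emails = EMAIL_RE.findall(text)
    if emails:
        return "INTERNAL", [f"{len(emails)} e-mail address(es)"]
    return "PUBLIC", []


@dataclass
class Finding:
    location: str
    owner: str
    level: str
    evidence: list[str] = field(default_factory=list)
    controls: list[str] = field(default_factory=list)


def build_inventory(stores: dict[str, tuple[str, str]]) -> list[Finding]:
    """stores maps a location to (responsible owner, sampled content)."""
    inventory = []
    for location, (owner, content) in stores.items():
        level, evidence = classify(content)
        inventory.append(Finding(location, owner, level, evidence, CONTROLS[level]))
    # Most sensitive first, so RESTRICTED stores are reviewed before anything else.
    inventory.sort(key=lambda f: LEVELS.index(f.level))
    return inventory


# Constructed sample data: hypothetical stores, owners and a well-known test card number.
SAMPLE_STORES = {
    "s3://finance-exports/refunds-2023.csv": ("Finance", "refund,4111 1111 1111 1111,49.99"),
    "\\\\fileserver\\hr\\starters.xlsx": ("HR", "Jane Doe,jane.doe@example.com,2023-05-01"),
    "https://www.example.com/press/release-42.html": ("Marketing", "Acme opens new office, ref 1234567890123456"),
}

if __name__ == "__main__":
    for f in build_inventory(SAMPLE_STORES):
        print(f"{f.level:10} {f.owner:10} {f.location}")
        for e in f.evidence:
            print(f"{'':21} evidence: {e}")
        for c in f.controls:
            print(f"{'':21} control:  {c}")
```

The press-release entry contains a sixteen-digit reference that a naive digit-count rule would flag as a card number; the Luhn check rejects it, so the store stays PUBLIC. Real discovery tooling adds many more detectors and uses surrounding context, but the shape is the same: detect, assign a level, name an owner, attach controls.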
You are already making headway. But now you need to identify the cost-effective and risk-based controls that will actually deliver your data protection. This requires weighing the value of your data against the likelihood and impact of its theft or loss, and then applying the level of security the result justifies. It is important to be proactive. As the Prussian general and military theorist Carl von Clausewitz is often quoted as saying, “The enemy of a good plan is the dream of a perfect plan.” In other words, sometimes you just have to make a start.
So it is critical to put in place effective governance of your data. At this stage, data owners or business leaders should be brought into your process. They can help you answer key questions: Who is the responsible owner of data within the business? Where should data reside in the future? What access controls do you need to assign?
You have mastered the early stages. But what happens when things do go wrong? If you are at the later stages on the data protection spectrum you are less likely to suffer data loss, and much better able to cope when it does happen. This is because you have a tried and tested incident management framework supported by a dedicated communications plan, including rehearsed scenarios that set out how to respond internally and externally in the event of a breach.
But that’s not all. You will have taken on board what von Clausewitz said and be applying it every day. With the security landscape continually evolving you will maintain a constant level of maturity in data protection. You will be geared to make strategic decisions based on robust risk analysis so standards don’t slip. In a commercial world, you will also see that this can help you deliver ongoing ROI from security. With an advanced data protection strategy, you direct daily intelligence into your security updates. This then determines your most cost-effective course of action tomorrow and into the future.
But whatever stage you are at, in a changing security landscape it is clear that you cannot design a perfect plan. Even if you had a perfect plan, it will need to change. The most important thing is to act, adapt intelligently and aim for continuous security maturity.