December 20, 2022
The 7 data security habits of highly effective CISOs
The CISO plays a critical role in identifying the security risks in an organization and creating a comprehensive security plan to mitigate those risks. But most of the time the focus is on mitigating external threats, at the cost of ignoring the internal threats from employees or contractors who deal with the data day in and day out. Beyond breaches in which an internal bad actor steals customer data or views confidential information they are not supposed to see, there is also the penalty for non-compliance that the organization may face by knowingly or unknowingly granting external suppliers or contractors access to sensitive data. The myriad regulations around data security, such as PCI-DSS, HIPAA, GDPR, CCPA and cross-border data security regulations, make this an ever-growing challenge.
Highly effective CISOs have a balanced view of both external and internal threats, and undertake initiatives that take a holistic view of the entire lifecycle of data within the organization. Here are the seven most effective practices a CISO can employ to take control of the organization's data.
These effective CISOs:
- Have intimate knowledge of their data
In most organizations, getting to know the data stops at creating a data discovery platform that stores the source and lineage of all the data in the enterprise. While this is a critical first step, it is not sufficient on its own. An effective data security program also invests the effort to identify sensitive data and tag those data sources so that they are secured. What counts as sensitive can differ between groups within the organization, and each group may be spread across the globe, which in turn brings the need to comply with the regulations specific to each part of the world.
- Don’t rely on business groups to tell them where the sensitive data is located
The various business groups within the organization use the systems commissioned for them in a wide variety of ways. End users are seldom aware of how different kinds of sensitive data are classified, and sometimes populate the system with such information in unintended fields or files. It is not unusual for the IT team to discover customer names and social security numbers in a “Description” column, or critical patient information stored in Word documents on local drives. Relying on the end users of these systems to identify the fields or locations where critical information is stored results in an incomplete discovery process, leaving the door open for data security risks to materialize. An effective CISO deploys tools that periodically sample the data in these critical systems to identify sensitive data sources, rather than relying on the tribal knowledge of end users.
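As an added illustration (not code from the original article), a small Python sampler of the kind described above: it takes a sample of rows from a table, scans every column for SSN-like and card-like values, validates candidates against the SSA issuance rules and the Luhn checksum to cut false positives, and reports which columns carry sensitive data and at what rate. The table, column names and values are constructed.

```python
import re
from collections import Counter
# Candidate patterns; each match is validated further before it counts as a hit.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return int(area) not in (0, 666) and int(area) < 900 and group != "00" and serial != "0000"

def classify(value: str) -> set:
    """Return the kinds of sensitive data found in one cell of free text."""
    kinds = set()
    for m in SSN_RE.finditer(value):
        if ssn_plausible(*m.groups()):
            kinds.add("ssn")
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            kinds.add("card")
    return kinds

def scan_sample(rows, min_hit_rate=0.05):
    """Scan sampled rows column by column; report, per column, the share of rows
    carrying each kind of sensitive data once it reaches min_hit_rate."""
    hits, n = {}, len(rows)
    for row in rows:
        for col, val in row.items():
            for kind in classify(str(val)):
                hits.setdefault(col, Counter())[kind] += 1
    report = {}
    for col, cnt in hits.items():
        flagged = {k: c / n for k, c in cnt.items() if c / n >= min_hit_rate}
        if flagged:
            report[col] = flagged
    return report

# Constructed sample of a support-ticket table; every value here is fake.
SAMPLE_ROWS = [
    {"id": 1, "customer": "A. Smith", "description": "Refund to card 4111 1111 1111 1111"},
    {"id": 2, "customer": "B. Jones", "description": "Verified SSN 219-09-9999 by phone"},
    {"id": 3, "customer": "D. Kim", "description": "Order 1234567890123 shipped"},
]
```

Columns that come back flagged are the ones to tag as sensitive and route through the masking and monitoring controls discussed later; the sample size and threshold are tuning knobs, not fixed values.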
- Know that data is a liability and how it can be converted into an asset
The simplest way to protect data within an organization is to restrict access to the specific set of eyes that need to view it. But this creates a silo effect in which data is hoarded within specific groups. Operations or analytics teams that want to collate data from different parts of the organization for reporting, or apply machine learning models to predict future trends, are at a disadvantage, since getting access to this data becomes embroiled in the red tape of multiple approvals, manual cleansing of sensitive data from the data feeds, and so on. A testing team that would have benefited from a copy of production data with all the sensitive fields masked must instead create synthetic data that may not mirror real-life scenarios. Deploying an effective set of data masking tools that apply different techniques, such as data encryption, data anonymization or data masking, depending on how the data will be used is the key to making effective use of the data without compromising on security.
- Are aware that privacy of data applies not just to the end users of the system but to its maintainers too
In many instances, while end users are subject to strict authentication and authorization mechanisms that decide what data they can view, these kinds of security mechanisms are missing for the administrators of such systems. A DBA querying the production database directly has a complete view of customers' credit card numbers, or an L1 support representative sitting in the India office is able to view logs containing sensitive information that is tagged as US-eyes-only. Although there may be strict non-disclosure agreements with these parties, there can be significant risk associated with this last-mile oversight. Deploying security options like database-proxy-level encryption and dynamic data masking mitigates these last-mile risks while ensuring that the level of service is not affected.
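Added example, not from the original article, tying together the previous two practices: one policy function that applies a different technique per consumer, keyed pseudonymisation for analytics so feeds stay joinable, partial masking for support with a regional check on US-eyes-only fields, and full redaction for anyone else, including a DBA querying directly, which is the behaviour a masking proxy would enforce. The column tags, roles, key and row are constructed.

```python
import hashlib
import hmac
import re

# Constructed key for pseudonymisation; a real deployment would fetch it from a KMS.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Hypothetical column tags: what kind of sensitive data each column holds.
SENSITIVE = {"card_number": "card", "ssn": "identifier", "notes": "us_eyes_only"}

def pseudonymise(value: str) -> str:
    """Keyed HMAC token: equal inputs give equal tokens, so analytics can still
    join across feeds, but the raw value cannot be recovered without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_card(pan: str) -> str:
    """Partial mask for support staff: only the last four digits survive."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def apply_policy(row: dict, role: str, region: str) -> dict:
    """Return a copy of row with each sensitive column transformed for the
    consumer's use case; any role without an explicit rule gets full redaction,
    which is what a masking proxy should do for direct DBA queries."""
    out = dict(row)
    for col, kind in SENSITIVE.items():
        if col not in out:
            continue
        value = str(out[col])
        if role == "analytics" and kind in ("card", "identifier"):
            out[col] = pseudonymise(value)            # joinable, not reversible
        elif role == "support" and kind == "card":
            out[col] = mask_card(value)               # enough to confirm a caller's card
        elif role == "support" and kind == "identifier":
            out[col] = "***-**-" + value[-4:]
        elif role == "support" and kind == "us_eyes_only" and region == "US":
            out[col] = value                          # cleared viewer, shown as-is
        else:
            out[col] = "[REDACTED]"                   # DBAs, offshore support, unknown roles
    return out

# Constructed production row; the card and SSN values are fake test numbers.
ROW = {"id": 7, "card_number": "4111 1111 1111 1111", "ssn": "219-09-9999",
       "notes": "US-eyes-only: escalation details"}
```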
- Understand that security is not just about creating restrictions; it is also about monitoring how effective those constraints are
Data security is not a one-time set of actions. As the threat landscape widens and regulations evolve, it is a constant balance between going overboard in some areas and under-investing in others. A simple approach is to deploy monitoring mechanisms in the under-invested areas so that they serve as an early warning system for potential security risks. For example, are users accessing the production system outside the usual work hours? Is any user querying unusual amounts of data from a table marked as “sensitive”? A simple tool that monitors and reports this kind of “unusual” usage serves as a quick deterrent against malicious actors. In addition, periodically auditing the controls deployed across the different systems to ensure their effectiveness and currency is key to an effectively run security program.
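An added example (not part of the original article) of the two checks just described, run over constructed audit-log lines: off-hours access to the production database, and reads from a sensitive table far above that table's normal query size. The log format, table names, baselines and working-hours window are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed audit-log format: one line per query against a database.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) "
                    r"table=(?P<table>\S+) rows=(?P<rows>\d+) op=(?P<op>\S+)$")
# Constructed baselines: usual rows per query for tables tagged sensitive, the
# production working-hours window (UTC), and the bulk-read multiplier.
SENSITIVE_TABLES = {"customers": 200, "payments": 50}
WORK_HOURS = range(8, 19)      # 08:00 to 18:59 UTC
VOLUME_FACTOR = 10

def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["rows"] = int(ev["rows"])
    return ev

def check(ev: dict) -> list:
    """Apply the two early-warning rules to one parsed event."""
    findings = []
    if ev["db"] == "prod" and ev["ts"].hour not in WORK_HOURS:
        findings.append("off_hours_prod_access")
    usual = SENSITIVE_TABLES.get(ev["table"])
    if usual is not None and ev["rows"] > VOLUME_FACTOR * usual:
        findings.append("bulk_read_sensitive_table")
    return findings

def detect(lines):
    """Return (alerts, unparsed); rejected lines are counted, since an audit-trail gap is itself a finding."""
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1
            continue
        for rule in check(ev):
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "table": ev["table"], "rule": rule})
    return alerts, unparsed
# Constructed sample; user names, tables and counts are made up.
SAMPLE_LOG = [
    "2022-12-20T10:14:05Z user=alice db=prod table=customers rows=150 op=SELECT",
    "2022-12-20T02:41:09Z user=bob db=prod table=orders rows=20 op=SELECT",
    "2022-12-20T14:03:22Z user=carol db=prod table=customers rows=52000 op=SELECT",
    "2022-12-20T23:55:00Z user=dave db=prod table=payments rows=9000 op=SELECT",
    "malformed line that the collector truncated",
]
```

The per-table baselines would in practice be derived from historical query sizes rather than hard-coded, and the alerts would feed the periodic control audit the paragraph calls for.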
- Reduce the amount of data that needs to be secured, thereby reducing the effort involved in securing it
This might sound counterintuitive, but it is the most overlooked aspect of data security in any organization. As the amount of data in an organization grows, so does the effort involved in tracking, tagging and securing it. There are multiple robust mechanisms to extract and archive this data into reliable storage while assuring business users that they will have access to it when they need it in the future. Such mechanisms reduce the attack surface, that is, the amount of data that needs to be secured, and at the same time improve performance because of the reduced data load.
- Must maintain a delicate balance between compliance with regulations and usability of data
Regulations with respect to personal data protection and individuals' rights over the data that organizations hold are on the rise and will get stricter and more granular in the coming years. This presents an ever-growing challenge to the teams building and maintaining the organization's internal systems, which must comply with the many data subject access requests that such regulations give rise to. Knowing where such personal data resides within the lakes of data in the enterprise is the first challenge. This data may be intermingled with other business data that is critical to the operation of the system and cannot easily be deleted or forgotten. Techniques like masking or redaction of personal data are key to ensuring that the regulation is adhered to without compromising the usability of the system.