From a cybercrime perspective the new year has kicked off with a bang, with numerous high-profile data breaches, ranging from T-Mobile, Nissan, and PayPal to Chick-fil-A. Smaller businesses and government entities haven’t entered the new year unscathed either, with reported data breaches on everything from the Federal no-fly list to local law firms.
With hacks and breaches like this, to say that cybersecurity is an interesting field is a bit of an understatement. Given the ever-changing threat landscape, maintaining cybersecurity equilibrium (not to mention growth and improvement) always requires continuous attention and realignment towards the evolving business risks.
In this article, I would like to revisit the cybersecurity fundamentals, with a focus on a particular point—that security programs must be built on a strong foundation. When it comes to building a strong security foundation—knowing your assets, protecting the assets, and ensuring “CIA” that is, confidentiality, availability and integrity of assets—are critically important.
Many Layers of Defense to Focus On
In an average week, a CISO has to focus on many areas, including multiple layers of defense that need to be built, maintained, monitored, and strengthened. You may ask what those areas or layers of defense are? I like to categorize these layers into five areas:
- Cloud infrastructure security;
- Application security;
- Corporate security including endpoints;
- Third-party supplier security; and
- Data security
Now the question is, which one should the CISO focus on first? And which one has a higher priority? Before I tell you the answer, I would like to give you a metaphor around data management and data security.
Think about FedEx or UPS. To manage package shipping and delivery, they have warehouses, storefronts, packaging centers, as well as a huge fleet of trucks, planes, and third-party carriers. Out of all these, delivery services like FedEx dedicate their primary focus and priority to monitoring and tracking each customer package from the first mile to the last mile. FedEx and UPS create efficiency, manage costs, and ensure their most important asset—the package—is safe by scanning and tracking the package itself, not by tracking the people driving the trucks or planes.
Now let’s apply this as a metaphor for data and data security by thinking in terms of a SaaS application and the data associated with that application. The identities using the application are like the FedEx drivers and pilots. The SaaS data storage is like the FedEx warehouses and shipping centers. And the SaaS data itself is like the FedEx packages.
Data Security Is the #1 Priority
Data is your most important asset and data security needs to be the priority. This means enterprises need to realign their cybersecurity approach to focus first on the package (i.e., the data), not what transports the package (i.e., the identities). Now, I am not saying that other types of security are not important, but I am saying that by always prioritizing the most important one—the data—organizations will enjoy better ROI and many other security benefits.
Data Protection from Cybersecurity Point of View
Let’s talk a little bit about the attack surface before we dive into data security. The number and type of corporate endpoints are expanding. Application endpoints may come and go. I agree we need to secure corporate endpoints and also come up with a process to handle incidents. For example, if there is a ransomware attack, we must have a plan to re-image the nodes remotely and make them operational. But, at the end of the day, if I know where my data assets are, who has access, and when/how they accessed the data, then most of my cybersecurity risk is contained. If you have full visibility and monitoring into my data, using tools like Data Security Posture Management (DSPM), you do not have to worry as much about whether internal or external resources are accessing the data, as long as they are approved and have the necessary rights to perform the activities on data.
How Important Is Data Protection from a Regulations and Compliance Point of View?
There is another reason why data security should be the #1 priority for CISOs and that is from a regulatory and compliance perspective Most of the regulations and industry compliance requirements are built around data protection. Let me give you examples from multiple industries:
- HIPAA—Protects health information.
- PCI DSS—Protects cardholder data and sensitive authentication information to avoid potential financial fraud.
- CMMC—Protects CUI or controlled unclassified information.
- GDPR, CPRA and other privacy regulations—Protects your personal data.
- SOX and SEC regulations—Protects the financial information to avoid any financial irregularities.
- ISO and SOC 2—Defines security practices and ensures businesses have adequate protection for the customer data collected, stored, and processed.
So data security and protection is also very important from regulations and compliance point of view.
There are two final things I would like to emphasize.
For a CISO, there are a lot of things to manage in a day. I would recommend prioritizing two things: First, figure out your important data assets and ensure there is clear visibility into who can get to them and what permissions they have. Build multiple layers of defense to defend and protect those critical data assets.
The second one is please be part of the community, be part of the information sharing forums or center(s). It could be a formal one or informal one. Your peers can often offer tremendous insight and understanding about security issues.
Learn More About DSPM and DataGuard
If you’d like to learn more about Data Security Posture Management and DataGuard, please reach out. We’d love to demonstrate how you can prioritize data security and help safeguard your most critical data assets through improved visibility, scalability, and compliance.