Scroll Top
400 S El Camino Real Suite 1050, San Mateo, CA 94402

Data Security from a Compliance & Privacy Point of View

From a cybercrime perspective the new year has kicked off with a bang, with numerous high-profile data breaches, ranging from T-Mobile, Nissan, and PayPal to Chick-fil-A. Smaller businesses and government entities haven’t entered the new year unscathed either, with reported data breaches on everything from the Federal no-fly list to local law firms

With hacks and breaches like this, to say that cybersecurity is an interesting field is a bit of an understatement. Given the ever-changing threat landscape, maintaining cybersecurity equilibrium (not to mention growth and improvement) always requires continuous attention and realignment towards the evolving business risks.

In this article, I would like to revisit the cybersecurity fundamentals, with a focus on a particular point—that security programs must be built on a strong foundation. When it comes to building a strong security foundation—knowing your assets, protecting the assets, and ensuring “CIA” that is, confidentiality, availability and integrity of assets—are critically important.  

Many Layers of Defense to Focus On

In an average week, a CISO has to focus on many areas, including multiple layers of defense that need to be built, maintained, monitored, and strengthened. You may ask what those areas or layers of defense are? I like to categorize these layers into five areas:

  • Cloud infrastructure security;
  • Application security;
  • Corporate security including endpoints;
  • Third-party supplier security; and
  • Data security

Now the question is, which one should the CISO focus on first? And which one has a higher priority? Before I tell you the answer, I would like to give you a metaphor around data management and data security. 

FedEx and UPS create efficiency, manage costs, and ensure the safety of their packages by scanning and tracking the package, not by scanning the people driving the trucks or planes. Businesses need to think the same way when it comes to securing their data. Scan the data first— not the identities.

Think about FedEx or UPS. To manage package shipping and delivery, they have warehouses, storefronts, packaging centers, as well as a huge fleet of trucks, planes, and third-party carriers. Out of all these, delivery services like FedEx dedicate their primary focus and priority to monitoring and tracking each customer package from the first mile to the last mile. FedEx and UPS create efficiency, manage costs, and ensure their most important asset—the package—is safe by scanning and tracking the package itself, not by tracking the people driving the trucks or planes.

Now let’s apply this as a metaphor for data and data security by thinking in terms of a SaaS application and the data associated with that application. The identities using the application are like the FedEx drivers and pilots. The SaaS data storage is like the FedEx warehouses and shipping centers. And the SaaS data itself is like the FedEx packages.

Data Security Is the #1 Priority

Data is your most important asset and data security needs to be the priority. This means enterprises need to realign their cybersecurity approach to focus first on the package (i.e., the data), not what transports the package (i.e., the identities). Now, I am not saying that other types of security are not important, but I am saying that by always prioritizing the most important one—the data—organizations will enjoy better ROI and many other security benefits.

Data Protection from Cybersecurity Point of View

Let’s talk a little bit about the attack surface before we dive into data security. The number and type of corporate endpoints are expanding. Application endpoints may come and go. I agree we need to secure corporate endpoints and also come up with a process to handle incidents. For example, if there is a ransomware attack, we must have a plan to re-image the nodes remotely and make them operational. But, at the end of the day, if I know where my data assets are, who has access, and when/how they accessed the data, then most of my cybersecurity risk is contained. If you have full visibility and monitoring into my data, using tools like Data Security Posture Management (DSPM), you do not  have to worry as much about whether internal or external resources are accessing the data, as long as they are approved and have the necessary rights to perform the activities on data.

How Important Is Data Protection from a Regulations and Compliance Point of View?

There is another reason why data security should be the #1 priority for CISOs and that is from a regulatory and compliance perspective Most of the regulations and industry compliance requirements are built around data protection. Let me give you examples from multiple industries:

  • HIPAA—Protects health information. 
  • PCI DSS—Protects cardholder data and sensitive authentication information to avoid potential financial fraud. 
  • CMMC—Protects CUI or controlled unclassified information.
  • GDPR, CPRA and other privacy regulations—Protects your personal data.
  • SOX and SEC regulations—Protects the financial information to avoid any financial irregularities.
  • ISO and SOC 2—Defines security practices and ensures businesses have adequate protection for the customer data collected, stored, and processed.

So data security and protection is also very important from regulations and compliance point of view.

Different regulations, mandates, and compliance types

Final Takeaways

There are two final things I would like to emphasize.

For a CISO, there are a lot of things to manage in a day. I would recommend prioritizing two things: First, figure out your important data assets and ensure there is clear visibility into who can get to them and what permissions they have. Build multiple layers of defense to defend and protect those critical data assets.

The second one is please be part of the community, be part of the information sharing forums or center(s). It could be a formal one or informal one. Your peers can often offer tremendous insight and understanding about security issues.

Learn More About DSPM and DataGuard

If you’d like to learn more about Data Security Posture Management and DataGuard, please reach out. We’d love to demonstrate how you can prioritize data security and help safeguard your most critical data assets through improved visibility, scalability, and compliance.

Related Posts
Clear Filters
Symmetry Systems Announces World’s First Air-Gapped Deployment of a DSPM Solution
outside the box

Pioneering DSPM deployment in high assurance environments sets new standard for comprehensive data protection Symmetry Systems,, the data+AI security company,…

Seven Ways DSPM Helps CISOs Buy Down Cyber Risk
business, finance, low risk investment, Risk Management, Risk wording on decreasing coins stacking with down arrow for financial banking risk analysis and management ,Low risk low return concept.

Have you heard someone indicate they buy down risk? In today’s digital economy, cyber risk is a top concern of…

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.