Looking at recent breaches and scandals, it’s not a mystery why organizations put a premium on good data security and governance practices. Yet, there is one aspect of data security and data governance that proves elusive.

Sure, organizations have data activity monitoring (DAM) solutions, extended detection and response (XDR) tools, governance programs run by their legal departments and security information and event management (SIEM) platforms. But discovery and classification of sensitive data — especially in the cloud — has proven difficult.

Solutions were often incomplete. They might discover structured data but not unstructured, or data-at-rest but not in-motion. Instead, many organizations resorted to pushing the identification of sensitive data onto line-of-business owners. In extreme cases, the experts we spoke to at CISO ExecNet claimed that “it is not my responsibility if sensitive data is compromised since we expect the owners of the data to enforce compliance.”

Now, this is a job for the data owners themselves to a degree. But, as one security pro asked us, “Who gets fired if a breach hits the news?” It’s a valid point. Let’s take a look at how security and IT can better understand their data.

Where Is Your Data?

First, answer some basic questions. Who actually owns the data? Who should sit at the top of the responsibility pyramid? Maybe a team outside of IT owns the data. Even so, security still needs to know where the data lives, how it moves and what to do when there’s a problem.

There is a multitude of business reasons to understand sensitive data. How can you more easily utilize data to develop products, build better customer experiences and optimize business processes?

Compliance and Privacy Require Visibility

This is not a surprising use case. Compliance and privacy regulations — from the general to the industry-specific — show no signs of slowing. The General Data Protection Regulation, the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act are just a selection of the growing alphabet soup of rules and requirements.

Further, sensitive data is not a monolith. It’s not enough to know, for example, that the sales department handles sensitive data. That does not mean the same compliance policies and security measures apply to every piece of data in that department.

Personally identifiable information, such as addresses or phone numbers, is different than financial transactions. These are, in turn, different than passwords or usernames. Depending on the regulation, there may be different rules for each type. Further, those rules may change depending on how people use that data and who those people are.

What Does ‘Advanced’ Really Mean?

A useful solution here is the advanced discovery and classification of sensitive data. But what does advanced mean? Consider the current approach many organizations take in meeting the first steps of compliance. It is largely manual. Success is dependent upon surveys of department data owners, who are expected to know where each piece of sensitive data lives. This is massively time-consuming and can be inaccurate and quickly out-of-date.

Compliance requires both accuracy and currency. You need to know what sensitive data you have and exactly where it lives.

To this end, advanced discovery and classification were created. It’s a more reliable way to not only discover but also understand sensitive data in a widely distributed environment. As an example, a solution like IBM Security Discover and Classify can accomplish this through continuous scanning at the data source and network level, coupled with the implementation of artificial intelligence (AI) and machine learning, to dynamically process each piece of data. This helps compliance teams understand what type of data is moving internally and to third parties. Third-party risk is a key aspect of many compliance mandates.

Advanced discovery and classification provide the visibility to craft more effective compliance policies. Security and compliance professionals can then improve their compliance posture and quickly adapt as requirements change.

Consumers Expect Better Data Handling

There is no shortage of studies finding that consumers demand better data security from organizations that handle their personal data. Major breaches perpetrated by outside malicious actors tend to make the news. But those are the result of a long chain of security and governance blind spots.

A common challenge is how to securely share data. Different parts of the business often maintain different data. These departments, for the sake of data security, often function in silos.

This siloed approach may provide confidence to customers that data is in good hands. At the same time, it limits the ability of that firm to use data cross-functionally. This issue harkens back to one of the business use cases mentioned earlier: building better customer experiences.

Share Data More Easily

How can an organization secure sensitive data at the same time as sharing data across functional boundaries? Customer success teams need to share data with product teams. They, in turn, must share data with development to deliver products and applications that delight customers. But if someone mishandles data along that chain, customers will not be delighted. Advanced data discovery and classification once again prove their worth in this scenario.

Known and unknown data sources — both internal and external — can be discovered to determine what data is being stored and processed using a variety of solutions available on the market. Once data is discovered, a solution could be used to build a dynamic data map to help teams visualize where sensitive data is located throughout the organization. This level of granularity means once data is shared, it is easy to understand where it has gone, how it is used and how to avoid data ‘exhaust’ (i.e., log files, temporary files and other items that are no less critical but are not typically documented or tracked). From there, tools such as DAM and XDR can help to secure the data in its new home as it flows across departments.

Manual Processes Slow Down Responses

All three of these use cases have a common thread. Current data discovery and classification methods rely heavily on manual processes and trust.

While trust is an invaluable resource, manual processes should no longer be the norm. Rather, automation is critical, given the explosion in the volume of sensitive data organizations collect, worsening cybersecurity skills shortages, limited time to respond to things like data subject access requests (DSARs) and an expanding data threat landscape.

Organizations frequently lack the tools and resources to respond to high-priority DSARs within the expected timeframe. This can lead to regulatory penalties. It can also create negative customer sentiment if they feel their data is not in safe hands.

There are several common themes across these three use cases. Each includes the preservation of customer data privacy, adherence to complex regulations and unlocking the value within the volumes of data. So, it is logical that the solutions are similar.

Once more, advanced data discovery and classification can achieve the speed expected in a DSAR scenario. This situation requires a combination of continuous scanning to discover sensitive data, AI to understand and contextualize it and data lineage mapping. All of these work together to build a profile for a given data subject, facilitating a quick, complete response to requests.
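The discovery, data-map and data-subject-profile steps sketched in the "Share Data More Easily" section and in the DSAR paragraph above, as an added example that is not IBM's or 1touch.io's code and is not part of the original post. It scans three constructed sources (a CRM export, a support note and a debug log standing in for the "data exhaust" the article mentions), classifies matches by pattern with Luhn validation for card numbers (plain pattern matching stands in here for the AI/ML classification the article describes), builds a per-source data map, and assembles a data-subject profile by following identifiers that co-occur on the same line, a crude stand-in for lineage mapping. All file names, people and values are constructed.

```python
"""Minimal sensitive-data discovery and classification over constructed sources.
Added example, not IBM's or 1touch.io's code. Regex classification stands in
for the AI/ML step the article describes; the sample data below is invented."""
import re
from collections import defaultdict

# Constructed sample sources: a structured CRM export, an unstructured support
# note, and a temp debug log that nobody documented ("data exhaust").
SOURCES = {
    "crm/customers.csv": (
        "id,name,email,phone,card\n"
        "1,Ada Example,ada@example.com,+1-555-0100,4111 1111 1111 1111\n"
        "2,Bob Sample,bob@example.net,+1-555-0199,1234 5678 9012 3456\n"
    ),
    "support/ticket-4412.txt": (
        "Customer ada@example.com called from +1-555-0100 about a refund.\n"
    ),
    "tmp/app-debug.log": (
        "2024-01-05T10:00:01Z INFO login user=bob@example.net\n"
        "2024-01-05T10:00:02Z DEBUG payload card=4111111111111111\n"
        "2024-01-05T10:00:03Z INFO health ok\n"
    ),
}

# Data class -> pattern. Card candidates are Luhn-checked so that arbitrary
# 13-19 digit runs are not reported as financial data.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{1,3}-\d{3}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(sources=SOURCES):
    """Scan every source line by line; return findings as
    (source, line_number, data_class, normalized_value) tuples."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for cls, pat in PATTERNS.items():
                for m in pat.finditer(line):
                    value = m.group(0)
                    if cls == "card":
                        if not luhn_ok(value):
                            continue
                        value = re.sub(r"[ -]", "", value)  # normalize spacing
                    findings.append((name, lineno, cls, value))
    return findings


def data_map(findings):
    """Data map: which classes of sensitive data each source holds."""
    classes = defaultdict(set)
    for src, _, cls, _ in findings:
        classes[src].add(cls)
    return {src: sorted(c) for src, c in classes.items()}


def subject_profile(findings, seed_identifier):
    """Build a data-subject profile for a DSAR: start from one known
    identifier, pull in identifiers that co-occur on the same line
    (a crude lineage link), and list every source holding any of them."""
    by_line = defaultdict(list)
    for src, ln, cls, val in findings:
        by_line[(src, ln)].append(val)
    ids = {seed_identifier}
    changed = True
    while changed:                      # transitive closure over co-occurrence
        changed = False
        for vals in by_line.values():
            if any(v in ids for v in vals):
                new = set(vals) - ids
                if new:
                    ids |= new
                    changed = True
    locations = sorted({src for (src, _), vals in by_line.items()
                        if any(v in ids for v in vals)})
    return {"identifiers": sorted(ids), "locations": locations}


if __name__ == "__main__":
    found = discover()
    for src, cls in data_map(found).items():
        print(f"{src}: {', '.join(cls)}")
    print(subject_profile(found, "ada@example.com"))
```

Running it shows the point of the article's "data exhaust" remark: Ada's card number, legitimately stored in the CRM, also turns up in the debug log under `tmp/`, so a DSAR or breach-scope answer that only consults documented systems would miss a copy.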

More to Discover

This is only a small sampling of use cases and only a brief explanation of the next generation of data discovery and classification tools. Data and data sources will continue to multiply as organizations grow and transform. More challenges will arise in terms of trying to handle sensitive data, compliance and data privacy. But it is a great place to start, especially as IBM Security and 1touch.io are partnering on the IBM Security Discover and Classify tool.

IBM Security Discover and Classify integrates with IBM Security SOAR and IBM Security Guardium to support data privacy, data threat response and zero trust initiatives. The tool is an important, timely addition to the IBM Security family. To learn more, visit the product page.
