Light Dark
September 6, 2016 By Daniel Kirsch 5 min read
Data Protection

There isn’t a single chief information security officer (CISO), head of compliance or chief privacy officer who enjoys rejecting a new service that could increase the pace of a business’ innovation. However, the reality is that many CISOs are forced to tell the business it needs to rethink ideas because of privacy, compliance, and security concerns and risks, especially in light of the upcoming European Union (EU) General Data Protection Regulation (GDPR).

Preparing for the GDPR

Businesses must walk a fine line when preparing for the GDPR; gathering and analyzing massive amounts of customer and prospect data can uncover new opportunities and business models, yet data must be kept private and secure from both regulatory and reputational standpoints. The latest round of regulations, including the EU’s GDPR, comes with teeth in the form of stiff financial penalties for those that fail to comply. Companies that fail to adequately prepare for the GDPR risk incurring fines of up to 4 percent of their annual revenue.

As a result, organizations around the world are scrambling to address the new rules before the GDPR goes into effect in May 2018. Any company that stores personal information regarding EU residents will be subject to the new compliance rules, even if the business has no other presence in the EU.

Read the Interactive Solution Brief: Ready, Set, GDPR

Decentralized Data

Complying with regulations such as the GDPR are just part of the challenge facing CISOs and security teams. There was a time when organizations could centralize data so that control and governance were relatively straightforward. Techniques such as role-based access control and data masking were good enough to ensure that customers stayed secure.

In recent years, however, data has been increasingly distributed across hybrid environments. Data is stored in data centers, managed service environments and public clouds. Disconnected silos of data are often stored in inexpensive cloud storage, which is more difficult to control than the traditional, tightly controlled data repositories they replaced. Companies are storing more and more data at a lower cost in the hopes of harvesting useful insights.

Unauthorized IT Casts a Shadow

Further complicating matters, many new business services are being created, used and managed outside the purview of the IT organization. SaaS applications, for example, may contain customer information, while home-grown cloud applications may house important intellectual property, customer data or product information. It’s likely that the compliance office, privacy office and CIO didn’t sign off on each of these services.

This shadow IT is causing major problems for companies preparing for the GDPR and attempting to comply with all its rules. Although shadow IT helps employees work more efficiently, it makes it nearly impossible for companies to know who has access to their data or where the data is located, and the issue is growing at an alarming rate. It’s extremely difficult to prove compliance to strict data governance regulations when employees use a mix of corporate and personal IT services and devices.

Speed at the Expense of Privacy

Storing massive amounts of sensitive data in the cloud and hybrid environments has added to data complexity. Many businesses are opening their data to employees throughout the company so that they can use that data in innovative ways.

With business leaders demanding fast results, many companies fail to maintain high levels of data privacy and governance. As data is spread across organizations, it becomes increasingly challenging to maintain the robust data stewardship and protection required by the GDPR. Additionally, data security has become a serious concern as wider groups of users access customer data and intellectual property.

Many companies are inadvertently laying the groundwork for a breach because employees require fast and easy access to data, and new services must be created rapidly, which requires extreme agility. This speed of innovation also creates a gap between a company’s privacy office and how data is being used: The compliance and privacy offices may have strong written policies and procedures, but the compliance officers may not understand what the business is doing with data. This divergence between the requirements and demands of the privacy office and the actions taken by business analysts poses enormous compliance and security risks.

Solidifying Silos

An interesting change is happening with data management: Corporate managers are increasingly inclined to leverage important data across departments to create new product offerings. It is imperative, therefore, to break down silos of data across business units.

However, this is not without risks. Within an individual department, an administrator can keep close tabs on who is accessing data and for what purpose. It is relatively easy to establish a chain of custody for data when administering a single environment. As companies end silos and spread data across the business, however, it becomes more difficult to keep track of data from a privacy, governance and security perspective.

For example, a health care company might create an application that brings together patient data with fitness tracking information and third-party data sources. While the new application provides incredible analytics value, it also exposes risks based on compliance regulations such as HIPAA. Unfortunately, adding flexibility to the business can render the data vulnerable.

It is clear that to remain competitive and offer new services, businesses must bring together and analyze massive amounts of data. The CISO must be able to support business needs while keeping this data secure. He or she should partner with business leaders to analyze the data in a way that protects privacy and complies with regulations.

Regulations and security threats are constantly evolving. As security and compliance teams work to ready their organizations for the GDPR, they must keep an eye on the future, anticipating new requirements that may impact the business.

Best Practices for Ensuring Data Privacy and Security

How can you balance the need for access to the right data while maintaining compliance with a changing regulatory and security landscape? While there isn’t one right answer, there are some best practices that can help turn the security officer into a business partner. Here are the top three:

1. Work Together

Privacy, security and project management offices must work together as a team. Many companies that proactively manage data privacy and security challenges embed privacy and security personnel within business units. Security by design should become a common strategy; this will help organizations build security and privacy provisions into projects from an early onset.

2. Assess Impact

Perform privacy and security impact assessments as part of a project’s approval process. As a project moves forward, there should be continual checkpoints to ensure that compliance, security and protection requirements are met. A project should not move forward with funding until it has been reviewed and the risk levels defined. Continuous assessments allow teams to identify and address issues in early stages of the project.

3. Identify the Data

Identify the data that will be used for a new project. Understanding the sensitivity of data being used will make it easier for companies to meet the requirements of regulations like the GDPR, and it will reduce the risk of a breach. Give business leaders and executives oversight of data based on the sensitivity and risks associated with the information. These executives should sign off on a project only once they agree that the risks of exposure are worth the benefits.

These best practices should be the foundation of an organization’s security and governance policy as it prepares for the GDPR. This foundation will help protect the business from costly fines and will help prevent future security breaches.

Combining both organizational change with technical solutions can help organizations overcome the risks posed by removing data silos, giving employees access to more data and exploring new, data-centric business models. A well-planned strategy can enable an organization to innovate safely and securely.

Read the Interactive Solution Brief: Ready, Set, GDPR

 |  |  |  |  |  | 
Daniel Kirsch
Principal Analyst & Vice President, Hurwitz & Associates

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature