The art and science known as risk management has been around for years. It is applied in a broad array of areas, including insurance, credit risk ratings, stock and other market risk ratings, foreign policy decisions, military responses and many others. The true irony is that, although risk management has been applied to many aspects of IT, such as change management, incident response, disaster recovery and business continuity, it has not been applied nearly as rigorously to data management and protection.

In some industry verticals, security is applied to certain types of data, but that application is often not based on true risk management. Banks protect account information, insurance and health providers protect personally identifiable information (PII), and chemical companies and soft drink conglomerates protect their secret formulas. Outside of what these companies see as their prized data, there is often a lapse in protection because they do not know what their information assets are or where they are located.

Organizations are at an increased risk level if they cannot answer foundational questions such as:

  • Which business lines carry the greatest risk?
  • What sensitive data is at risk?
  • How valuable is the at-risk data?

When Risk Management of Data Fails

Each piece of information residing on corporate networks needs to be classified, evaluated and managed. Each byte must have some level of importance or it would not have been created in the first place. Some data has only momentary importance, while other data maintains its value for many years. However, this lifespan of value is not always apparent. A good example is an email about lunch plans. That message may only be important for the hours leading up to the meeting, or it could have value for much longer if the purpose of the meeting is to discuss mergers and acquisitions or organizational restructuring.

Security employees must have basic, well-maintained controls in place to protect data as part of a security program. Though not all organizations suffer from poor practices in all areas, all suffer from some of the following to varying degrees:

  • Vulnerability management;
  • Patch management;
  • Server misconfiguration/poor change management;
  • Loose or overprovisioning of user access controls;
  • Use of overly broad firewall policies;
  • Misconfigured security logging;
  • Misconfigured incident alerting/overfiltering of alerts; and

A lack of focus on any of the above areas weakens the organization’s security posture and creates an opportunity for data leakage or theft.

The November 2014 Sony data breach exemplified this kind of risk management failure and demonstrated the possible consequences. Emails and other data files to and from executives, A-list actors and other employees were released, disclosing many private conversations. At the time each was created, the participants in the transactions did not consider the ramifications of creating and retaining that information. However, when revealed, there was significant material damage to personnel involved or mentioned, up to and including loss of employment for numerous Sony employees and actors who lost contracts.

Applying Risk Management Principles to Data Management

The application of risk management principles to data security is necessary to truly protect data from loss, theft and exposure by cyberattacks and insider threats. IT, security and privacy and risk management personnel play a crucial role in creating a programmatic risk management strategy. This requires having data management, retention, containment policies and ongoing monitoring tools in place, and employee training on the processes and procedures for data management.

Each member of the organization is responsible for understanding the value and scope of the information he or she creates and receives. This does not always require a monolithic effort or the application of some huge formula to determine a risk probability, but it does require personnel to take the time to objectively determine when and where to store it, how to protect it and how long to keep it. Data owners and custodians must be part of the risk management process. They are responsible for protecting data from accidental destruction or modification, exposure to inappropriate internal and external parties and intentional theft by external cybercriminals or wayward insiders.

Line-of-business managers and data administrators also need a means to identify structured and unstructured data repositories, both on-premises and in the cloud, and the ability to classify that data by its level of impact should it be stolen, published or destroyed. If these data stewards are unfamiliar with the data they are monitoring, they must have the ability to separate the more business-critical information from that of lesser value. After all, a core tenet of risk management is to apply more resources to protect the assets of greater value. Data is no different.

Calibrating Personal and Organizational Accountability

It’s important to apply and appropriately disseminate formal risk management processes for evaluating information assets and the vulnerabilities that threaten to compromise them. Without this amount of information being managed and presented to each level of management up to and including the board level, there is no way to determine how much money to apply to make the proper decisions to combat high risks.

Risk management is an invaluable tool for calibrating personal and organizational accountability, prioritizing actions for proactive protection and reactive response, raising and informing awareness about risks and identifying appropriate or ineffective mitigation measures.

More from Data Protection

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…