As enterprises undergo digital transformation and explore new opportunities offered by cloud technology, many lose sight of the digital risks they’ve encountered along the way. Like the pioneers who headed into the Wild West more than a century ago, companies today face a range of unseen dangers as they move unwittingly into potentially hostile territory. From developers and engineers collaborating via cloud-based, consumer-focused data sharing platforms to independent contractors retaining access credentials long after their projects are completed, the risks to critical data are expanding along with the attack surface.
Whether it’s digital transformation, cloud computing, extended supply chains or outsourcing, it’s imperative for organizations to establish a formal data risk management program that’s more than just a governance, risk and compliance program designed to check the boxes for auditors. Data risk management programs put mission-critical data — an organization’s crown jewels — at the center of the effort. Ensuring the confidentiality, integrity and availability of that data, no matter where it lives or who touches it, is the top priority.
Round Up the Posse: The Importance of Multiple Stakeholders
To be successful, a data risk management program requires the involvement of multiple stakeholders, including data owners; line-of-business managers; IT and security professionals; legal, HR and finance departments; and multiple members of the C-suite, all the way up to the CEO. All these parties have a hand in identifying the enterprise’s crown jewels, where they are located, who handles or processes them and where they flow not only within the organization, but outside of it as well.
An effective program also requires input from security professionals who can understand how the inherent risks of ownership, privilege rights, locality, sensitivity and complexities associated with third-party application integrations can be used as backdoors into mission-critical data or cause serious business disruption.
Other common challenges organizations encounter when developing a data risk management program include:
- Manual process bottlenecks that greatly impact the organization’s ability to scale;
- Siloed IT systems, each with their own data store, that lack sufficient controls and make it difficult to prioritize risk, thereby creating the potential for exposure;
- Friction between IT operations and security teams due to the lack of a common language and differing priorities, which makes it hard for them to work in concert to prioritize risks and take immediate remediation actions in the event of a serious breach; and
- The ability to distinguish between pedestrian events and those that could disrupt business operations, such as the theft and disclosure of sensitive intellectual property (IP).
Take the Reins: Developing Measurements That Actually Mean Something
Successful data risk management programs require security professionals to develop key performance indicators (KPIs) or risk measurements that actually mean something to business executives. Tactical metrics and reporting from tools designed to serve the needs of security analysts do not translate well into the language of business risk. However, by ingesting useful data from a range of security tools that can then be combined with other strategic operational metrics and contextual information, it’s possible to present such data to business executives in a way that allows them to better grasp where existing security controls are adequate and where additional resources are needed.
Such tools include security information and event management (SIEM), data loss prevention (DLP), application security, security response management, vulnerability assessment, and data monitoring systems. A dashboard that takes all that highly technical data and boils it down to sensible risk measurements can benefit multiple stakeholders within an organization as they work to mature their data risk management practices. A data risk manager with a business-centric approach can reduce the time it takes to investigate and remediate threats, and potentially avoid or minimize damages and cost.
Circle the Wagons: It’s Time for a Focused Data Risk Management Program
As enterprises embrace digitization, cloud and IT automation, most are still in the pioneering stages — if they’ve begun at all — of developing a data risk management program. With a vastly expanded threat surface, highly sophisticated and well-funded threat actors seemingly immune to law enforcement, and increasingly complex and porous organizational structures, it’s time to circle the wagons around mission-critical data assets. There’s no better time to create a programmatic approach by automating and orchestrating data risk management.