When information security is done well, it provides a wealth of benefits across the organisation as a whole.
These benefits include more disciplined operations, increased customer and stakeholder trust, and reallocation of avoided risk - all of which have an impact on costs to growth and increased time to focus on innovation.
Directors and shareholders really care about these kinds of business values. If your approach to security keeps these important stakeholders in mind, this will help to ensure the resulting programme is connected to the business overall, and not just security for security’s sake.
There are five steps to building a security strategy that keeps the business in mind:
1. Identify your ‘crown jewels’
Information governance technologies and processes can provide a detailed understanding of where your organisation stores its information ‘crown jewels’ – high-value and high-risk data – and what it’s worth. This can play a significant role in the impact a data breach will have on your organisation and your ability to efficiently and effectively respond, whether it be internal or external, deliberate or accidental.
In order to protect valuable information, your organisation should start by identifying and agreeing on which data is critical to the business and therefore worth giving the highest protection (not all data is created equally). Once you determine WHAT that data is, the next challenge is finding out where it is being stored. Reviewing your organisation’s business processes and network architecture will often highlight the fact that critical value data stored all over the place, such as in emails, email archives, development servers, file shares and employees’ computers.
2. Be a “good shepherd” of data
Once you have identified your critical information, the next step is to become a “good shepherd” of your data. You should know where all the sheep are, segregate them into separate fields, make sure the fences between fields are sound and regularly check to ensure the sheep and the fences are healthy and secure. In this way, even if a wolf manages to get into one of the fields, the risk is contained and most of the flock will be safe.
There are several tools on the market that can alert you and your organisation to potential breakdowns in security. The future of these systems, however, goes way beyond simple alerting by becoming smart systems that embed best practices and the experience of field experts into the tools’ workflows. The alerting and reports these tools create enable analyst-level professionals to achieve expert results.
3. Prioritise your data security efforts
Stop trying to build deep moats and high, thick walls. It’s simply not realistic to punish employees with overly draconian procedures just to secure an all-staff email that says “there is cake in the kitchen.”
Focus your efforts on securing the data that really needs it and protecting that data from the things it needs to be protected from. Not only will this save headaches and grumbling employees, but it will also save time, money, effort, and will enable you to use your data freely and creatively to produce business results when you know that your crown jewels are intelligently protected.
4. Ensure security starts at the source
Adaptive security technology that gives you visibility into activity at the kernel is critical. Rich Cummings, Nuix’s SVP of Cyber Product and Strategy, once said “If you can’t trust the kernel, you can’t trust anything else.” He’s exactly right.
Tools that function above the kernel layer, say at the user level, are trusting that the data they are getting has integrity. If you aren’t going all the way to the source - the kernel - then you can’t really assure security.
5. Implement security by design
The last key component of ensuring you achieve real business benefits from your data security policies is to consider them as an integral part of every business function and decision - physical buildings, which systems you employ, employee training, and the rest. You need to build an entire culture of security that understands that it is operating behind enemy lines, and that attacks are eminent.
Security isn’t just an IT concern. A security programme cannot be successful without the commitment, support, evangelisation, and participation of everyone within your organisation. Creating this culture of security, where every employee takes ownership of that responsibility, will embed awareness into every decision making process. It will allow for healthy debate about the business value and benefits of proposed security-driven restrictions, and proactively identify data that is highly sensitive so you can intentionally manage it from the start, rather than after it’s been compromised.
In a time when the security practices of companies that maintain private data are under more scrutiny than ever, taking a proactive, purposeful, design-based approach to security could very well give your organisation a competitive advantage in the marketplace. In order to implement effective data security policies, you need technologies that will give you truly transparent view into all of the facets of your data and extend your knowledge and skills with expert-built workflows.
From there, you can make smart, prioritised, business-value-driven security decisions that balance risk and reward to achieve the best outcomes for your organisation.
Chris Pogue, Chief Information Security Officer, Nuix
Image Credit: Pavel Ignatov / Shutterstock