
Data Security – Doing the Right Things vs. Doing Them Right


(Note: This is a follow up to my post from earlier this month, “We Have it Wrong” – Updating Data Security for the Data-Driven Age)

As an incoming product team leader in any technology company, you know you have arrived at a good understanding of your customers’ biggest issues when many of the meetings start to sound familiar. While every customer has its unique data challenges, there are patterns. With a nod to the Mark Twain quote, “History does not repeat itself, but it rhymes,” many of these meetings feel like a new stanza being added to our customers’ collective journey of implementing a comprehensive data security strategy.

So what are the biggest recurring issues we are seeing? It may surprise the reader what they are not: they are not about technology. Technical issues and questions, product enhancement requests, and feedback on roadmaps and plans will always be there, but generally they are second-order concerns. The first-order concerns have nothing to do with technology and everything to do with how to get started, organizationally and operationally, with empowering the enterprise to use data safely.

“My organization still tends to operate in a data-silo-specific fashion. How do I empower my security practitioners with enterprise-wide responsibility, and what are the best practices for ensuring this unavoidable matrix of roles and responsibilities works together effectively?”

“How can I best engage with the business groups who need to use sensitive data, so I can secure it without impacting their ability to do their jobs?”

“I don’t want to boil the ocean, so where can I get started?”

“How do I measure success, and what carrots and sticks can I use to hold people accountable to that success?”

These are the more fundamental questions, and they should be asked first, because their answers will drive how the various data security technologies are used, instead of just throwing more technology at the problem and then wondering why it is not making much difference. In short, understand what it is one is trying to build before applying hammers to nails.

Warren Bennis, author and management consultant, once said, “Managers do things right, leaders do the right things.” Collectively, the data security vendor community may have over-rotated on debates about how to do things right: whether this or that technology, encryption algorithm, or deployment model is better. But this is beside the point if we are not clear on whether we are trying to do the right things. Questions such as how to empower security practitioners to operate across silos, what the business context is in which sensitive data is being used, what the optimal way is to protect that data without disrupting that business context, and how to measure and hold stakeholders accountable should all be answered before putting hands to keyboard on any technology.

In short, these are the “what are the right things” questions. Typically, they are addressed by a group of data security practitioners with enterprise-wide responsibility, usually under CISO sponsorship, that takes ownership of data security requirements holistically, consults with data owners and data users alike, and arrives at an optimal set of policies along with best practices for managing and measuring those policies. This “data security competency center”, if you will, then takes long-term ownership of the who, what, and why of enterprise data security: the “right things” that should be identified before any technology is implemented to do those things right.

As we have socialized these best practices with prospects and customers, including the steps summarized in “We Have It Wrong”, the feedback has been tremendous. The notion of establishing an enterprise-wide competency to drive data security more holistically across silos is new to many, but it makes sense as the most effective way of dealing with this cross-silo complexity. This prompts the question: what have they been doing thus far? In almost all cases they were doing something, including data protection implemented to varying degrees across various silos. However, in almost all cases they know there is a better way; they just need guidance on how to get started. Knowing is half the battle.

My sense is that the data security market is going through an inflection point not unlike what many technology markets go through when shifting from tools and technology toward enterprise-class solutions. Eventually the vendor community realizes the importance of, and customers increasingly demand, best practices for applying technology to complex problems in a repeatable way. Protegrity has developed such best practices, and I expect we will continue to evolve and eventually formalize them, jointly with other vendors and with consortia such as the EDM Council. These best practices may vary by vertical (such as healthcare or consumer banking) as well as by regulatory jurisdiction (consider the European Union’s recent establishment of GDPR, the latest incarnation of its push to ensure the protection of its citizens’ sensitive data).

Expect to hear more in the coming months, both about the best practices themselves as they continue to evolve and about how best to use various technologies to implement them. Ultimately the CISO and other data security owners should be able to wield enterprise-wide responsibility for data security in a repeatable way, and address both questions: first as leaders, empowered to define the right things to do in their organizations, and then as managers, doing those things right through the right mix of tools and technologies.

The post Data Security – Doing the Right Things vs. Doing Them Right appeared first on www.protegrity.com.
