In Part 1 of this blog series, we introduced the topic of boundaries and argued that traditional silo-oriented thinking is arguably the biggest barrier to implementing comprehensive data security. In Part 2, we offered practical guidance on overcoming those boundaries by understanding the business initiatives of your organization that depend most critically on data. In this third and final part, we explore how to translate that understanding into action and quickly establish a data security competency.
First, consider that each of these business imperatives (whether customer engagement, data modernization, regulatory compliance, or anything else cross-functional in nature) likely spans on-premises and cloud data, transactional and analytical data, small and big data, and so on. Avoid going bottom-up, engaging with each such “silo” in isolation and trying to find the ideal implementation for each silo’s distinct and specialized requirements. While that may make sense for one application, database or data warehouse, across many silos it drives up cost and time and increases perceived risk in the minds of the various stakeholders. Whatever goodwill you gain by clearly explaining the benefits of operating data security across silos, you would lose by implementing something that appears too time-consuming, risky and expensive. Instead, we advocate not letting the perfect be the enemy of the good-enough. There are two disciplines to follow to implement good-enough data security for the purpose and business context of the overall initiative: get established quickly, then, where requirements dictate, add deeper and finer-grained protection.
1. Focus on the data assets that are most critical to the success of the overall business initiative.
First, consider only those data assets that are most critical to protect given the business imperative you are supporting. You avoid boiling the ocean and focus on the data that all stakeholders agree is most important, which builds goodwill and support for moving on to other assets later. Which data assets to protect becomes obvious when you consider which data must flow from silo to silo to support the business initiative. For example:
- For digital transformation/customer engagement types of programs:
  - Clearly, PII, in addition to anything in scope for the PCI DSS (cardholder data), needs protection given how widely such data may otherwise be distributed to marketers and other analysts throughout your organization.
  - Also consider regulatory regimes like the European Union’s General Data Protection Regulation (GDPR), which defines personal data broadly and requires appropriate technical and organisational measures, explicitly naming pseudonymisation and encryption of personal data (Article 32).
- For data modernization and democratization types of programs, the program owners will usually have a clear idea of which business functions they want to enable first with self-service data access and analytics. Each follows a common pattern: data comes from various transactional sources, is pushed through a big data lake or other large-scale analytical environment, and lands in front-end tools for self-service data collaboration, enrichment and reporting.
  - Often it is the Sales and Marketing functions that are first empowered by such initiatives. Thus, as with customer engagement projects, customer PII and cardholder data, as well as potentially proprietary point-of-sale data and demand generation data, need protection.
  - Financial data often follows, including various transactional data, usually divided into cost centers or other budgetary jurisdictions.
  - Manufacturing and Supply Chain data may also be included, especially in industries with complex supply chains (such as high-tech manufacturing, aviation, construction, and energy) or with high volumes of products flowing through multiple distribution channels (such as consumer-packaged goods and consumer electronics). Data may include proprietary product codes, bills-of-material, pricing, inventory, and demand forecasting data.
- For regulatory compliance types of programs, the most critical data assets are the easiest to identify: the regulations spell them out. For example, healthcare providers implementing electronic health records (EHR) to share with insurers, other providers, and the patients themselves must comply with HIPAA, which defines protected health information (PHI) and, in its de-identification safe harbor, enumerates the identifiers that must be removed.
Once you have identified the most critical data assets, you can determine how best to protect just that data across the various silos in which it materializes. At this point, your attention turns to achieving the “quick win”: quickly establishing credibility with the initiative owners by implementing security that is good enough for the purpose and business context of their overall initiative.
2. Focus on a protection implementation that achieves good-enough security as quickly as is practical, thus achieving quick wins.
Lighter-weight and sometimes less fine-grained protection, fit for the overall business imperative’s requirements and with the residual risks understood and accepted by the stakeholders, is often a good way to start small and achieve near-term success as a security practitioner. Walking before running!
For this, consider gateway technology: a proxy that sits in the data path and applies field-level protection (tokenization, masking or encryption of individual fields) to data flowing over a common protocol like HTTP, so that the consuming application never receives the clear value. Be clear about what this does and does not cover: it protects data that passes through the gateway; data already sitting in the source system, and any path that bypasses the gateway, remain unprotected until the data-at-rest protection discussed below is added. Good-enough security, with these additional benefits:
- Avoid the overhead of more rigorous testing, change management and downtime that comes with installing protection on the app’s own host. Your project managers can rest easy.
- Reduced risk of performance or functional impacts on the app itself. With all protection-related overhead on distinct services, the app owner can rest easy.
- Prove the “quick win,” demonstrating to your champions that security can be easy, and not as onerous as they might fear. Your business-owner champions can rest easy.
- Ability to rapidly iterate. As the data landscape and business requirements change, as they inevitably will, it is much easier to reconfigure gateway-style protection because it is transparent from the app owner’s perspective (with one caveat: an application that validates field formats, such as a Luhn check on a card number, must either receive format-preserving tokens or have that validation accounted for). All stakeholders care about rapid response to rapid change, and can rest easy when they see it!
- Forward compatible with deeper data-at-rest protection if requirements dictate deeper security, i.e. you can start small and then evolve. Any stakeholder with deeper requirements can rest easy that meeting them is an attainable ramp-up, not a significant hurdle.
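To make the gateway idea concrete, here is a small added example (not Protegrity code, and not any particular product’s API) of the filter such a gateway would apply to each HTTP request body before forwarding it upstream. The field names in the policy, the key, and the sample request are all constructed for illustration. It shows the three things a practitioner should insist on from a “good-enough” gateway: deterministic keyed tokenization so downstream analysts can still join and count on the field, a format-preserving option that keeps the last four digits of a card number so support and format checks keep working, and fail-closed handling of anything the gateway cannot inspect, since a body it silently passes through is a bypass.

```python
"""Field-level protection filter for an HTTP gateway (added example, not product code)."""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Hypothetical key. A real gateway would fetch this from a KMS/HSM and rotate it;
# it is hard-coded here only so the example runs offline.
GATEWAY_KEY = b"example-only-key-do-not-use"

# Hypothetical policy: which JSON field names the gateway protects, and how.
POLICY: Dict[str, str] = {
    "email": "tokenize",
    "ssn": "tokenize",
    "card_number": "preserve_last4",
}


def _digest(value: str, key: bytes) -> bytes:
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def tokenize(value: str, key: bytes = GATEWAY_KEY) -> str:
    """Deterministic keyed token: same value and key -> same token, so analysts
    downstream can still join and count on the field without seeing the clear value.
    Caveat: determinism also leaks equality and frequency of the underlying values."""
    return "tok_" + _digest(value, key).hex()[:32]


def preserve_last4(value: str, key: bytes = GATEWAY_KEY) -> str:
    """Keep the last four digits (what support staff usually need) and replace the
    rest with digits derived from the keyed digest. The surrogate is not a reversible
    cipher and is not Luhn-valid; that is the good-enough trade the text describes."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= 4 or len(digits) - 4 > 32:
        return tokenize(value, key)  # too short to partially reveal, or too long to map
    surrogate = "".join(str(b % 10) for b in _digest(digits, key)[: len(digits) - 4])
    return surrogate + digits[-4:]


TRANSFORMS = {"tokenize": tokenize, "preserve_last4": preserve_last4}


def protect(node: Any, policy: Dict[str, str] = POLICY, key: bytes = GATEWAY_KEY) -> Any:
    """Walk a decoded JSON document and protect every policy field, however deeply nested.
    Non-string values (an SSN posted as an integer) are coerced to str so they are not
    silently skipped; skipping them would be a quiet leak."""
    if isinstance(node, dict):
        out = {}
        for k, v in node.items():
            if k in policy and v is not None:
                out[k] = TRANSFORMS[policy[k]](str(v), key)
            else:
                out[k] = protect(v, policy, key)
        return out
    if isinstance(node, list):
        return [protect(item, policy, key) for item in node]
    return node


def gateway_filter(content_type: str, body: bytes) -> Tuple[int, bytes]:
    """What the gateway does with one request body before forwarding it upstream.
    Returns (status, body): 200 with the protected body, or 415/400 to refuse it.
    Fail closed: anything the gateway cannot inspect is rejected rather than passed
    through, otherwise a client could bypass protection by changing the Content-Type."""
    if not content_type.lower().startswith("application/json"):
        return 415, b'{"error":"unsupported content type"}'
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, b'{"error":"malformed json"}'
    return 200, json.dumps(protect(doc), separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    # Constructed sample request, as a marketing app might post to an analytics API.
    sample = json.dumps({
        "customer": {"name": "A. Example", "email": "a@example.com",
                     "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111"},
        "orders": [{"id": 1, "card_number": "4111111111111111"}],
    }).encode("utf-8")
    status, protected = gateway_filter("application/json", sample)
    print(status, protected.decode())
```

The policy is keyed by field name only, which is what makes it cheap to reconfigure as the landscape changes; the price is that a renamed or unexpected field carrying the same data is missed, so the policy needs the same review cadence as the data inventory that produced it.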
Keeping these two disciplines in mind, focusing on the most important data first and implementing its initial protection using as lightweight and quick a method as is practical, will help you achieve quick wins and earn the goodwill of both the overall business-initiative champions and the various app owners whose data you protected more effortlessly than they may have feared.
We close this blog series with a reminder of the nature of data today, and the great opportunity this presents to data practitioners. Today’s critical data projects are inherently cross-silo in nature, as they attempt to drive customer success, drive efficiencies, and comply with regulations in ways that cascade through many parts of your organization. This means transcending the boundaries that have defined your data landscape for the last several decades. The data world really is different now, though not all stakeholders may be fully aware of the implications for their respective jurisdictions. They need to be guided in ways similar to how thinkers and leaders throughout history have challenged long-held assumptions, transcended boundaries and raised awareness of new opportunities and new ways of thinking. This is today’s security practitioners’ opportunity to change their organizations for the better, to lead beyond old boundaries towards new ways of thinking and working that will drive their organization’s success in future decades. Good luck, Neo!
The post Data Security in a Data-Driven World (Part 3): Get the Quick Win! appeared first on www.protegrity.com.