The 80-20 Rule For Security Practitioners
Everyday we learn about yet another egregious data security breach, exposure of customer data or misuse of data. It begs the question why in this 21st century, as a security industry we cannot seem to secure our most valuable data assets when technology has surpassed our expectations in other regards. It’s getting worse: McKinsey in conjunction with the World Economic Forum have estimated that failing cyber security approaches could have an aggregate impact on technology and business innovation of $3 trillion by 2020.
It’s a common underlying misconception that IT staff knows how to secure today’s mission-critical data assets. Firstly, IT practitioners chartered with securing our most data assets may or may not be trained security practitioners and secondly they are relying on the same solutions that have failed in the past, and which continue to fail. And, given ever-increasing data sets, a changing IT environment and a changing threat landscape, it’s hardly safe to assume that IT has an organization’s most valuable data assets secured.
So what needs to happen?
- Organizations need to hone in on securing what really matters – it’s most often just a small subset of all the data most organizations process or handle that needs the most rigorous protection. Rather then trying to boil the ocean and secure everything, organizations need to apply the 80-20 approach and focus on that 20 percent of data that is most critical.
- Data security tools need to be automated. Today’s outdated fragmented toolsets require a considerable ongoing investment in day-to-day management to even come close at being effective. We should be able to harness big data analytics and today’s advanced algorithmic technologies towards pinpointing and then securing an organization’s most valuable assets.
- Encryption is not a panacea for everything. Encryption strength varies and key management is also an important part of encryption. And as we enter the world of IoT, we need to rethink how we secure and manage data through the lifecycle of machines and the data that those machines generate and exchange.
- Finally, business leaders have to find ways to work with IT for a much more strategic approach to securing and managing the data assets which comprise the lifeline of their business. This means talking about IT security in business terms versus focusing on IT terms which may not capture the real value of the data that needs securing.
By Evelyn de Souza
Evelyn de Souza focuses on developing industry blueprints that accelerate secure cloud adoption for business as well as everyday living. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn was named to CloudNOW’s Top 10 Women in Cloud Computing for 2014 and SVBJ’s 100 Women of Influence for 2015. Evelyn is the co-creator of Cloud Data Protection Cert, the industry’s first blueprint for making data protection “business-consumable” and is currently working on a data protection heatmap that attempts to streamline the data privacy landscape.