Data is mission critical in the modern digital era. The ability to gain proactive, actionable insights from business data can help foster innovation, enhance operating efficiency, support continuous improvement (e.g., predictive analytics), and inform business decision making.
The modern data- and cloud-centric digital era has given rise to the important principle of Data Sovereignty. There are two primary perspectives on data sovereignty:
- Protect the PII (personally identifiable information) of a citizen or resident within the country in which a company operates.
- Safeguard an individual's right to control and update/delete their own data.
Regulations galore
Against this backdrop, there are myriad global data protection regulations. The EU's General Data Protection Regulation (GDPR) is widely considered the de facto gold standard. Potential penalties due to a data breach or demonstrable violation or non-compliance range from a minimum of 20 million euros to 4% of a company's worldwide revenue. This monetary loss is also amplified by the brand and reputational impact and diverted executive management focus which can affect business operations. Further, in addition to the above sanctions which may be enacted by data protection authorities, civil suits can also be initiated by affected individuals.
The stakes could not be higher for companies today, as other global regulatory bodies have emulated the European precedent to varying degrees. Additionally, there are sectoral privacy regulations in the United States, such as the Health Insurance Portability and Accountability Act (HIPAA), and state level regulations like the California Consumer Privacy Act (CCPA).
The potential loss of reputation from a privacy breach is a clarion call for business executives and CISOs. In addition, the risks of monetary and operational damage render it mission critical for enterprises to envision and enact the appropriate People, Process, and Technology safeguards to assure data protection and privacy.
The TRIAD Model
During my career as a CISO, I relied on my TRIAD Model to envision, enact, and mobilize Information Security & Privacy strategic planning and roadmap execution activities with foundational pillars as illustrated below.
T – Technology
- Essential to secure the digital enterprise across the Infrastructure, Application and Services dimensions of a layered security architecture. Stay abreast of:
  - Current trends such as Zero Trust, Cloud Security, IoT Security, Ransomware, Supply Chain Security, BYOD / Mobile Security, etc.
  - Emerging trends such as Artificial Intelligence, Machine Learning, Network Observability, Self-Sovereign Identity, etc.
R – Resilience, risk management, and regulatory compliance
- Cyber resilience is mission critical and enhances business value, as even the best cybersecurity cannot guarantee 100% protection. Resilience protocols and measures must be designed to ensure business continuity and operational service assurance in the event of a breach. It is essential to design and build the capability to recover quickly and in an agile manner while minimizing data loss and downtime. Building a strong incident response plan with playbooks and calibrating it regularly via tabletop exercises with cross-functional stakeholders is paramount. Business continuity plans can help mitigate disruptive incidents.
- Risk management is fundamental for protecting business value and ensuring that the cybersecurity roadmap is centered on mitigating key enterprise risks.
- Compliance with regulations, whether broad-based or sectoral in nature, is mandatory to ensure trust with the appropriate authorities and maintain enterprise reputation.
I – Identity
- A cornerstone of a strong security and privacy program. For a treatise on leveraging "Identity as the Digital Perimeter," please see my article: A Question of Identity: The Evolution of Identity & Access Management
A – Access management and control
- Deploy and maintain a strong access control scheme across the tiers of Role, Context, Attributes, and Data to ensure strong data protection and privacy. It is important to right-size permissions to avoid data exposure when circumstances change (e.g., entitlement creep, service provider rotation, etc.).
- Weak access control processes can lead to breaches and data exploitation.
D – Data characterization, governance, and remediation
- Automated characterization of data (as a baseline and continuously) is vital for data protection and for mitigating business risk from operational and compliance perspectives.
- Governance processes centered on an information classification policy, together with ongoing collaboration between cross-functional business units (IT, Internal Control, HR, Legal, etc.), are essential. Data protection is a team sport!
Business requirements for strategic pillars A & D
- Answer the "What, Who, Where, and Why" quadrifocal questions for enterprise data.
- Gain real-time visibility to data security posture.
- Facilitate continuous monitoring of data risks and threats.
- Enable automated full-scale data classification scanning.
- Enforce data classification policies.
- Correct and optimize access permissions and privileges.
- Detect and protect against cyber threats.
- Streamline incident response actions via alerting and workflows.
- Characterize user behavior via data usage analytics.
- Leverage anomalous data usage trends for proactive protection.
- Support regulatory compliance activities.
Guiding Principles
The following Guiding Principles are an essential framework to develop and deploy a data protection strategy.
- Illustrate: Identify and visualize data assets.
- Classify: Build out a data protection and information classification policy. Classify data assets by business value and risk.
- Understand: Understand access controls and permissions on data stores; identify gaps and risks.
- Train: Leverage basic data protection training and functional boot camps to drive home key principles and reinforce policy understanding.
- Optimize: Apply "fit for purpose" permissions and least privilege access controls based on need-to-know and business role leveraging the trifecta of People, Process, and Technology.
- Adapt: Leverage Zero Trust principles to enact adaptive control schemes in real time, balancing the trifecta of Identity, Device Posture, and Session Risk including user behavior analytics, context, and role. Utilize Interoperability and Integration to initiate workflows and remediation actions.
- Plan: Stay abreast of privacy mandates so as to continuously improve and apply enhanced data protection and governance rules to proactive Identification, Detection, and Protection (as per the NIST Cybersecurity Framework).
Stay ahead of the curve
The vast amount of enterprise data across both cloud and on-premises portfolios keeps growing very rapidly. This precludes the ability to enact the above guiding principles by leveraging people and business processes alone!
A data characterization and governance platform should be the cornerstone and foundation to power adoption of the guiding principles and to assure enterprise data protection. The following key platform features are essential to power forward the program guiding principles. Please note that these principles are focused on protecting Data at Rest irrespective of storage location—cloud or on-premises!
The required capabilities for each of these key platform features are as follows.
Data discovery and classification:
Identify and characterize data based on the corporate data classification policy.
Data security posture management:
Illustrate the location, access permissions/gaps, usage profiles, and the actual security posture of the data dynamically.
Data detection and response:
Monitor incremental and evolving data usage and storage location and enable InfoSec & Privacy teams to enact appropriate permission and access controls changes effectively and efficiently.
Data access governance:
Deploy and enforce appropriate data access policies and access permissions per the "Optimize" guiding principle to assure and maintain a robust InfoSec & Privacy posture to minimize/eliminate data breaches and minimize enterprise risk.
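To make the discovery, classification and posture capabilities above concrete, here is an added example (not code from the original article or from any vendor platform): a minimal scanner over constructed sample files at rest that applies a constructed classification policy, assigns each file the highest level its contents require, and flags Restricted data whose file mode lets group or other users read it (the "Optimize" principle in check form). The policy, detector patterns, directory layout and file contents are all assumptions; the Luhn check shows why pattern matching alone over-classifies, since a 16-digit order number is not a card number.

```python
import pathlib, re, stat, tempfile
POLICY = {"email": "Internal", "ssn": "Restricted", "credit_card": "Restricted"}  # constructed policy (assumption)
RANK = {"Public": 0, "Internal": 1, "Restricted": 2}
DETECTORS = {  # simple PII detectors for data at rest (assumed patterns, not a vendor rule set)
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

def luhn_ok(digits):
    """Luhn checksum: drops 16-digit order numbers that merely look like card numbers."""
    total = sum(int(c) if i % 2 == 0 else (2 * int(c) - 9 if int(c) > 4 else 2 * int(c))
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0

def classify_text(text):
    """Return (highest classification level required by the PII found, {detector: count})."""
    hits = {}
    for name, rx in DETECTORS.items():
        found = rx.findall(text)
        if name == "credit_card":  # keep only Luhn-valid candidates
            found = [m for m in found if luhn_ok(re.sub(r"\D", "", m))]
        if found:
            hits[name] = len(found)
    level = max((POLICY[n] for n in hits), key=RANK.get, default="Public")
    return level, hits

def scan_tree(root):
    """Discovery + posture: classify each file and flag Restricted data readable beyond its owner."""
    results = {}
    for p in sorted(q for q in pathlib.Path(root).rglob("*") if q.is_file()):
        level, hits = classify_text(p.read_text(encoding="utf-8", errors="replace"))
        mode = p.stat().st_mode
        exposed = RANK[level] >= RANK["Restricted"] and bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        results[str(p.relative_to(root))] = {"level": level, "hits": hits, "exposed": exposed}
    return results

def build_sample_tree():
    """Constructed sample files (not real data) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="dspm-demo-")
    for rel, text, mode in [
        ("hr/employees.csv", "name,email,ssn\nAlice,alice@example.com,123-45-6789\n", 0o644),
        ("finance/orders.txt", "order 1234567890123456 paid with card 4111 1111 1111 1111\n", 0o600),
    ]:
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
        p.chmod(mode)
    return root
```

Running `scan_tree(build_sample_tree())` reports the HR file as Restricted and exposed (group/other readable) and the finance file as Restricted but correctly locked to its owner; a real platform would feed the exposed records into the access-governance workflow rather than just returning them.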
AI and machine learning can power and add value to a data governance and characterization platform by helping to:
- Detect anomalies and predict issues before they occur;
- Enable data discovery, correlation, and process automation;
- Streamline operational workflows;
- Automate issue detection and resolution;
- Minimize or avoid incidents and business downtime;
- Facilitate root cause analysis & proactive prevention.
Statista forecasts 75 billion IoT (Internet of Things) devices by 2025, so in practical terms, this means there's going to be an exponential increase in risk due to associated vulnerabilities for IoT devices. This greatly increases the attack surface for enterprises. The security and privacy risk nexus of the IoT is also something CISOs should be concerned about due to a plethora of global privacy regulations.
The security and privacy risk nexus of the IoT is especially manifest in connected cars, for which there is a tremendous amount of data that is collected, processed, and stored. This may include but is not limited to sensor data, voice recognition, driver behavior, conversations, locations traversed, and PII.
Thus, it is crucial to protect data collected by cars and other IoT devices especially in the manufacturing arena to protect data, assure privacy, maintain digital trust, and comply with data protection regulations.
The GDPR has seven guiding principles, namely: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
These principles should be extended to connected vehicle and IoT privacy. Additionally, privacy by design and default is a core tenet. Also, the GDPR recommends data anonymization to minimize the risk of PII breach and identity theft.
A lot of personal data and preferences collected by connected vehicles may be used for secondary and tertiary marketing purposes, so the principle of consent required by the GDPR should also be considered.
From a functional perspective, Information Security is concerned about data, whereas Privacy is about people. Information Security & Privacy are inextricably intertwined only when the data is about people.
Traditionally, InfoSec lies within the IT organization, and Privacy is housed inside the Legal department. It is mission critical to envision and mobilize a coherent strategy and plan to minimize enterprise risk and assure data protection and privacy.
Thus, it is especially important to build and optimize an integrated information security and privacy program powered by a cross-functional coalition of IT, Security & Privacy, Legal, Human Resources, and other key stakeholders.
From the "tone at the top" perspective, the InfoSec & Privacy business coalition should be supported by a council of multi-disciplinary business executives who can review, provide support, promote funding, and eliminate barriers to adoption of the program strategic plan and roadmap.
Closing
Data sovereignty and privacy protection are now mission critical business imperatives in the modern digital era. Remember to leverage the trifecta of People, Process, and Technology across the enterprise ecosystem.
- People: People are the first line of defense; reinforce this via periodic awareness and training.
- Process: Craft and leverage an information classification policy. Map data flows and business processes in tandem with a cross-functional data protection team.
- Technology: Leverage the principles and practices in this article. Protect data in transit via encryption and public-private key certificates as appropriate. Embrace Zero Trust!