Click here to learn more about author David Schlesinger.
Let us be clear, your system users are mostly brilliant workers, having great knowledge and expertise in their lines of endeavor: scientists, accountants, shipping specialists, logistic planners, attorneys, HR and property experts all keep your enterprise running. They are not, however, experts in every other process in the company. You do not expect the corporate attorney to know how to design and implement your next software project. However, you do expect all of these people to be proficient in cyber security.
You expect them to know better than to click on links in spam email, to not download and open attachments and programs from unknown senders, and to create and memorize a complex and unique password that is changed every 90 days or so. In our “do-more-with-less” business climate, these folks are working as hard as they can to “meet the numbers” assigned to them by management. They abhor any activity that slows them down from their primary responsibility, that also determines their raises and prevents layoffs. They all believe the data security, while meritorious, is not their primary responsibility.
So, whose responsibility is it? Where is the Data Security Officer located in the corporate Organizational Chart?
Let’s look.
The legal department advises the company and the correct methods to remain above the law and within contractual compliance. They do an excellent legal job protecting the enterprise from certain external and internal risk. They do not, however, design software systems nor perform data analysis.
Software developers are rewarded for speed and lack of bugs. They depend on the Business and Data Analysts for requirements, and to tell them which if any data is special and requires additional protection. Determining data protection requirements is certainly not their job.
Business managers know what functionality they require, and often believe that developers and cyber security people will protect their data in accordance with corporate policies. Yet data protection in terms of system design is not their prime business: their prime business is taking care of business.
The cyber security folks, often found in the basement offices, are usually not consulted regarding system protection until after the hack and the data are lost. They believe that the Business Analysts, Data Analysts, Corporate Counsel, and the Developers have this well in hand. They concentrate on keeping out hackers, patching all systems, managing VPN operations, assuring that authorizations are valid and cleaning up infected user systems. Regardless, they have little or no visibility into the data used in each corporate application they believe that identifying sensitive data is a business responsibility. Managing the governance for corporate data is, of course, not at all their job.
Do you see a pattern here?
Even though Data Security is a missing box on most organizational charts, there are actually many methods, tools, processes, and policies to protect information. They could be easily implemented if cyber security specialists were to emerge from their cubes down in the basement, and, blinking in the light, be invited to project development planning meetings.
It may be that certain sensitive data should never be allowed to be downloaded to any computer that is not encrypted. That would be a good policy for many corporations. Indeed, which data would this be? Where is it located? Which user entitlements would access it? How does the company keep track of all this? It seems daunting. It need not be. It might seem daunting to identify which data elements are sensitive to which regulations, but this need happen only once. While data values change constantly, metadata definitions, such as “age” or “Purchase Order” remain the same for years, if not decades. Once done and captured in the metadata repository, the job is completed.
Using tools available within the information security industry, all this can be enforced easily and automatically but it is seldom specified. Often the busy user is instructed to install encryption. Often corporate users are very busy and put it off forever. If enforced, they would need to have encryption installed on their system just to gain access to the sensitive system. Being told that to continue their work they need to install a program to protect the information as a non-negotiable requirement will motivate all of them to download and load the encryption program. No exceptions. Security systems can easily make this an automated enforcement and also assure this encryption every time they log into the system. When their computer configuration compliance it is a transparent and automated protection, lost laptops cease to be a major problem.
It is inevitable that hard working employees will introduce malware as part of doing business. A recent test showed that 25% of employees clicked on one or more phishing emails made to look like a real crises that involved them. Even security professionals can inadvertently connect to infected websites. Alas, there is a lot of Internet crime headed our way.
It is unfortunate, but necessary, to realize that the global infrastructure environment allows everyone on the planet to be at the other end of your network. The light at the end of the tunnel however, is a trove of amazing new data security tools, appliances, services, and techniques that lie unknown, unloved, and usually underfunded in your enterprise security budget. What is sometimes missing is the organizational structure to make it somebody’s business to implement data governance based on data security and sensitivity metadata.
Who is going to coordinate all these elements into a comprehensive secure architecture with full metadata knowledge and location of all the sensitive information and the proper protections?
If there is not a box on the corporate organizational chart for a Data Security Officer, then it is up to you – who else?