Understand the “Why” in Your Data Security Woes

By Nick Vigier

Companies are drowning in data. This is a swelling trend that businesses have no choice but to act on, and security teams are likely to feel the greatest consequences moving forward. There are myriad shiny solutions and schools of thought that seek to make sense of the data influx, but leaders must first ensure the “why” of their data is properly understood. In other words, unless teams across an organization have a clear roadmap from data ingestion to data application, data security problems are guaranteed to follow. 

Not understanding the “why” of data stems from poor data literacy. This causes a snowball effect that welcomes vulnerabilities and devastating breaches. Once teams understand what their data means, how to access what matters, and how to ultimately streamline key processes, they will have a clearer path to insight-driven decisions and success.

Build a Culture of Data Literacy

According to a recent survey, although 99% of businesses know data is vital, only 26% are confident all employees understand the data they work with and how to effectively use it. Herein lies one of the biggest hurdles for modern security teams and an unacceptable oversight for leaders in the tech space: Data literacy is heavily siloed, and many teams that desperately need those skills are hung out to dry. 

The threat of this oversight can be boiled down to dangerous ignorance. Without understanding what data is being used and its purpose, appropriate risk management is impossible. Toxic combinations of data – among other things – lead to unintentional risk-taking, which leaves the business vulnerable to threats. Whether that threat is related to privacy, loss of intellectual property, or competitive damage, data literacy is a vital piece of the protective puzzle. 

As strategic conversations around data literacy increase, data security must be placed at the top of the list. Cyber resilience depends on teams that truly believe in mature data strategy – it is up to leaders to ensure that discipline is implemented on a cultural and action-driven level. 

Upskill Internally and Bring in Subject Matter Experts

Often, subpar data literacy is a failure of internal education and overdependence on one or two individuals. As a solution, leaders must make a targeted effort to upskill their non-technical workforce into “citizen” data analysts. Data scientists are in short supply, meaning teams that need to trim the fat will deprioritize data expertise. This is especially detrimental to managing cyber risk – a CISO cannot be the sole bastion of data security, so leaders must ensure some individuals throughout every team are empowered to address relevant data issues as needed.

Additionally, teams do not need a huge number of resources to properly manage data if the organization takes a consistent and methodical approach to its generation, cataloging, storage, and access. If the approach is consistent, then it can eventually be automated reliably to lower risk while increasing access. If these requirements are not met and data is managed manually, then larger teams are needed to manage the artisanal process of securing data.

Instead of looking internally, many leaders fall for the “sunk cost” fallacy and assume that because significant money is being spent on shiny solutions, a positive ROI will eventually follow. There is no “silver bullet” technology or individual that will bring a data story together. Instead, success on this front requires cooperation and trust that each corner of the organization has a grasp of its data and the end goal that data is tethered to.

Luckily, the majority of companies are headed in the right direction. The aforementioned survey showed 65% of organizations have already kicked off a data literacy program to improve understanding across the board, and that number is sure to increase as the value of training grows more apparent. 

Follow the Three-Pillar Path to Data Success

At the highest level, issues with data can often boil down to a failure in storytelling. When data is being collected, teams are not aligned on purpose, leading to chaos and wasted resources. If security teams don’t understand what story is being told, it is impossible to effectively assess risk because the data life cycle is unclear. 

Therefore, leaders should look at three specific pillars – knowledge, observation, and automation – to tackle one-by-one when dealing with data. Knowledge management is the most crucial (and most glossed-over) step. If teams don’t agree on where the data came from, who owns each piece, and where it should be headed, there is no comprehensible route to success and security risks become uncontrollable.

After context is established, observation is enabled. Data can be processed through whatever lenses necessary with the goal of finding patterns and removing unnecessary steps. 

After observation is completed, teams can leverage data to automate manual tasks and alerts that were previously a great resource drain. This is the ultimate goal of data collection, and will give security teams the intel necessary to provide informed, proven resilience strategies. 

Storytelling and Organization = Success

Just like in any discipline, disorganized and inconsistent approaches lead to ineffective results. Without consistent coordination and a common goal, the wrong problem may be solved or incorrect conclusions may be drawn. In security and beyond, it’s crucial that everyone remain on the same page, with a common understanding of what’s being worked on.

Security succeeds through linking datasets, chaining together events, and telling a story. Whether it’s in an investigation or telling the risk story, security teams must use data as a translator for those on the outside – those that make key decisions within a business. Once the right skills are applied across the organization, data becomes the common language, risk is heavily mitigated, and higher goals are ultimately attainable.