
EFFECTIVE CYBERSECURITY BEGINS WITH IDENTIFYING AND PRIORITIZING CRITICAL DATA ASSETS

Security is big business. Many organizations are spending heavily on information security without measuring its return on investment (ROI), adequately protecting their most valuable data, or even understanding which information is most critical to the bottom line. This budgetary black hole stems from the belief that all information must be protected equally. And despite the high percentage of IT budgets that security commands, incidents are multiplying and the impact to the bottom line is more pronounced.

More money isn’t the answer, nor is more technology. Distributed workers, branch offices, mobile devices, and the evolving Internet of Things (IoT) mean organizations must be smarter about how they secure information. How it is shared and consumed has radically changed. Organizations must truly understand what it is they are protecting, and its value.

Outside expertise can bolster an assessment process to build a business case for information security spending and operationalize a change in mindset that delivers ROI and protects your critical data assets.

No One Is Asking the Right Question

It’s hard for organizations to step back and understand what information is the most valuable when faced with exponential data growth. But protecting every bit of data equally isn’t a viable strategy.

Organizations must narrow their scope so they can marshal their resources effectively to protect what’s most important, rather than spending large amounts of money on security with arbitrary budgets. For decades, technology has been the answer, but now it’s time to ask the question: What is a critical data asset? The financial consequences of not asking this question or prioritizing information are many. The most notable is a rise in security spending, which, according to research from the SANS Institute, has increasingly cannibalized the overall IT budget. It found some organizations were spending nearly 30 percent of their IT budget on security, but only 22 percent benchmark IT security spending practices¹.

Even with these large information security budgets, valuable and sensitive information is still getting compromised. The result is lost revenue due to fines for non-compliance, a loss of competitive advantage, settlements from litigation, and damaged reputations. Research from Gartner found most organizations will continue to misconstrue average IT security expenditures as a guidepost for assessing security posture through 2020².

CONTENTS

Part 1: No One Is Asking the Right Question

Part 2: Compliance Is Not Security

Part 3: It’s Time to Think Differently About Information Security

Part 4: Do You Know What Your Critical Data Assets Are?

Part 5: Get Another Set of Eyes

Part 6: Take Security Beyond Compliance and Checklists

An InteliSecure Whitepaper


intelisecure.com

Compliance Is Not Security

Organizations also tend to rely on privacy legislation and other regulations to guide security spending practices and decide which information is valuable. Although it provides a checklist to meet compliance obligations, this reliance still leaves many critical data assets unprotected. Industries without meaningful regulation are more vulnerable to the threats their data faces.

Regulated organizations such as those in healthcare and finance tend to be slightly ahead of the curve when it comes to protecting sensitive data because it’s mandated that personally identifiable information (PII) such as patient records and credit card numbers be protected.

A hospital with an immature security strategy can still be compliant with the Health Insurance Portability and Accountability Act (HIPAA). However, the patient data it’s protecting may be less valuable than the research data in the lab supporting a patent application. The millions spent gathering that research data may have greater long-term value because it has the potential to attract grant money and generate billions in future revenues. Patient data, on the other hand, is only worth money to the organization in so much as the hospital will incur fines or face litigation in the event of a data breach, or how much someone is willing to pay for it through an illicit marketplace.

But security begins where compliance ends. Most valuable information doesn’t fall under any regulation or legislation. Examples include merger and acquisition strategies, intellectual property, and trade secrets, to name a few. They all have the potential to adversely impact the bottom line should they be compromised. Look at the litigation that erupted from Google’s spirit of openness when it comes to data: Its self-driving car spin-off Waymo ended up facing Uber in court to put the brakes on Uber’s self-driving-car research³.

In December 2016, Waymo accused Uber of stealing trade secrets and intellectual property, as well as infringing on patents related to its remote sensing systems. This alleged theft was reportedly facilitated by a departing Waymo engineer who downloaded large amounts of data to an external device. He would go on to work at another startup that was later acquired by Uber, along with the data he took with him. Google no doubt takes information security seriously, but intellectual property and future revenue potential were still jeopardized, and untold amounts of money have been spent on litigation.

Adhering to privacy legislation and other regulations can create additional tasks within existing workflows. Information security sometimes builds barriers to getting things done because techniques tend to restrict access rather than control it. Taken to the extreme, organizations mitigate risk by avoiding a situation completely, which impedes transactions that generate revenue and profits. A merchant can avoid putting PII at risk by not accepting credit card payments, but the inconvenience for customers will push them to shop with competitors. There’s a direct impact to the bottom line.

Done correctly, information security is an enabler, not a barrier. It’s a stool held up by three legs: technology, people and processes. If one leg isn’t sturdy enough, the stool collapses. Having a strong technology leg cannot make up for a lack of security policies or skills.

It’s Time to Think Differently About Information Security

Aligning technology with business requirements is a standard best practice, but many organizations don’t take the same approach for security expenditures. That’s why realizing ROI on information security requires a new way of thinking. Organizations must understand their data at a deeper level so they can assign appropriate valuations. The value of data is the foundation of a business case for information security spending. How critical that information is to the organization should determine the effort made to protect it, including technology, processes and people. Developing a business case provides a clear picture of the dollars being spent, which is what allows for ROI measurement, and illustrates how not all information is equal. Some data is essential to business operations, such as intellectual property and patents, while some can be released into the public domain without any negative consequences.

The Google / Uber confrontation illustrates how not all valuable information is regulated. It also demonstrates that organizations must take a more nuanced view of their data, as well as the processes and policies that govern it. But no one is helping CEOs connect the dots, and many aren’t mandating any ROI calculation for their information security spending.

An InteliSecure Case Study


Calculating that ROI isn’t all that different from how insurance organizations use predictive models. For example, historical data allows them to forecast how often a major hurricane will hit a certain region and estimate the level of devastation in dollars. This determines the premiums they need to stay solvent. Similarly, getting an ROI on your security spending is about anticipating incidents that haven’t happened yet. You must weigh the cost of the protections you put in place with the financial impact of any breach and its likely frequency.

The insurance example illustrates the change of mindset that’s necessary. Diversifying the teams responsible for information security can help you operationalize the resulting shifts in policy that create a better culture of security throughout the organization. People with backgrounds in criminal justice and the intelligence community can bring in complementary soft skills and perspectives that can tie together technology and human behavior as well as new ways of problem solving.
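The frequency-times-impact reasoning above can be carried through in code. The following is an added example, not code from the whitepaper or from InteliSecure: each asset’s expected annual loss is the loss from one compromise multiplied by how often a compromise is expected, and a proposed control is worth funding only when the loss it avoids exceeds what it costs. Every asset value, breach rate, control cost and the budget figure are constructed sample numbers (assumptions), and the greedy allocation by return on security investment is one simple way of applying the idea, not the whitepaper’s own method.

```python
"""Risk-based prioritization of security spending (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    loss_per_incident: float   # dollars lost if this asset is compromised once (assumed)
    incidents_per_year: float  # expected compromises per year with current controls (assumed)


@dataclass(frozen=True)
class Control:
    name: str
    asset_name: str            # the asset this control protects
    annual_cost: float         # assumed yearly cost of running the control
    rate_reduction: float      # fraction of incidents_per_year the control removes (0..1)


def annual_loss_expectancy(asset, rate_reduction=0.0):
    """Expected yearly loss: impact x frequency, after an optional rate reduction."""
    return asset.loss_per_incident * asset.incidents_per_year * (1.0 - rate_reduction)


def rosi(asset, control):
    """Return on security investment: (loss avoided per year - control cost) / control cost."""
    avoided = annual_loss_expectancy(asset) - annual_loss_expectancy(asset, control.rate_reduction)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_by_exposure(assets):
    """Asset names ordered by expected annual loss, largest first: the list a CAPP-style
    assessment would start from instead of treating every asset as equal."""
    return [a.name for a in sorted(assets, key=annual_loss_expectancy, reverse=True)]


def fund_controls(assets, controls, budget):
    """Greedy allocation: fund controls in descending ROSI order, skipping any whose ROSI
    is negative (they cost more than the loss they avoid) or that no longer fit the
    remaining budget. Returns (names of funded controls, total residual annual loss)."""
    by_name = {a.name: a for a in assets}
    scored = sorted(controls, key=lambda c: rosi(by_name[c.asset_name], c), reverse=True)
    funded, remaining = [], budget
    reduction = {a.name: 0.0 for a in assets}
    for c in scored:
        if rosi(by_name[c.asset_name], c) < 0 or c.annual_cost > remaining:
            continue
        funded.append(c.name)
        remaining -= c.annual_cost
        reduction[c.asset_name] = c.rate_reduction
    residual = sum(annual_loss_expectancy(a, reduction[a.name]) for a in assets)
    return funded, residual


# Constructed sample register: research data outranks patient records here, matching
# the whitepaper's hospital illustration, and brochures are a commodity asset.
SAMPLE_ASSETS = [
    Asset("lab research data", loss_per_incident=5_000_000, incidents_per_year=0.1),
    Asset("patient records", loss_per_incident=2_000_000, incidents_per_year=0.2),
    Asset("marketing brochures", loss_per_incident=10_000, incidents_per_year=1.0),
]

# Constructed candidate controls, one per asset.
SAMPLE_CONTROLS = [
    Control("DLP on research file shares", "lab research data", annual_cost=100_000, rate_reduction=0.6),
    Control("encrypt patient database", "patient records", annual_cost=80_000, rate_reduction=0.5),
    Control("extra web filtering for marketing", "marketing brochures", annual_cost=20_000, rate_reduction=0.5),
]

if __name__ == "__main__":
    print("exposure ranking:", rank_by_exposure(SAMPLE_ASSETS))
    for c in SAMPLE_CONTROLS:
        asset = next(a for a in SAMPLE_ASSETS if a.name == c.asset_name)
        print(f"{c.name}: ROSI {rosi(asset, c):+.2f}")
    funded, residual = fund_controls(SAMPLE_ASSETS, SAMPLE_CONTROLS, budget=180_000)
    print("funded:", funded, "residual annual loss:", round(residual))
```

With the sample figures the brochure control is rejected outright because it costs more than the loss it could ever avoid, which is the “overprotected commodity asset” the whitepaper describes; the two high-exposure controls absorb the whole budget and cut expected annual loss from 910,000 to 410,000.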

Do You Know What Your Critical Data Assets Are?

Tapping different viewpoints helps organizations to stop looking at every piece of data as if it were of equal value and answer the most important question of all: What is it they are really trying to protect?

Answering this question will refocus the organization on how information security can be an enabler of business operations. This is done by determining which data constitutes a critical data asset, how it flows through the organization, and linking it to business drivers. Rather than applying security equally to all information, organizations must identify the information that’s likely to be targeted by a threat actor, and learn to worry less about non-critical data assets.

As it stands now, the critical data assets in many organizations are under-protected and the commodity assets are overprotected, unless the organization has a Critical Asset Protection Program (CAPP). Just as an insurer plans for large hurricanes, a CAPP is an assessment process that helps organizations plan for the inevitable threat to their critical data assets. Someone will attack. It’s just a matter of how and when.

A CAPP works on the premise that every organization is likely to have three distinct types of information: that which can be shared freely; that which can be shared with certain audiences in specific ways, often referred to as sensitive information; and that which should remain confidential to the organization and never shared, otherwise referred to as secret or internal information.

This segmentation and prioritization process enables the business to apply appropriate controls to enforce the proper use and sharing of corporate information. It encompasses the communities and channels that handle any information asset. A sales team is a community and an external hard drive is a channel, for example. A resulting process would be a rule that defines the type of sales information that’s allowed on a portable drive and which salespeople can have that data on that storage device. The policy balances risk with the activities necessary for driving revenue.
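The community/channel rule described above, expressed as a default-deny policy check. This is an added example and not InteliSecure’s CAPP tooling: the three tiers follow the three kinds of information the whitepaper names (shareable freely, sensitive, secret), while the rule table, information types, community names, channel names and the audit line format are constructed for illustration (assumptions).

```python
"""Community/channel policy check for classified information assets (added example)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    PUBLIC = "public"        # may be shared freely
    SENSITIVE = "sensitive"  # shared with certain audiences in specific ways
    SECRET = "secret"        # stays inside the organization, never shared


@dataclass(frozen=True)
class Asset:
    info_type: str  # e.g. "price_list" (constructed label)
    tier: Tier


@dataclass(frozen=True)
class Rule:
    """Which community may move which sensitive information type over which channel."""
    info_type: str
    channel: str
    communities: frozenset


@dataclass(frozen=True)
class Request:
    asset: Asset
    community: str  # the group handling the data, e.g. "field_sales" (constructed)
    channel: str    # the path it travels, e.g. "portable_drive" (constructed)


def evaluate(req, rules):
    """Decide a transfer. Default is deny: only public data, or a sensitive type that a
    rule explicitly grants to this community over this channel, is allowed."""
    if req.asset.tier is Tier.PUBLIC:
        return True, "public information may be shared freely"
    if req.asset.tier is Tier.SECRET:
        return False, "secret information may not leave the organization"
    for rule in rules:
        if rule.info_type == req.asset.info_type and rule.channel == req.channel:
            if req.community in rule.communities:
                return True, f"rule permits {req.community} to put {rule.info_type} on {req.channel}"
            return False, f"{req.community} is not an approved community for {rule.info_type} on {req.channel}"
    return False, f"no rule covers {req.asset.info_type} on {req.channel}"


def audit_line(req, rules):
    """One line for the security log, so every allow and deny decision is reviewable."""
    allowed, reason = evaluate(req, rules)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} {req.asset.tier.value} {req.asset.info_type} "
            f"community={req.community} channel={req.channel} reason={reason!r}")


# Constructed rule table: only regional sales managers may carry the price list on a
# portable drive; the wider sales community may send it by corporate email. Any
# sensitive type without a matching rule is denied.
SAMPLE_RULES = [
    Rule("price_list", "portable_drive", frozenset({"regional_sales_managers"})),
    Rule("price_list", "corporate_email", frozenset({"regional_sales_managers", "field_sales"})),
]

# Constructed requests covering each branch of the decision.
SAMPLE_REQUESTS = [
    Request(Asset("price_list", Tier.SENSITIVE), "regional_sales_managers", "portable_drive"),
    Request(Asset("price_list", Tier.SENSITIVE), "field_sales", "portable_drive"),
    Request(Asset("customer_contracts", Tier.SENSITIVE), "field_sales", "portable_drive"),
    Request(Asset("product_brochure", Tier.PUBLIC), "field_sales", "portable_drive"),
    Request(Asset("unfiled_patent", Tier.SECRET), "research", "corporate_email"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_line(req, SAMPLE_RULES))
```

The point of the default-deny shape is that adding a new channel or community never silently opens a path: a transfer of sensitive data is permitted only by a rule someone wrote, and the reason is recorded with the decision, which is what makes the policy auditable when the business later asks why a sale was blocked or why data was allowed out.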

A CAPP effectively maps the lifecycle of an information asset and how it’s used. It factors in the actual attributes of the asset and the kind of information it holds, such as PII, product development schema and pricing information. By assigning a value to each asset, an organization can calculate the repercussions of losing that data. It even recognizes that asset value fluctuates so protection can be adjusted accordingly. The mapping process identifies your critical data assets, determines their value and applies the commensurate, policy-driven protection, thereby enabling a business case for security so ROI can be effectively measured.

DEFINING A CRITICAL DATA ASSET

Many organizations don’t take the time to truly understand the value of their data and spend large amounts of time and money to protect all information equally.

Instead, organizations must define what constitutes a critical data asset for them. A critical data asset is data that if lost, stolen or otherwise compromised would cause significant damage to an organization’s bottom line and/or reputation. Critical data assets vary depending on the organization, industry and sector. Here are some examples:

Intellectual Property: Examples include unfiled patents, manufacturing processes, product designs, and drug formulae.

Research Data: Similarly, research at various stages of completion has the potential to generate future revenue through patents and competitive advantage.

Market Strategy: What products companies are going to market with, as well as when, how and pricing, are valuable to a competitor looking to gain the upper hand.

Geographical Data: Land surveys for the purposes of resource exploration or simply for expansion planning are critical to the organization’s long-term viability.

Personally Identifiable Information (PII): In healthcare, this would be a patient record; in finance, personal banking information; in e-commerce, a customer record.

Get Another Set of Eyes

A third party can help guide the assessment process required to make the business case for information security.

A key consideration for selecting a partner is their ability to provide a describable process for assessing and mapping the organization’s critical data assets and how they will help operationalize the results. It’s not a cookie-cutter approach, however. They should conduct the assessment of the business as if it is a unique entity.

And even though technology is only one leg of the stool, a partner should understand the available technology options and how they can play a role in securing the organization’s most critical data assets. That expertise should be combined with the characteristics of a business consultancy that understands relevant regulatory and industry pressures. Just like adding diversity to the information security team brings in new perspectives around data protection practices, the expertise of a third party can provide a framework that guides the assessment.

Take Security Beyond Compliance and Checklists

A CAPP asks the necessary questions within a framework that delivers actionable answers. It outlines how to effectively combine technology, people and processes to govern and protect data based on its value. A CAPP will undoubtedly raise the bar for information security organization-wide by taking it beyond mere compliance and ticking off boxes in a checklist. It enables business and mitigates risks.

By identifying critical data assets and understanding that not everything must be protected equally, organizations can realize ROI from their spending on information security and plug the budgetary black hole. Just like any other IT investment, it is possible to make the business case for security.

1. Barbara Filkins, SANS Institute, “IT Security Spending Trends,” February 2016.

2. Rob McMillan and Sam Olyaei, Gartner, “Identifying the Real Information Security Budget,” August 6, 2016.

3. Biz Carson, Business Insider, “The real fight between Uber and Google over what ‘may be the most lucrative business in history’ is starting,” May 2, 2017.

About InteliSecure

Founded in 2002, InteliSecure works with its clients to identify, prioritize, and protect critical intellectual property and other key assets that if stolen, or otherwise exposed, would cause significant financial and reputational damage to their bottom line.

InteliSecure provides a portfolio of Consulting, Technical, Penetration Testing, GRC and Managed Security Services to develop data and threat protection security programs that can adapt and grow with our clients’ needs. From initial strategy and design, to fully managed security programs, InteliSecure’s proprietary Critical Asset Protection Program (CAPP) methodology provides for a more proactive security solution than traditional Managed Security Service Providers. Visit www.intelisecure.com for more information.

© 2017, InteliSecure, Inc.