The digital revolution offers CIOs and their Chief Security Officers an unprecedented opportunity to rearchitect their security infrastructure and embed security at the core of their business.
It offers the chance to break from the increasingly expensive and unwinnable arms race with hackers, cybercriminals and disgruntled former employees, who between them account for most data breaches, and to begin afresh.
Of course, the data-driven business and technology revolution we are living through poses significant security challenges. The more data that is created, stored and shared, the larger the attack surface and the more places from which it can leak.
And those vulnerabilities keep getting exploited. Major UK data breaches announced in the first four months of 2017 include those at payday loan company Wonga, Sports Direct, mobile network Three, Debenhams and ABTA, the travel agents’ national body. The UK’s record is, of course, no better or worse than that of other countries.
The ubiquitous availability of analytics technologies means cybercriminals can combine many of these disparate stolen data sets and extract deeply damaging information on individuals and companies, which in turn makes them more vulnerable to targeted attacks.
No wonder, then, that Experian, the global credit reporting giant, describes the period we are living in as the “age of mass data compromise”.
That is the reality that business and technology leaders have to face, and in response governments have stepped up compliance demands. Europe’s General Data Protection Regulation (GDPR), for example, will take effect in May 2018, and the European Commission is drafting a further set of privacy rules to replace the current ePrivacy Directive, intended to apply from the same date. In the US, the State of California alone is introducing five new privacy laws this year covering data collection practices.
Commenting on the new regulatory challenges, Pete Hulme, Dimension Data’s Business Technical Lead for Data Centres, says, “Compliance is necessary, but it is not sufficient. Much that is in the regulations seeks to encapsulate best practice, but regulation always lags behind the threats posed by cybercriminals.”
More important, argues Hulme, “Compliance should not be the primary determinant of an organization’s data security strategy. In the digital world change is constant and accelerating, and managing that change and the risks it brings should be a key driver for your security strategy.”
For CIOs and business technology leaders there should be three pillars to a security strategy for the digital era.
The first is to design in and embed security into all new products, services and businesses from the start. Security and data integrity must be an integral part of the solution, and not a last-minute ‘bolt-on’ to a process.
“Security is one of the key factors in solutions design and engineering, and it is becoming the paramount consideration. Generally, it costs between 30 and 60 times more to try to correct a security weakness in production than to design it out in the first place,” explains Hulme.
One key way of designing in security is to focus on protecting the data itself, at rest and in transit, rather than treating the network perimeter of the organization as the primary line of defence.
The pioneers of this approach, the Jericho Forum, called the process “de-perimeterisation”. Analyst group Forrester gave the concept a less abstract label, “Zero Trust”, which in essence argues that as an organization’s boundaries become more porous and fluid, the key to security is to put micro-perimeters around specific data and assets, so that granular access rules can be enforced per asset rather than inferred from where a request comes from.
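The micro-perimeter idea above, as an added example that is not code from this page, Dimension Data, Forrester or the Jericho Forum: a minimal per-asset policy check in which the decision depends on identity, device posture and the asset's sensitivity, and the client's network location is logged but never grants access. The asset names, roles, posture fields and IP ranges are constructed assumptions for illustration only.

```python
"""Added example: a minimal Zero Trust (micro-perimeter) access decision.

Illustrative code, not Dimension Data's or Forrester's. All names below
(assets, roles, device-posture fields, the 10.0.0.0/8 "corporate" range)
are constructed assumptions so the file runs offline.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy store: one micro-perimeter rule per data asset.
# A real deployment would load this from a policy service.
ASSET_POLICY = {
    "customer-pii-db": {
        "sensitivity": "high",
        "allowed_roles": {"support-agent", "dpo"},
        "require_mfa": True,
        "require_managed_device": True,
        "require_disk_encryption": True,
    },
    "marketing-assets": {
        "sensitivity": "low",
        "allowed_roles": {"marketing", "support-agent", "dpo"},
        "require_mfa": False,
        "require_managed_device": False,
        "require_disk_encryption": False,
    },
}

# Assumed internal address range. It is recorded for audit purposes only;
# being on it is deliberately NOT an access grant.
CORPORATE_NETWORK = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    disk_encrypted: bool
    source_ip: str
    asset: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Return an explicit allow/deny, listing every control that failed.

    Unknown assets are denied by default; network origin is appended to the
    reasons for the audit trail but never changes the outcome.
    """
    policy = ASSET_POLICY.get(req.asset)
    if policy is None:
        return Decision(False, ["unknown asset: default deny"])
    reasons = []
    if not req.roles & policy["allowed_roles"]:
        reasons.append("role not permitted for this asset")
    if policy["require_mfa"] and not req.mfa_verified:
        reasons.append("MFA required")
    if policy["require_managed_device"] and not req.device_managed:
        reasons.append("managed device required")
    if policy["require_disk_encryption"] and not req.disk_encrypted:
        reasons.append("disk encryption required")
    on_corp_net = ip_address(req.source_ip) in CORPORATE_NETWORK
    reasons.append(f"source on corporate network: {on_corp_net} (informational only)")
    return Decision(allow=len(reasons) == 1, reasons=reasons)


def sample_requests() -> dict:
    """Constructed sample requests covering the cases the text describes."""
    return {
        # Insider on the corporate LAN but without MFA or a managed device.
        "insider_no_mfa": Request("alice", frozenset({"support-agent"}),
                                  False, False, False, "10.1.2.3", "customer-pii-db"),
        # Remote user on a public address, fully attested.
        "remote_attested": Request("bob", frozenset({"support-agent"}),
                                   True, True, True, "203.0.113.7", "customer-pii-db"),
        # Well-attested device, but a role the asset's rule does not permit.
        "wrong_role": Request("carol", frozenset({"marketing"}),
                              True, True, True, "10.5.5.5", "customer-pii-db"),
        # Low-sensitivity asset: its rule does not demand MFA or posture.
        "low_sensitivity": Request("carol", frozenset({"marketing"}),
                                   False, False, False, "198.51.100.9", "marketing-assets"),
    }


def run_samples() -> dict:
    """Evaluate every sample request and return name -> Decision."""
    return {name: evaluate(req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name}: {'ALLOW' if decision.allow else 'DENY'} - {'; '.join(decision.reasons)}")
```

The point of the example is the pair `insider_no_mfa` and `remote_attested`: the request from inside the assumed corporate range is denied and the one from a public address is allowed, because the rule sits around the asset and is evaluated on attributes of the subject and device, not on the network the request arrived from.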
The second pillar of a new digital security strategy is to fundamentally rearchitect and upgrade IT security as part of the general business development and reorganization that digital is forcing on businesses.
For IT leaders this is particularly important because it moves security spending from being a cost on the business to being an investment in growth. Shifting the cost centre of a security overhaul has the added benefit of making it easier to drive new behaviour across the whole organization, making digital security the job of everyone, not just the IT department or the dedicated security team.
This approach is essential to the third pillar of digital security: an innovative approach to data capture and governance. This should start with a major data audit and data-cleansing operation. Too many firms do not know what data they hold or why they hold it. They do not consider the risk of capturing inappropriate or excessive data, and they fail to revalidate the data they already have.
Addressing these issues requires a thorough overhaul of data governance policies and practice, so that customers have transparency about why their data is being collected and how it is being used. At the same time employees have to be made aware of the importance of only collecting or aggregating appropriate data.
This may require a fundamental change in mindset from the days when collecting all possible data about a client or a process was the norm. It means asking whether collecting this data is necessary and what risks it could pose, both in isolation and when aggregated with other data, and what the customer gets in return.
Doing this can turn the data security challenge posed by digital into genuine business advantage. Enterprises that set and maintain high digital security standards will become preferred partners in the digital ecosystem, rather than risking exclusion from potentially lucrative new markets.
Those that periodically revalidate their customer data, for example, will have up-to-date, valid data. They will have the opportunity to explain their data governance and security strategies to their clients and to offer them new products and services, possibly in return for additional data. In short, they are building trust that the business takes data and data security seriously.
Organizations that fail to adopt this approach leave themselves vulnerable to security breaches, compliance headaches and reputational damage from the misuse of data, particularly by marketing teams.
Hulme argues that businesses adopting this model of digital security should also consider new approaches to their procurement of security products and services. “Organizational boundaries are crumbling in the digital world as new partnerships and alliances form. This means executives need a security strategy that encompasses the complete business, from head office to the full supply chain and the wider ecosystem of partners and alliances.”
Delivering on that strategy could include cloud and managed security services. “Whether it is delivering security around new digital offerings or managing threat detection and response, or simply carrying out a strategic security audit, few organizations are big enough to go it alone,” adds Hulme. Managed security services, such as those provided by Dimension Data, offer a way to keep pace with escalating threats and the latest security innovations, and to address the ever-growing shortage of key skills.
This article was brought to you by Dimension Data.