Meeting the challenge of protecting data in a changing world [Q&A]

As a report last year showed, the change to working habits over the last few years has gone hand-in-hand with a rise in the theft of data.

We spoke to Cyberhaven CSO, Chris Hodson, to find out how enterprise CISOs can meet this challenge and keep their data safe.

BN: Balancing security has always been an issue, especially with SaaS applications. What are your thoughts on striking the right balance between protecting data and harming productivity?

CH: It's a precarious balance, and it changes all the time. The answer to 'how much security' a company needs should align with its risk tolerance. The problem is companies struggle to gauge how much risk to accept. This should result in security that applies a consistent level of control to all environments, users and data.

If a security control imposes friction, it won't be well-received by staff members who are always busy and looking for the fastest path to get the job done. Security controls need to be applied in a fashion tailored to the importance of an asset. Invariably, this boils down to the sensitivity of the data being stored or processed.

BN: What is the main reason you think data has become so difficult to track and monitor?

CH: Data is harder to track and monitor because it is increasingly difficult to quickly and reliably identify its source, destination and content. If we cannot identify content effectively, we need to consider context. I believe many are failing to apply appropriate levels of security because they don't have the necessary data about data -- metadata, if you will -- to make informed risk decisions.

Until recently, companies have relied on data loss prevention (DLP) solutions to track and monitor information but these tools were not built to map data as it traverses your local networks and cloud ecosystems. DLP was built to prevent confidential files and data from leaving the company perimeter. The overhead and relatively low efficacy of this approach left security leaders feeling exposed.

BN: It seems there's an acronym for virtually every security gap out there. Shouldn't we have solved this problem already?

CH: Unqualified acronyms are hindering the CISO's ability to get buy-in and budget for security programs. Acronyms and arcane terms leave our stakeholders confused and feeling like they cannot ask foundational or clarifying questions about data security. We talk about APTs, nation-state actors, DDoS, polymorphic malware and process injection, as if our business colleagues understand -- but do any of these things matter if we don't know what the business cares about? I'd assert not.

The needs of CISOs evolve. Take anti-malware, for example. Endpoint protection evolved from signature-based prevention to layered prevention, detection and containment utilizing EDR and malware sandboxes. Tools evolved because the threat landscape changed, and legacy solutions eroded in terms of utility and customer satisfaction. I believe we have reached a similar inflection point with data protection, and CISOs will need a more effective approach.

BN: What can CISOs do to start addressing the challenges of data protection now?

CH: It starts with a thorough understanding of the data -- i.e., how important it is to the business, where it resides, who might need to access it or want to steal it, and what vulnerabilities it has.

CISOs need to operate cross-functionally and work from fundamental knowledge of how their business operates. To deliver the appropriate level of security, I think it's very helpful to take the approach of a four-phase decomposition. First, understand the business process, then evaluate the application stack. Next, get to know 'everything' about your infrastructure and, finally, safeguard your data. So what does that really entail?

CISOs have to build up a solid understanding of the key business processes that the company depends on every day. Sit down with the leaders in your company and become more familiar with how they work day to day. Designing security controls appropriate to the assets being protected does not start with a technical conversation. Rather, it's about the critical daily business activities of finance, HR, and manufacturing -- how they handle expenses, onboard employees and deliver products. Put aside issues of technical implementation at this stage.

Next, the CISO can evaluate the stack -- the applications and tech that support each critical business process, such as integrated development environments and open-source code as well as SaaS solutions for process management. Knowing the stack is a prerequisite to strengthening the supply chain and an organization's overall security posture.

The third step is to 'learn' your infrastructure as it is today, because you are using servers and networking equipment somewhere, and it's all a fertile attack surface. Misconfiguration of resources is the root cause of many vulnerabilities. CISOs should know how their applications are architected, how document data flows in and out of the enterprise and which infrastructure components store and process sensitive information.

Sometimes organizations safeguard everything except data -- ironically because that is the end goal here, but it may be the missing piece of the puzzle. You need confirmation that sensitive information is protected both at rest and in transit across the extended enterprise. Companies often have data-flow diagrams and BIAs for production services, but how do your users access sensitive content in corporate environments and cloud applications?

These steps add up to a data-driven approach to security architecture that makes it easier to build and measure security. It allows the CISO to apply security controls that are proportional to the value of the data being handled -- and to produce security metrics that show progress in helpful ways and align with overall business objectives. Then the CISO can be highly effective at assessing the business impact of data protection issues, and at taking the right steps to ensure business continuity.

© 1998-2024 BetaNews, Inc. All Rights Reserved.