Are You Protecting What Matters Most?

Jeremy Wittkop, CTO


This week has been special as InteliSecure launched our first-ever Critical Data Protection Benchmark Survey. As the organization that has been deploying and managing DLP technologies longer than anyone else in the world, we are uniquely positioned to share our insights in an effort to help guide organizations down the path of protecting the most critical information in their organizations. The survey is designed to address some key areas within people, process, and technology for data protection programs in order to help an organization assess its current posture and to offer ideas for solutions to identified gaps. It will also allow you to benchmark your organization against your peers. We’re very proud to release this survey and plan to do it annually in order to help advance the protection of critical data assets globally.

In the spirit of the Critical Data Protection Benchmark Survey, I wanted to write an article that addresses the key question: are you really protecting the information that matters most? In 2017, Gartner indicated that renewed interest in the EU General Data Protection Regulation (GDPR) will drive 65% of data loss prevention (DLP) buying decisions through 2018. While DLP is certainly not the only technology that makes up data protection strategies, it is an important one, and the one most specifically focused on data protection, so it acts as a good bellwether for the rest of the data protection marketplace.

GDPR and other global regulations related to the protection of personal information, of which there are many, are driving the adoption and utilization of data security technologies as intended. Unfortunately, security programs are still largely driven reactively by legislation. There are a few problems with that paradigm. First, the legislative process is rarely described as fast or agile. Generally, today’s legislation addresses yesterday’s problem. That does not mean the problems the legislation was intended to address do not still exist today, but it does mean that the situation has likely changed significantly.

Second, legislation is public. Therefore, anything prescriptive inside of a piece of legislation is well known to any moderately sophisticated adversary, and those adversaries will have countermeasures developed for any measure you are mandated to implement. That’s why I often tell people security begins where compliance ends. Compliance is necessary and generally not a bad thing, but true security is about making yourself a hard target, and it is graded on a curve. Attackers have finite resources just like defenders do, and they are generally trying to achieve maximum benefit for minimal cost. As I mentioned in my book about building comprehensive security programs, if you are camping with a friend and a bear attacks you, you don’t have to outrun the bear; you just need to outrun your friend. This concept doesn’t necessarily apply to organizations protecting critical infrastructure or secrets that affect the security of nations, but it certainly applies to those protecting financial instruments or Personally Identifiable Information.

Finally, regulations aren’t enacted by governments to protect companies; they are enacted to protect citizens and national security. Unless your competitive advantage is a significant contributor to your country’s Gross Domestic Product (GDP) and all of your competitors are overseas, the regulation isn’t designed to protect your business. The information that they mandate you protect probably isn’t the most important information to your business; it’s likely the most important information to your government and your customers. That doesn’t mean you shouldn’t comply. You should. You should do your absolute best to comply with the spirit and the letter of every regulation passed to protect information, but it isn’t enough.

Compliance generally has easily quantifiable penalties and risks, so achieving and maintaining compliance often gets funded as a cost of doing business. That doesn’t mean the security program cannot be expanded to include information that is not part of a regulation, though. If you were to use compliance for initial funding and budget but then build a governance group or business leadership that could identify the information that is most important to the business, wouldn’t you be making better use of the funds you had allocated to your security program?

Allow me to share an example with you. If you are an insurance company, you likely have Personally Identifiable Information (PII) and Protected Health Information (PHI) that you are required to protect. Most insurance companies may never go beyond that initial scope. However, there is very sensitive information that deals with how the business operates that is not regulated. What about the actuarial models that allow the insurer to calculate their risk pool and the impact of adding an individual to that pool in order to ensure they can cover that individual while maintaining a healthy profit margin? What if a competitor had access to those models? Could they not price out services in markets and consciously decide to either undercut your pricing at a lower margin or pull out of markets they don’t want to compete in?

What about a health insurance company? Beyond compliance with the Health Insurance Portability and Accountability Act (HIPAA), what else could be important? What about rates they have negotiated with their networks of doctors? What about pricing and discounting structures they use to sell their plans through employers? What about plans for future products, and the plans and rates they intend to offer? The possibilities are endless, but the true tragedy in much of it is that organizations often own the tools they need to protect themselves at a much higher level than they do.

I encourage you to take the benchmark and I hope you find it valuable and insightful. Regardless, please ask yourself this question when you reflect on your organization: are you really protecting what matters most to your organization? Is your security program built to defend your business or simply to pass an audit? As the world becomes more connected and grows ever smaller, the answer to that question may have a significant impact on your enterprise value.