This is the third and last in a blog series on defensible security. The first two posts dealt with the details of the Equifax hack, and technology best practices to start building the right program. The third in this series elaborates more on business best practices.
As we covered earlier, defensible security is a security program that can answer the question from stakeholders, “Is the organization doing enough to protect its data and information resources and can we defend our choices in the event of an incident?” And often, what we’ve observed in the industry is that it always comes down to one thing — the systemic and cultural issues that can often stand between IT and non-IT employees, trying to create the right level of security that allows for strong protection and the need to stay productive to achieve business outcomes.
In addition, it’s not necessarily a problem with the chosen security stack, but the lack of defensibility of the program that was put into place. To clarify, we don’t mean defense against “hackers”, but the ability or inability to defend the security investments with customers, board members, and shareholders. This is exactly why more non-IT executives are being held accountable in the event of a data breach.
What are some business best practices to keep in mind for your organization?
Expand Beyond Security Teams
One of the biggest lessons the industry has learned is that decisions about security investments can’t be made in isolation by the security team. We all understand that security is a business issue, so why do many organizations still hold security departments as the only one responsible and accountable for security programs? Companies would benefit from expanding decision-making to include other departments such as legal, human resources, and privacy officers to make sure leaders in all areas of the business are aware of the risks to their department as well as the entire company.
Alignment with Proven Practices and Standards
Another aspect of defensible security is the ability to prove that the organization is in alignment with industry practices and standards. This means using reference models such as NIST cybersecurity framework, ISO/IEC 27001/2 or CIS Critical Security Controls, to guide decisions. It’s also recommended that organizations create an Information Security Charter. This is usually a short document that establishes accountability for protecting all sensitive information and provides directives for executives, namely the CISO, to build and manage the program.
Privacy by Design and Security by Design
With the stakes raised, the pressure is on Privacy leaders and Data Protection Officers to ensure their organizations are correctly managing sensitive data. Yet they are generally expected to do it on shoestring budgets and limited resources. Recent research from CPO Magazine reveals that 46% of their 250+ survey respondents allocate less than 5% of their annual governance, risk and compliance budget to data protection and privacy; another 20% allocate between just 5 to 10%. With security budgets continually increasing, privacy efforts are usually left with very little funding. In that constrained environment, what should privacy officers focus on?
Privacy and Defensible Security
Controlling access to sensitive data goes a long way in protecting it. Privacy and Security teams need to partner to drive a governance framework that accounts for the access, tools, skills and change management needed to make privacy work in their organization. That framework must account for proper data stewardship, including managing permissions, appropriate use, and data quality. The fewer hands touching any given data set, the lower the risk.
Driving execution of data mapping and clean-up. Governing data requires that you know what you have and where it is. With cloud-centric environments and extensive 3rd party data exchanges, this is especially challenging. Privacy teams own the very heavy lift of directing every organizational department that uses sensitive customer and employee data to map what they have and where it goes, to the best of their knowledge; if a data audit reveals problems, a clean-up effort is required. You can imagine the significant resistance to such an involved exercise! Senior executive support is crucial to driving this step.
To learn more about how to build a defensible security program, and how VERA can help, download our free whitepaper, “Building a Defensible Security Program: Align Teams, Address Systemic Risk and Maintain Stakeholder Trust”.