Industry View

Data Security: Whose Job Is It Really?

Forrester believes CISOs must revisit the need to centrally control data security

By Andrew Jaquith, Forrester Research

Page 2

-- Too many vendor point products. In considering solutions for securing data, enterprise CISOs are confronted with the tyranny of choice. Lost a laptop lately? Full-disk encryption will fix that. Employees promiscuously passing around payment card records? A dab of data loss prevention (DLP) will surely do the trick. The surfeit of solutions to narrowly defined technical problems ensures that the wish list only gets longer.

Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption-everywhere, enterprise key management, network access control (NAC), and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move; information classification isn't ingrained into work processes; technical solutions aren't standardized; and accountable parties are too far from the controls.

Succeeding at data security means CISOs must define data security down: reset the commonly accepted definitions of what the problem is, who owns it, and what the solutions should be. That means:

  1. Name the exact business content that requires tough security measures. Enterprises don't have "data security" problems or "intellectual property" problems, but they do have legitimate, spontaneous, sweat-inducing worries about the circulation of specific, named data assets such as earnings forecasts, product road maps, system passwords, financial models, and personally identifiable information about customers. Asking each part of the enterprise to name its most important digital assets is the first step. CISOs must push for business unit ownership, rather than taking the easy way out and making decisions on their behalf.
  2. Put accountability where it belongs—with functional areas and business units. Responsibility for classifying information and restricting its flow is ultimately a business challenge, not a technical challenge. How documents, spreadsheets, and emails are used depends on workgroup and business unit preferences. So it is with data security.

    That means that inside counsel owns email eDiscovery and retention, product engineering owns CAD drawings, and finance owns accounts and earnings projections. These groups know who should and should not have access and what should happen if their assets are misused. IT security's primary role should be to help source, design, and put in place the technical controls that will enable them to express and enforce their compartmentalization needs—not to be the gatekeeper.

  3. Re-engineer the workplace so thinking isn't required. The most obvious and visible data threats to enterprises are employee-related: the loss of a laptop, disgruntled workers, theft of documents by thumb drive, or abuse of email. IT security's natural instinct is to be the wet blanket; instead, IT should seek to engineer environments that foster efficiency, impose no productivity burdens, and offer security as a side effect. Not all approaches will work everywhere, but honest discussions about the realities of how information is created and consumed will unearth solutions that centralized, tools-reliant approaches won't.
