Industry View
Data Security: Whose Job Is It Really?
Forrester believes CISOs must revisit the need to centrally control data security
By Andrew Jaquith, Forrester Research
The net effect of these three priorities is to reshape the CISO's data security priorities. Instead of trying fruitlessly to be the enterprise's all-knowing content guardian, censorship authority, and compliance guru, the CISO devolves responsibility for these activities to the business. IT security becomes a clearinghouse for data security tools that business groups can use as they see fit.
Data-Centric Security Means Devolution
Devolution means avoiding the trap of shelfware and stalled pilots and putting accountability where it belongs—with the business units. Forrester recommends three key steps CISOs should take to succeed:
Step one: Take ownership for basic data security tools. IT security should take the lead with tools that require no customization, such as laptop whole-disk encryption and terminal services. Both are relatively simple to implement and offer effective protection while not impeding productivity. In addition, IT security should offer data flow monitoring services to all business units.
Step two: Allow business units, not IT security, to drive business data protection initiatives. For tools like database encryption, port/URL blocking, and data loss prevention, IT security's role should be limited to providing expert advice, ensuring consistency by setting standards, and consulting with business units as they deploy solutions.
Step three: Rethink how users work. Accepted best practices for security programs rely heavily on end user education—perhaps too much. IT security should treat gaps in information handling practices as opportunities to re-engineer the workplace. Rather than placing inordinate stress on the need to "educate" employees to think about security, IT security should focus on making controls no-load/no-think and inescapable. In particular, the enterprise should promote strategies that reduce the need for sensitive data on endpoint devices.
Succeeding at data security requires CISOs to abandon plans to control data access in a centralized manner. Devolution of data security responsibilities to business units is the key.
Andrew Jaquith is a senior analyst at Forrester Research, where he serves Security & Risk professionals. Andrew will be speaking at Forrester's IT Forum, May 19-22, 2009 in Las Vegas.