Data Security: Whose Job Is It Really?

Forrester has a recommendation for CISOs struggling with how to secure corporate data:

Stop trying so hard.

Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.

Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.

Data-Centric Security Is More Important Than Ever—But Harder To Achieve

Today’s regulatory climate forces IT security to comply with statutes such as Sarbanes-Oxley and HIPAA, industry-imposed security standards such as the PCI Data Security Standard (DSS), and an unending barrage of audit requests from key customers, banks, and auditors. From Boeing to Petrobras to The TJX Companies, daily newspaper headlines grimly announce the latest toxic data spills, causing increased customer scrutiny.

The pressure on IT security to secure enterprise data in all its forms has reached its breaking point. According to Forrester’s Enterprise And SMB Security Survey, North America And Europe, Q3 2008, a huge majority of IT professionals—85 percent—worry about the loss of intellectual property. But IT security staffs are stretched thin and are increasingly challenged to solve an essentially unbounded problem. Organizations today face:

— Massively increased conduits for information flow. Fifteen years ago, the most common Internet connection was the T1. Today, it is the OC-12—two orders of magnitude more bandwidth. Increasingly, mainstream technologies like virtualization are redrawing the lines between operating systems and the hardware they run on. And the adoption of non-owned IT assets continues apace. The confluence of outsourcing, SaaS, and unmanaged consumer gadgets ensures that IT security’s grip on information has never been more tenuous.

— Consumerization of IT moves data beyond the reach of the CISO. The increased use of Web 2.0 technologies such as blogs, social networking, and consumer-grade instant messaging increases the speed with which information moves outside of the enterprise. [Editor’s note: See also Facebook, Twitter, LinkedIn: Security Pros Warm to Web 2.0.] Worse, the pace of change of consumer gear tempts employees to ditch stodgy corporate hardware and bring their own gear to work—creating even more data worries.

— Too many vendor point products. In considering solutions for securing data, enterprise CISOs are confronted with the tyranny of choice. Lost a laptop lately? Full-disk encryption will fix that. Employees promiscuously passing around payment card records? A dab of data loss prevention (DLP) will surely do the trick. The surfeit of solutions to narrowly defined technical problems ensures that the wish list only gets longer.

Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption-everywhere, enterprise key management, network access control (NAC), and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move; information classification isn’t ingrained into work processes; technical solutions aren’t standardized; and accountable parties are too far from the controls.

Succeeding at data security means CISOs must define data security down: reset the commonly accepted definitions of what the problem is, who owns it, and what the solutions should be. That means:

1. Name the exact business content that requires tough security measures. Enterprises don’t have “data security” problems or “intellectual property” problems, but they do have legitimate, spontaneous, sweat-inducing worries about the circulation of specific, named data assets such as earnings forecasts, product road maps, system passwords, financial models, and personally identifiable information about customers. Asking each part of the enterprise to name its most important digital assets is the first step. CISOs must push for business unit ownership, rather than taking the easy way out and making decisions on their behalf.
2. Put accountability where it belongs—with functional areas and business units. Responsibility for classifying information and restricting its flow is ultimately a business challenge, not a technical challenge. How documents, spreadsheets, and emails are used depends on workgroup and business unit preferences. So it is with data security.

   That means that inside counsel owns email eDiscovery and retention, product engineering owns CAD drawings, and finance owns accounts and earnings projections. These groups know who should and should not have access and what should happen if their assets are misused. IT security’s primary role should be to help source, design, and install the technical controls in place that will enable them to express and enforce their compartmentalization needs—not to be the gatekeeper.

3. Re-engineer the workplace so thinking isn’t required. The most obvious and visible data threats to enterprises are employee-related: the loss of a laptop, disgruntled workers, theft of documents by thumb drive, or abuse of email. IT security’s natural instinct is to be the wet blanket; instead, IT should seek to engineer environments that foster efficiency, impose no productivity burdens, and offer security as a side effect. Not all approaches will work everywhere, but honest discussions about the realities of how information is created and consumed will unearth solutions that centralized, tools-reliant approaches won’t.

The net effect of these three priorities is to reshape the CISO’s data security priorities. Instead of trying fruitlessly to be the enterprise’s all-knowing content guardian, censor authority, and compliance guru, the CISO devolves responsibility of these activities to the business. IT security becomes a clearinghouse for data security tools that business groups can use as they see fit.

Data-Centric Security Means Devolution

Devolution means avoiding the trap of shelfware and stalled pilots and putting accountability where it belongs—with the business units. Forrester recommends three key steps CISOs should take to succeed:

Step one: Take ownership for basic data security tools. IT security should take the lead with tools that require no customization, such as laptop whole-disk encryption and terminal services. Both are relatively simple to implement and offer effective protection while not impeding productivity. In addition, IT security should offer data flow monitoring services to all business units.

Step two: Allow business units, not IT security, to drive business data protection initiatives. For tools like database encryption, port/URL blocking, and data loss prevention, IT security’s role should be limited to providing expert advice, ensuring consistency by setting standards, and consulting with business units as they deploy solutions.

Step three: Rethink how users work. Accepted best practices for security programs rely heavily on end user education—perhaps too much. IT security should perceive gaps in information handling practices as opportunities to re-engineer the workplace. Rather than stress inordinately the necessity to “educate” employees on the need to think about security, IT security should focus on making controls no-load/no-think and inescapable. In particular, the enterprise should promote strategies that reduce the need for sensitive data on endpoint devices.

Succeeding at data security requires CISOs to abandon plans to control data access in a centralized manner. Devolution of data security responsibilities to business units is the key. ##

Andrew Jaquith is a senior analyst at Forrester Research, where he serves Security & Risk professionals. Andrew will be speaking at Forresters IT Forum, May 19-22, 2009 in Las Vegas.