Aligning security, compliance and privacy teams is a positive step towards enterprise data security and compliance
The explosion of digital data and rapid rise in connected devices today is generating huge amounts of information. Simultaneously, organisations are facing unprecedented levels of cyberattack, both in terms of volume and sophistication. Modern digital adversaries have more access than ever to advanced tools and tactics, increasing their effectiveness at compromising enterprise networks and accessing sensitive business data.
A significant challenge
This combination of data explosion, a rapidly evolving cyberthreat landscape and increasingly strict data regulation has made managing the digital landscape a challenge for organisations. Almost every corner of a business stores and uses data that requires governance, oversight and security.
Managing this information can feel like exploring uncharted territory as it is made more difficult by the complexity of adhering to regulation mandates such as the EU General Data Protection Regulation (GDPR), while also maintaining customer confidence and delivering uncompromising security.
As enterprise security, privacy and compliance expand due to market forces and digitisation, they are increasingly interconnecting. This convergence of security, risk and privacy teams as well as technology can become a force-multiplier for success as organisations navigate the complexities of information governance today.
Cyber defence – a group effort
Given today’s rapidly expanding cyber threat landscape, the odds are increasingly stacked against the enterprise – particularly since only one cyberattack needs to be successful to wreak havoc. To be prepared in advance for any possibility, key members of the security, privacy and compliance teams must join forces – with additional support from the C-suite – to plan, manage and monitor protection efforts.
This collaboration greatly reduces the likelihood of a damaging breach. These groups can work together to set the organisation’s governance plan in place and then ensure that both security and privacy policies are in line with the regulatory requirements for their industry.
Security, risk, privacy, compliance, legal and law enforcement groups increasingly care about and track the same KPIs anyway. By working together instead of in silos to share more information and foster a more interconnected way of working, the sum of the whole becomes more valuable than its individual parts.
The value of early assessment
Assessing which obligations apply to your organisation can be arduous but it’s a vital process when considering the consequences of non-compliance. On balance, the costs incurred to establish the necessary policies, acquire the relevant applications, and hire the right staff are far outweighed by the huge costs which come from failing to comply.
The value of adequate preparation is even higher for those industries held accountable to the most stringent regulation. In particular, financial services, healthcare and public sector organisations are key targets for cybercriminals due to the ‘sensitive’ data they handle. Companies operating in these sectors must be even more focused on boosting collaboration between security, privacy and compliance teams to ensure the appropriate privacy and security policy-setting and monitoring has taken place.
Organisations can avoid major fines and hits to their bottom line caused by reputation damage and lack of customer trust if they adhere to the data privacy and security regulations that apply to their data. The costs of proactively protecting an organisation against bad actors will very likely save a lot of money in the long run.
Considerations for success
Addressing compliance to regulation frameworks – from the EU GDPR to the Payment Card Industry Data Security Standard (PCI DSS) – is a key first step to shed light on areas of importance that should be highly visible and regulated by internal teams. However, adhering to regulation frameworks does not guarantee complete security.
The fact is that managing and securing digital information across a business today takes a village. No one-size-fits-all technological solution is available to guarantee digital safety and regulatory compliance. Instead, organisations are using and managing a combination of vendor solutions, internally developed or open-sourced tools and third-party security services to keep data from the reach of cybercriminals and achieve compliance.
So what key steps can a joint task force across security, risk and privacy teams take to see success?
1) Know your data
The biggest advantage an organisation can give itself when trying to defend sensitive data is to understand its sensitive data. What types of data are sensitive for this particular organisation? Where is it located? Is the security team alerted when sensitive data changes location? Are systems in place to know if unauthorised users are accessing or storing sensitive data?
By having detailed answers to these types of questions, organisations can reap the rewards of information advantage. If cybersecurity teams can remove silos and work more closely with their counterparts on the data privacy side, a better understanding of data locations and access can be shared across these teams – creating a trusted baseline to operate from when managing both security and risk.
2) Control and continuously monitor your data
With a solid understanding of sensitive business data, security and privacy teams can then purposefully and aggressively control this data. Most organisations have adopted a ‘defence-in-depth’ strategy that incorporates layers of defence analysing the perimeter and network streams and, most importantly, taking endpoints and devices into account.
Sadly, the endpoint tends to be involved in nearly every data breach or serious security event. Given the recent ineffectiveness of perimeter defence technologies against targeted attacks, endpoint visibility and control is a crucial final layer to prevent data from leaving the environment.
Whilst perimeter prevention technologies have proven less and less successful in recent years, endpoint detection and response is proving to be the primary successful method to discover and hold off active and ongoing breaches. Endpoint detection and response solutions are defined by Gartner as ‘…solutions that record and store endpoint-system-level behaviours, use various data analytics techniques to detect suspicious system behaviour, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.’
These capabilities are vital if a business is to meet the breach discovery and investigation mandates common in most regulation frameworks, with the capability to continuously collect and analyse endpoint data for threats to spot incidents as they occur and before damage can be done.
3) Bring security, privacy and compliance into the boardroom
While boardroom roles historically tended to be more financial in nature, security, privacy and compliance have become just as important from a risk perspective and this should be recognised in boardroom profiles.
The role of championing this effort to the board should be owned internally by as small a group as possible – ideally just one individual. Speak in terms they will understand, as the C-suite is not made up of security experts. Speak in terms of risk rather than technology.
Where possible, quantify risk – especially when pitching for additional resources like budget and headcount. In general, the average IT budget is 5 per cent of the overall organisational budget and, in turn, around 5 per cent of this is assigned to the information security team. As a result, many IT security teams are underfunded, but demonstrable ROI and risk quantification can be a great first step towards securing additional resources.
Getting back on top
Against a backdrop where attackers are increasingly skilled at compromising endpoints, stringent regulatory frameworks are in play and businesses are collecting more data than ever before, organisations can begin to tip the scales back towards balance in the fight against modern adversaries.
By removing silos and encouraging increased collaboration between security, risk and privacy teams, businesses can access their information advantage and more easily navigate the complexities of information governance and data security today.