BreachExchange mailing list archives

The decade of the data breach – how to cope


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Mar 2015 12:38:11 -0600

http://www.information-age.com/technology/security/123459205/decade-data-breach-how-cope

Virtually every Fortune 5000 company, government entity and NGO has had at
least one major data breach during this decade, with many having multiple
‘badges of shame’ to their credit.

Each breach, whether malicious or accidental, brings all sorts of
recriminations and bad press to the organisation and its leadership. Mea
culpas and low-level IT managers falling on their swords have become
commonplace and are now largely meaningless, because the root cause of
the issue continues to go unaddressed: the lack of executive data
leadership.

Data, especially those classes that contain personally identifiable
information (PII), is one of the most valuable assets that every
organisation collects, stewards, exploits and protects.

Without it, there would be no organisation in virtually all cases – and yet
treating data as an asset is typically entirely off the radar of the chief
executive, the board and the senior executive team.

Their only concern seems to be mitigating the risk associated with this
asset class in respect to compliance with applicable laws, statutes and
regulations. The protection of data is always left to the CIO or CISO, who
reside multiple levels down in the organisational hierarchy. This must end
now or consumer trust will be lost forever in fairly short order.

Data leadership must come from the top (CEO and board) and cascade down to
the entire organisation in order to be pervasive and effective. It defines
the strategy for managing and exploiting data over its entire lifecycle
(creation, harvesting and retirement).

A critical component of this management lifecycle is protecting data from
unauthorised access or inadvertent disclosure. If executives could envision
data being just as tangible as cash, bonds or even trade secrets, then
perhaps they would be more imaginative in its protection.

Every organisation, in spite of its best efforts, has a very porous network
of interconnections spanning its entire enterprise. Each of these
connection points is potentially a source for a breach, especially now with
the influence of the BYOD movement. Once breached, these networks typically
cannot detect nefarious or negligent activity, much less PII and other
critical data flowing outwards.

It is a perfect storm of risk factors and yet, if top down data leadership
were in place, appropriate resources, sensitivities, monitoring, rewards
and punishments would be in place to detect, mitigate and ultimately
prevent these data breach risks altogether as everyone would know that it
is the number-one priority for the entire organisation.

It would be baked into the culture of the organisation and into the
behavioural ethos within it. This use of leadership and an engaged
culture to steward and protect critical data is much more practical than
any type of ring fence that many are currently advocating.

Awareness and vigilance become the mission for everyone to embrace and
embark on each day across the entire organisation. In most cases today,
data breaches go undetected for up to a year before being discovered. By
then the damage has been done. This would not be the case in any
organisation that is committed to the core in respect of its data.

Coping with the threat and aftermath of data breaches requires top-down
executive leadership and an engaged culture focused on nurturing and
protecting data as an asset.

Investing in more security tools, cyber insurance and endless consulting
engagements will not surmount the challenge of the data breach. Embracing
all of the tenets of data leadership is the only solution to this
long-term challenge.

Remember, 2015 is the year of data leadership – and thwarting data breaches
is a good place to start your journey.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/