When you look at data security from a high level, so many things stand out as critically important that it’s difficult to determine which are the MOST important. Senior leadership buy-in, governance, risk management, asset management and so on must all be in place for a program to work, and the entire program fails if any one of them is missing.
As an analogy: what’s the most important piece of a vehicle? Steering wheel? Engine? Tires? The answer, just as in security, is that ALL of them are necessary, and the only way you can possibly prioritise one over another is by putting the desired results of your program into the perspective of specific business goals. For most organisations, the question is what the business needs to achieve in the next 6, 12 or 60 months, and how IT and IT security can enable those achievements. If IT security is seen as anything more than an enabler, or worse, not even seen as an enabler, the business goals are that much more difficult to achieve.
However, it is fairly easy to pinpoint 2 aspects of a security program that, if done well, provide a solid platform on which to build the rest of the program at an operational level:
1. Asset Management – Unless you know what you have, there is nothing you can do to protect it. You can’t risk-assess it, you can’t manage its vulnerabilities, you can’t monitor it, and you can’t respond to the bad things that today are nothing short of inevitable.
2. Data Classification – Unless security controls are ‘appropriate’, they are likely too much or too little. Either one of these can be career-limiting for the person responsible. Security controls must be scaled from high to low in direct relation to the importance of the data they protect.
Ideally, the overlap between these two aspects is significant; after all, what is data if not the most important asset you have? Everything used to gather data, store data and make data available is secondary to the confidentiality, integrity and availability of that data. IT infrastructure is, again, only an enabler, and as such must be built appropriately to its function and importance. Technology is rarely the answer; process is.
If you agree that data in context is information, information in context is knowledge, and knowledge in context is wisdom, then nothing is as important as the data itself. In business terms, ‘wisdom’ is represented by the ever-elusive competitive advantage, and data classification – along with its associated handling – is the means by which advantages become possible.
Too often data classification is seen as something as basic as HIGH, MEDIUM and LOW, or PUBLIC, RESTRICTED and SECRET, but it’s so much more than that. Just because something is SECRET does not necessarily mean it’s more important, or even more valuable. While it is possible to assign levels of things like storage, access control, destruction etc. based on these basic classifications, they can rarely cover all requirements of the business. Data classification must therefore include another metric: its importance to the business. For example, the loss of one secret financial record could have far less impact than the loss of several restricted R&D plans.
Luckily there’s a fairly simple way of tracking all of this: asset management! Data is an asset, and all security processes use the asset database as their primary input, so it stands to reason that asset management and data classification done well can be the difference between a business on the cutting edge and an also-ran. Ignore them at your peril.