In 2019 we witnessed an increase in data security breaches at some of the world’s largest companies. When we look just under the surface of these ‘very public’ announcements, we soon learn that the CSO job is now competing with Bering Sea crab fishermen as the world’s most dangerous!
This reality has left us shaking our heads. I have met over 100 CSOs in my career and I have to admit that an overwhelming percentage have been leading-edge thinkers and masterful operational leaders. So why the consistent news of major corporation breaches?
1. Is it the people? The world’s top companies recruit the best: men and women who have operational experience in the trenches, have multiple technology degrees and are strong, pragmatic doers.
2. Is it the products that are currently available? One does not have to look long and hard to calculate the amount of R&D capital being invested in security technology. Whether within Wall Street behemoths or VC-backed start-ups, security technology investments have yielded a cacophony of new tools and platforms to deliver the protection our businesses and governments require.
3. Is it a lack of executive support? As an aging data storage guy, I witnessed many CIOs, CFOs and CEOs turn a blind eye to their inability to recover from a data loss event or data center disaster. Could it be the same in security? Is the CSO just not getting the resources and support to do his or her job? Nope. I can say that every CXO discussion that I have had this year started or ended with ‘how can we improve our security position?’
This past week, I had the opportunity to spend time with journalists from all over NA and EMEA. We chatted about security, IoT and 2020 IT budgets. Towards the end of our session, we started to drill into how the security and compliance/data governance teams were not looking at the risk correctly. In particular, a brilliant and outspoken technology critic argued that past approaches to security and compliance have been analogous to attempting to solve cancer, all variants, with one silver bullet. The conversation continued to percolate as more joined in with thoughts and observations.
In the end, we reached a very simple and actionable conclusion. Security, compliance and governance teams will continue to experience catastrophic failures because the data they are attempting to protect has been delivered to them as a ‘vanilla’ container. With a vanilla container, security, compliance and governance teams are asked to protect everything, from PII data and medical records to personal home finance records and the local pizza restaurant’s take-away menu!
Why can’t the data storage team provide their brethren with a complete analytics-driven report identifying all unstructured data by owner, location, encryption, application creator and content risk (PII data: credit cards, SS#s, email addresses, etc.)? As a group, we all agreed that security, compliance and governance teams would improve their outcomes by a factor of 100X+ if the data storage teams provided them the insights needed to correctly quarantine the highest-risk data.
I know we are inundated with the problems within our healthcare system, but thank god they don’t treat cancer like business treats data. When my best friend was diagnosed with throat cancer, the GP immediately referred him to a specialist, who immediately and aggressively attacked the cancer type and its location and administered a program proven over 7+ years of clinical experience. I am happy to report my buddy is doing GREAT!
I challenge business to embrace this PROVEN approach and methodology before spending another dollar on security, compliance and data governance. Demand to know what data you have, where it resides, who owns it and what data contains content risky to your business!