We live in an information age, where the answer to almost anything we think of (or can think of) is instantly available to us wherever we are. I am an information security officer and as such my goal is to ensure as best as I can that data that is important to my users is available when required, has integrity, and is only made available to people with a need to know, in line with laws and regulations and the assurances that my company has made to our customers and employees.
Most organizations these days have very complex technology “plumbing” that connects applications and systems and enables business processes. This plumbing consists of many “pipes,” “connections,” and “faucets” (i.e., technology components), and “water” passing through this plumbing (i.e., data).
Although ensuring that the pipes are in good order is important, these days every organization’s plumbing is very complex and relies on pipes owned by third parties, some of which are located in places that we do not control, and that complexity offers many opportunities for leaks.
My job as an information security professional means that I need to care not only about the infrastructure but also about where the water is and who has access to it. For me, the location of where the water is building up behind a dam and who is drinking it are just as important as the pipes that it passed through to get into the reservoir.
In practical terms, this means that an information security professional needs to know not only where all of the “pipes” (networks), “reservoirs” (data stores) and “faucets” (access points) are and how they are protected and maintained, but also about the type and quality of water in each place. Just focusing on the technology often misses the context of what the organization has collected the information for in the first place.
In this context, personal information would be water that is not immediately drinkable but could be either cleaned (sanitized / scrubbed) or only used for certain purposes. Grey water can be used to water your garden, but you wouldn’t want to drink it, or have others drink it by mistake!
IT security is just a part of the overall information security picture. It is a very important one, particularly for IT departments, but information security (and to an even greater extent, information privacy) focuses on business processes and how data flows through them, whether in electronic or paper form. This helps information security professionals to understand where to spend their limited IT security budgets: on the systems and types of devices where the most sensitive data resides or is processed.
Why should information be protected by a million-dollar access system when it is on a server, when a dump of that same information into a spreadsheet can be downloaded onto a mobile device which is not owned by the organization and which may have very basic, or no, security controls at all?
I see it as absolutely vital that someone within the organizations I work with has IT security as their primary focus (or that there is ready access to good consultants or outsourced services with those skills).
But having a great suite of well configured tools and technical controls is not enough to manage the risks to organizations that are caused by their capture, processing, and usage of sensitive data.
Getting the whole organization to understand what data is collected and why, how it can be used, and that it should be disposed of as soon as the costs of storing and protecting it exceed the business value of retaining it is vital to reducing the damage that could be done in the event of a data breach.
There have been many recent examples of organizations that retained sensitive data long past the point at which it had ceased to be of much value. That same data represented a significant (and avoidable) liability when a breach occurred. IT may be able to control access to a database, but by and large it is not able to impose tighter retention periods, or force tokenization, hashing or other controls on the business, without either a regulatory or legal mandate or a clear explanation of why the additional cost and effort is worthwhile.
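To make the controls named above concrete, here is an added example (it is not code from the original post) of what a retention sweep with tokenization looks like in practice: records older than the retention period agreed for their stated purpose are purged, and the direct identifier on the remaining records is replaced by a keyed token so the data can still be used without holding the raw value. The retention policy, the key, and the sample records are all constructed for the illustration.

```python
"""Retention sweep with keyed tokenization (added illustration).

Policy, key and records below are constructed for the example; none of
them come from the original post or from any real system.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Assumed retention policy: purpose -> maximum number of days a record
# collected for that purpose may be kept.
RETENTION_DAYS = {"billing": 2555, "marketing": 365, "support": 730}

# Constructed sample records; these are not real people or real data.
# Record 4 has a purpose nobody ever documented, a common find in practice.
SAMPLE_RECORDS = [
    {"id": 1, "email": "alice@example.com", "purpose": "marketing", "collected_at": "2020-01-15"},
    {"id": 2, "email": "bob@example.com", "purpose": "billing", "collected_at": "2023-06-01"},
    {"id": 3, "email": "carol@example.com", "purpose": "support", "collected_at": "2021-03-10"},
    {"id": 4, "email": "dave@example.com", "purpose": "legacy_export", "collected_at": "2023-12-01"},
]

# Constructed key for the demo; a real key belongs in a secrets manager.
DEMO_KEY = b"example-tokenization-key-do-not-reuse"


def tokenize(value: str, key: bytes) -> str:
    """Keyed (HMAC-SHA256) token for a direct identifier.

    A keyed hash is used rather than a plain hash because e-mail addresses
    are low-entropy: an unkeyed SHA-256 of a guessable value can be matched
    by hashing candidate values, whereas the token cannot be computed
    without the key. Input is normalised so the same person gets one token.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def is_expired(record: dict, today: date) -> bool:
    """True when the record is older than the retention limit for its purpose.

    A purpose missing from the policy is treated as expired: data with no
    stated purpose has no justification for being kept.
    """
    limit = RETENTION_DAYS.get(record["purpose"])
    if limit is None:
        return True
    collected = date.fromisoformat(record["collected_at"])
    return today - collected > timedelta(days=limit)


def apply_controls(records: list, key: bytes, today: date):
    """Purge expired records and tokenize the identifier on the rest.

    Returns (kept_records, purged_ids). Kept records carry 'email_token'
    in place of 'email', so the raw address is no longer stored.
    """
    kept, purged = [], []
    for rec in records:
        if is_expired(rec, today):
            purged.append(rec["id"])
            continue
        sanitized = {k: v for k, v in rec.items() if k != "email"}
        sanitized["email_token"] = tokenize(rec["email"], key)
        kept.append(sanitized)
    return kept, purged


def demo(today_iso: str = "2024-01-01"):
    """Run the sweep over the constructed records as of a fixed date."""
    return apply_controls(SAMPLE_RECORDS, DEMO_KEY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    kept_records, purged_ids = demo()
    print("purged record ids:", purged_ids)
    for rec in kept_records:
        print(rec)
```

Run as of 2024-01-01, the sweep purges the marketing record (over 365 days old), the support record (over 730 days old) and the record with the undocumented purpose, and keeps only the billing record, now carrying a token instead of the address. The point of the keyed token is the one the paragraph alludes to: a plain hash of a guessable field such as an e-mail address protects very little, while a keyed token keeps the data usable for matching without the raw value being recoverable by whoever obtains a copy.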
So, if you are an IT security professional, think about whether becoming an information security professional would be a good move, both for you and your organization. And if this isn’t something that appeals to you, at least consider raising the point that someone should be looking at the water while you’re running around fixing the pipes.
My biggest satisfaction has been when I start to hear that business leaders and other executives have started to ask the same questions that I do. “Why are we capturing that data, and what are we going to do with it?” Your customers are waking up and starting to ask similar questions. If you’re going to be able to meet their changing expectations, you should have the answers ready.