I've recently been looking for new ways to explain the virtues of effective digital data protection in the corporate world. The last 12 months were very challenging, with large data breaches continuing and an apparent lack of urgency to remediate these problems. In some ways, it feels similar to global scientific efforts to bring renewed attention to global warming and to take positive action to address climate change before it is too late.
I am the Strategic Security Architect for data protection in North America at Micro Focus. The disclaimer is that I'm in the sales organization and my job is to sell our software solutions. To do that for the specific technology I represent, I need to work with customers that have a true need to protect their digital assets.
With the constant flow of news reports about massive data breaches and the accepted understanding that it's not a matter of "if" but "when" a data breach will hit any one organization, you may think that finding a customer with a sense of urgency about protecting their data would be easy. Furthermore, cybersecurity experts have recently revised their guidance and are telling organizations that they have likely already been breached, and that the only difference between some organizations and others is that some know it and others don't. Unlike in cybersecurity and digital data protection, I'm not an expert in climate. But I do believe what hundreds of scientists and governments have researched for over 50 years: that the earth's climate is warming and we need to take action to prevent catastrophic outcomes.
Data breaches happen for many reasons, as do extreme weather conditions, and we are perhaps getting a little desensitized to seeing yet another lead story on the news or the front page of the business section. But the threats are real, growing and potentially catastrophic for the earth, a corporation or the government. Sadly, I feel that many people are in a state of denial, but I don't believe it's too late to address global warming or the fate of sensitive customer data.
I work with large corporations in North America and help them protect Personally Identifiable Information (PII) and electronic Protected Health Information (ePHI) for millions of their customers. I prove to them that there is an effective technical approach to protecting sensitive data and the risks are becoming even higher as sensitive data is placed in the cloud and aggregated for the purposes of big data analytics. Some corporations have already experienced the devastating impact of a data breach and know that traditional system and infrastructure defenses are not enough to protect against the type of advanced attacks that are most damaging today. However, some corporations continue to gamble on the chances of a data breach and risk the exposure of more and more PII and ePHI.
Most large corporations must legally comply with one or more regional and industry data protection and privacy regulations. However, regulations are written in a way that allows corporations to apply their own interpretation to the law, as the majority of regulations do not prescribe or mandate proven but modern data protection techniques. Therefore, corporations do the very minimum to meet regulations and turn a blind eye to the underlying risks of a data breach. The rationalization is that implementing proper data protection solutions is too expensive and could interfere with business functionality.
Yes, preventative action does not come without some significant near-term cost, but what are the longer-term costs and consequences of not doing anything or wasting money implementing ineffective data protection solutions? It creates a false sense of security. There is a quote from John Wooden that one of my customers used recently in her presentation at a cybersecurity summit: "If you don't have time to do it right, when will you have time to do it over?" There are numerous examples where corporations were compliant with data protection regulations, but still experienced very damaging data breaches. The damage is broad: senior executives lose their jobs, fines are paid, stock prices drop, brands are irreparably damaged, identities are stolen and financial fraud increases.
Effective data protection solutions such as Format-Preserving Encryption (FPE) can be implemented in a way that does not significantly interfere with business functionality. There will be places and times where sensitive data needs to be exposed, but that should only be for legitimate business purposes and far less frequently than occurs today. From a different point of view, data-centric approaches can actually enable organizations to securely accelerate business transformation with the latest cloud and big data analytics capabilities.
These risk, cost and regulatory factors that influence the world of cybersecurity, privacy and data protection sound a lot like today's heated (pardon the pun) discussions about global climate change. Luckily, the fate of the earth is not in my hands, but I do share a similar sense of responsibility with those hundreds of climate change scientists, working hard to convince people that there are things they can do to better protect their interests, whether it be the earth's climate or their customer data.