Welcome back to our blog on building a data security practice for your organization. As we mentioned in the introduction, Building and Managing a Data Security Practice, this blog is to help Micro Focus customers and partners combat data theft by securing sensitive data. And establish multiple processes focused on implementing data security within an organization.
Before we start talking about a data security practice, let’s talk about the motivation for establishing such a practice. According to the Verizon 2018 Data Breach Incident Report, over 24,500 information security incidents cataloged resulted in over 2,200 actual data breaches, or about nine percent. Look at this statistic another way: if your organization identifies one hundred security incidents against it, nine of those attacks walked away with your organization’s data.
Want something even more somber? According to this same report, most assets were compromised in minutes, discovered in weeks, and contained in months. What organizations do to promote information security is clearly unable to keep up with or mitigate most threats.
Which is where the data security practice comes in. Essentially, we are looking for something that guarantees information security even after a breach. This requires protecting the data itself. Generating peace of mind that insures crooks make off with paste, not the crown jewels, so to speak.
So how do we define a data security practice? Let’s split that term into two: data security and practice. Defining each in turn makes defining the whole easier.
Data security is defined as protecting data by storing meaningless substitutes for the original value, be it via encryption or tokenization technology. This is where the jewels versus paste analogy comes in: we replace the original data with substitutes that have at best a random correspondence to the original value. Yet by applying decryption or detokenization to these substitutes, we can regenerate the original value.
And practice has multiple definitions, both of which apply: we think of practice as a custom or habit, of course. Yet in this case, we also must include the additional definition of repetition: systemic exercises for the increasing proficiency.
Thus a data security practice, from an organizational standpoint, is the exercise of applying the principal of data security via methodical processes to remediate information security risks and vulnerabilities. Central to this practice is a concept called application level data security, where protecting sensitive data before storage outside of an application (be it in a database, file system, or other storage container) is the primary method of implementing information security.
And this concept differentiates data security from all other information security practices. Organizations adopting a data security practice shift some of the burden of security from IT to engineering: under a data security practice, developers themselves are responsible for protecting production data so that attackers obtain nothing of value after a successful data breach. Developers may no longer rely on external mechanisms to enforce security: instead, developers must assume that at some point during the system's lifetime, those mechanisms will be compromised.
So now that we know what a data security practice is, why should we implement one? Given that data security is not free, what is the financial benefit from such a practice?
That’s the topic of our next post on the business value of protecting data. Meanwhile, what are your comments and thoughts on this topic? Have you worked for an organization that had a data security practice? What is your experience implementing one? Please let us know by commenting below. We’d love to hear from you.