Breach fight needs the boardroom, not the IT department
Data breaches are marching in lockstep with the proliferation of emerging data technologies. It appears that progress in the digital age seems to be coming hand in hand with data security risks.
This should not be surprising. As companies go digital, so too will crime and fraud. Both crime as well as fraud, are business process breaches after all.
When data breaches happen, they erode massive economic value. Ignoring data security in the boardroom this day and age, is nothing short of dereliction.
Recent data breach events in September 2017 in the U.S., involving the stock value drop of Sonic as well as Equifax are evidence of the negative impact of data breaches on the economic value of businesses. Clearly, they have become incidents of board-level importance.
A good place to start is to review and repurpose any available risk models within the business, such as the enterprise risk management (ERM) framework. This is a fundamental approach for risk management and can be adequately extended to focus on "data security," specifically.
While various consulting firms and vendors, perform benchmarking exercises to serve their markets, ISO 20071 is a specification for an information security management system (ISMS). It is a top-down, risk-based approach and is technology-neutral. An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes. Regardless of which function performs the audits and enforcements, it is important to ensure that economic value is not compromised.
Traditionally, companies have been using firewalls for “securing the perimeter.” This security model is clearly proving to be inadequate, not only when that perimeter is breached but also when a much-needed digital-age business model collaboration is rigidly hindered.
In the digital age, with business processes extending well into the devices in the involved persons hands, and with the adoption of mobile and cloud technologies, the perimeter has become increasingly difficult to enforce. Business processes now extend beyond the boundaries of a fixed "perimeter," which dramatically compromises a businesses ability manage its processes without the involved risks. There is a need now, to revisit this strategy and upgrade appropriately.
BeyondCorp is an example of this upgrade. It is an enterprise security model that was developed and used by Google that has shifted access controls from the network perimeter to individual devices and users.
While it is easy to be resigned to the fact that data security breaches come with the "digital age territory," so to speak, this certainly need not be the case.
There is no doubt that companies can adopt to new technologies, like big data analytics, mobile and cloud without compromising their data security.
Business processes, including those that prevent data security breaches, are well within the control of almost every business. All that needs to be done, is to address the "human element." And this is best addressed in the boardrooms and certainly not in IT back offices.