SecurityWeek

Data Protection

All Data Is Not Valued Equally

When devising a security strategy that will work for your organization or industry, you must start with the concept of value…

Securing an enterprise’s data can be an overwhelming task, and sometimes it’s easy to lose sight of the forest for the trees. We get so caught up in the sheer volume of information and in trying to ensure that every possible threat is mitigated that we often set ourselves up for failure. In my opinion, one of the biggest inhibitors to securing an organization’s most critical information is treating all data as if it had the same value.

We have witnessed some very public and embarrassing examples of late in the government sector that highlight that all data is not the same. These situations have also shown the damage that can be caused when an organization’s most sensitive information is made public through a failure of security or process. Last week’s sentencing of Pfc. Bradley Manning was the latest, but certainly not the only, case of high-profile damage resulting from a leak of classified information. The Edward Snowden case continues to dominate the headlines and has turned a case of an insider threat into an international incident, pitting two of the world’s global powers against one another. And in another well-documented case, former Central Intelligence Agency officer John Kiriakou is now serving a 30-month sentence for sharing classified information with a reporter. This list will continue to grow.

What do these examples tell us? Mainly that somewhere along the line there was a security breakdown, in either systems or protocol, that allowed the most sensitive of material to be shared outside the organization. And while no organization wants to suffer a breach or loss of information, the reality is that it’s going to happen. With that in mind, anyone charged with security should continuously be asking themselves: what information do we have that A) would be most attractive for a hacker to steal, and B) would cause the greatest harm to the business if it were compromised? These two questions form the basis of what we call “predictive security” and should be at the core of every organization’s security strategy.

Enterprise organizations can be complex, and it may be impossible for a single security officer to have the insight into all the processes required to answer these questions effectively. That speaks to the need for process. Security, in order to be successful, must be a top-down proposition. Just as the executive team puts business plans in place for growing the business and achieving market share, they must also play an active role in determining security strategy. While I don’t advocate that technical decisions be made in the C-suite, I do advise executives to determine what constitutes the biggest threats to the organization and then empower the security experts to take the necessary steps to combat them.

In order to be successful in security, the process must be part of an organizational approach. As I referenced in a previous SecurityWeek column, everyone is a security manager: If I have learned anything over two-plus decades in this industry, it’s that you can’t leave security as the sole domain of just a few and expect to be successful. As threats and vulnerabilities continue to evolve, it is incumbent upon organizations to empower all of their employees to take an active role in their own network security. There are still too many who mistakenly view security as a point-in-time activity rather than a process, leading to a breakdown in the level of vigilance needed in order to create an effective security culture.

The intent of this message is that while technical decisions are the responsibility of the security team, employee behavior, identifying risky procedures and activities, and creating an environment that takes security seriously are the responsibility of everyone. As the examples above highlight, security is not simply a piece of technology that can be plugged into the network, but a commitment and process that must be instilled into the corporate culture.

When devising a security strategy that will work for your particular organization or industry, you must start with the concept of value. While it would be nice to be able to secure every bit of data or information on your network, practically speaking, that is a nearly impossible task. By focusing your attention and budget largely on the information that holds intrinsic value to your organization, you can build a security protocol to protect it.

Security can sometimes be a series of tradeoffs to ensure you protect the most vital of assets, or “high-value” targets, and that you are properly balancing risk versus business operations. A good analogy would be travel. Why are you subjected to much greater scrutiny and security when you travel by air as opposed to train or bus? Because of the risk involved and the perceived value of the threat. Think of this example when it comes to your own strategy – corporate IP is the equivalent of airport security, whereas office supply lists and holiday card distribution reside in the bus terminal.

Related Reading: What is YOUR Cool Data? DIY Business Impact Analysis
