I began a new journey. I accepted a role as Strategic Marketing Director at Privacera, an early-stage startup that has reframed how organizations find, discover, govern, and protect their sensitive data—an issue important to CIOs and all of those they support. While in conversation with Privacera leadership, I happened to discover a recent, unpublished #CIOChat that helped me decide to join the Privacera team.
For those that are new to me, I facilitate the weekly #CIOChat on Twitter and LinkedIn. As an engaged influencer across the CIO landscape, I help bring visibility and insight to this important position within organizations. We discuss the topics keeping CIOs up at night and home in on strategies that facilitate agility, compliance, and security throughout their organizations. Today’s CIOs are laser-focused on data and security—aligning with Privacera’s mission is a natural next step for me.
CIOs Weigh In: What Is Responsible Data Access and Accountability?
In my most recent #CIOChat, I asked CIOs what is needed to protect and govern the sensitive data their organizations create. I asked some high-priority questions, such as: do you know all of the potential business outcomes tied to data risk management? What do your data access privileges look like currently? What are your thoughts on data discovery and the perimeter approach? How do you achieve compliance with shifting regulatory environments on a global scale?
Isaac Sacolick, former Businessweek CIO, said that at the outset of data security and governance strategy development, organizations need to do several things:
- Discover and label their sensitive data (find where the data is and determine its sensitivity)
- Identify data owners (even if they are not ready to handle their responsibilities)
- Limit usage for components such as business intelligence (BI) and apps until the data is protected
Jason James, former NetHealth CIO, said the main challenge he has seen revolves around “articulating the importance of protecting data and the responsibilities of people getting actively involved in data governance—a term too few understand.”
Martin Davis, CIO of Mevotech, agrees and suggests “people are key to protecting the sensitive data that organizations create. Security may start with perimeter security, access control, encrypting data storage, and network traffic, but it concludes with segmenting sensitive data and providing extra layers of security around it. These are the basics as far as I am concerned.”
The Cardinal First Step: Sensitive Data Discovery
It goes without saying that the discovery of sensitive data is an important starting point for companies, and many CIOs agree. Davis said, “the first step is discovering your sensitive data, where it is, and how it is used. You can’t govern what you don’t know.” Carrie Shumaker, CIO of the University of Michigan-Dearborn, agreed, “the first thing in protecting sensitive data is to find it.” IT Director Adam Martin puts it simply, “you can’t protect what you do not know about.”
Deb Gildersleeve, CIO of FIRST, took a slightly different position and relayed, “this is a little chicken and egg. You must start with where you are putting the data and how you access it and then establish the data governance and privacy policies. But ideally, you discover the data before putting the system in place. We all have tech debt, but we can stop making it worse.”
Sensitive data discovery requires consensus within an organization. Constellation Research’s Dion Hinchcliffe outlined how CIOs can take their companies through this process and why it is necessary: “The first step in data security is establishing the mandate with buy-in across the organization, then it is about marshaling sufficient resources. The next step is the governance, privacy, and security policies that can then be developed and enforced adequately. Supporting this is maintaining an accurate data ownership picture. This is crucial for effective data security. Yet, it’s now growing even more difficult quickly with cloud, SaaS, and Shadow IT sprawl. Ultimately, automated sensitive data discovery is the only answer.”
Thinking Beyond the Notion of Perimeter
Traditionally, data access and governance were considered best managed inside a secured perimeter. However, many CIOs are rethinking this approach, and rightly so. Former CIO Wayne Sadin adds, “it is important to start with hygiene, awareness, and drumming up C-Suite support. The biggest thing is realizing we are not protecting crown jewels. I particularly dislike the notion of a perimeter because it implies inside equals safe and outside equals dangerous. Yet the bad actors inside the organization are an increasing threat.”
Getting more specific, Gildersleeve says, “CIOs need to discover sensitive data, build guardrails/governance around who can access this data based on how it’s classified, and then limit overall access. Classification drives labeling. Once you have data classification then you can talk about whether you need to tokenize and why, or anonymize and why, or encrypt and why.”
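The following Python is an added example of my own, not Privacera code and not anything the chat participants described. It walks through Sacolick's three steps above and Gildersleeve's "classification drives labeling" in runnable form: scan constructed records for sensitive patterns, label each column by the most sensitive type found in it, record an owner, apply the control the label calls for (keyed tokenization for restricted values, masking for confidential ones), and default-deny any non-owner access to a sensitive column that has not yet been protected. The column names, detector patterns, sensitivity mapping, owner assignments and key are all assumptions made for the example; the sample rows are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample records for this example; every value is made up.
SAMPLE_ROWS = [
    {"customer_id": "1001", "contact": "ana@example.com",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111", "region": "EMEA"},
    {"customer_id": "1002", "contact": "bo@example.org",
     "ssn": "987-65-4321", "card": "5500 0000 0000 0004", "region": "APAC"},
]

# Assumed detectors and sensitivity mapping; a real scanner would carry many more.
DETECTORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "card": re.compile(r"^(?:\d[ -]?){13,19}$"),
}
SENSITIVITY = {"ssn": "restricted", "card": "restricted", "email": "confidential"}
RANK = {"internal": 0, "confidential": 1, "restricted": 2}


def luhn_ok(number):
    """Check-digit test so a random run of digits is not reported as a card number."""
    total = 0
    for i, d in enumerate(reversed([int(c) for c in number if c.isdigit()])):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect(value):
    """Return the set of sensitive-data types that one cell value matches."""
    found = set()
    for kind, pattern in DETECTORS.items():
        if pattern.match(value) and (kind != "card" or luhn_ok(value)):
            found.add(kind)
    return found


def discover(rows):
    """Step 1: scan every column; label each by the most sensitive type seen in it."""
    labels = {}
    for row in rows:
        for column, value in row.items():
            labels.setdefault(column, "internal")
            for kind in detect(str(value)):
                if RANK[SENSITIVITY[kind]] > RANK[labels[column]]:
                    labels[column] = SENSITIVITY[kind]
    return labels


def tokenize(value, key):
    """Keyed, deterministic token: joins and counts still work without the raw value."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(value):
    local, _, domain = value.partition("@")
    return local[0] + "***@" + domain


def protect_row(row, labels, key):
    """Step 3: apply the control the classification calls for, column by column."""
    out = {}
    for column, value in row.items():
        level = labels[column]
        if level == "restricted":
            out[column] = tokenize(str(value), key)
        elif level == "confidential":
            out[column] = mask_email(value) if "@" in str(value) else "***"
        else:
            out[column] = value
    return out


def authorize(role, column, labels, owners, protected):
    """Default deny: the owner may read raw values; everyone else gets internal
    columns, or sensitive columns only once they have been protected."""
    level = labels.get(column)
    if level is None:
        return False  # never discovered, so never governed: refuse rather than guess
    if role == owners.get(column) or level == "internal":
        return True
    return column in protected


def run_demo(key=b"example-key-not-for-production"):
    labels = discover(SAMPLE_ROWS)
    owners = {"ssn": "hr", "card": "payments", "contact": "marketing"}  # step 2, assumed
    protected_rows = [protect_row(r, labels, key) for r in SAMPLE_ROWS]
    protected = {c for c, level in labels.items() if level != "internal"}
    return {
        "labels": labels,
        "bi_sees_ssn_before": authorize("bi_analyst", "ssn", labels, owners, set()),
        "bi_sees_ssn_after": authorize("bi_analyst", "ssn", labels, owners, protected),
        "hr_sees_ssn": authorize("hr", "ssn", labels, owners, set()),
        "first_protected_row": protected_rows[0],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The ordering is the point: the BI role is refused the `ssn` column until `protect_row` has run, which is Sacolick's "limit usage until the data is protected", and a column the scanner never saw is refused outright rather than served as if it were harmless. Tokenization is keyed (HMAC) rather than a plain hash so that values cannot be recovered by hashing guesses, and it is deterministic so analytics that join on the column still work.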
Hinchcliffe concluded by saying, “today data must be protected with the full assets of the organization. There is no perimeter. You can’t trust much of anything anymore, even inside a perimeter. It seems a bit sad given the huge promise of the Internet to connect everyone. But the problem is it connects everyone.”
Moving Towards Zero Trust Data Protection (ZTDP)
The zero trust security model is well established in the cybersecurity ecosystem, but a newer and very timely term is emerging for the data sphere. Zero Trust Data Protection (ZTDP) applies the zero trust model, in which no access is trusted by default and every request is verified, to the data itself. Achieving ZTDP requires an effective data security and governance solution that can enforce the zero trust model within the data environment.
I asked CIOs what things most need to be rethought in the current data risk environment. Their answers relayed the need for a zero-trust approach. For example, Davis referred to an old Ford slogan, “Security Needs to be Job One. It cannot be an afterthought or add-on. Security needs to be designed into the company in every aspect from people to access control.”
Gildersleeve relayed, “the way we all work is different, so we must rethink the ease of access. Most organizations have taken on some level of risk to make systems easier and more accessible, but this has completely opened new ways of attacking. We need to move to a zero-trust posture. That’s where CISOs have wanted us to be all along so I hope they are up to the task.”
Meanwhile, Hinchcliffe provided a deep dive, “a lot must be rethought. And with advances in thinking like zero trust, much must be redone. Which is an ocean you can only boil a bite at a time, to mix metaphors. The CISO needs lots of support from the CIO here. Clearly, the future is about enabling innovation, and approaching access to data in a safe way is critical. Unleashing data sounds great until you think about the security and compliance implications. CISOs need to create guardrails so that teams can move quickly but safely. The idea that teams can be an expert on development, security, and operations isn’t realistic. For this reason, DevSecOps is more about culture change and driving communication across teams. Additionally, in all of these areas automation plays a huge role. You can be more secure and move faster by automating manual processes.”
Should CIOs or CISOs View Protecting Data as a Part of Their Job?
In previous conversations with CIOs, I often found very mixed answers to the question, “do you think protecting data is part of your current role?” During this chat, I again asked them to provide a perspective on this topic. Davis started the conversation by saying, “CIOs should, if not they are missing the point.” Gildersleeve, however, says, “from my experience, CIOs see it as their job to raise it as a risk, but the expectation is that the protection occurs in the management of the systems themselves.”
Sadin emphatically claims that “CIOs and compliance execs are always responsible for ensuring that things work and are secure regardless of technology and process partner relationships. As a CIO and as a board member, I sure as heck do! But titles mean little compared with one’s manager’s expectations and one’s written job responsibilities. Be sure these are crystal clear.” With this, James concludes by saying, “the ultimate prize for threat actors is the data, so CIOs/CISOs must protect data. They should be held accountable because someone must be responsible. In the end, someone takes the fall for the breach and it could be the CIO/CISO/CEO or all. This seems that way these days. This happened, for example, at Target—when the CEO, CIO, and CISO all left after a breach.”
A spectrum of views exists on how CIOs think they need to address data security and its governance. Whether it is a clearly defined responsibility, the raising of risks, or a more collaborative approach, the jury appears to be out. From my perspective, however, CIOs have a central role in data management and in protecting their enterprises whether or not their CISOs do. And everything should start with the discovery of sensitive data in the wild. This is definitely a place where innovation can be game-changing. We all need to protect sensitive data wherever it goes in the enterprise, whether it is at rest or in motion.
Privacera is the leading data security governance provider based on open standards. Fortune 100 and 500 enterprises rely on our Unified Data Security Platform to deliver faster time to insights while reducing risk and improving their security posture. To learn more you can watch this on-demand webinar on the emergence of data security governance.