CISOs today are not only among the busiest but also the most worried members of the C-suite in any organisation that deals with customer data. Data privacy, data security and data integrity are now almost non-negotiable. However, the attacks aren't slowing down either. In a scenario of heightened awareness of, and need for, data security and privacy, what should a CISO do to manage the organisation's digital risk?
Rahul Neel Mani, Editor, DynamicCISO.com, spoke to Mike Adler, VP, Product and Engineering, NetWitness Suite, RSA, on a variety of issues, including the impact of GDPR in the age of digital transformation and how to contain the risk of data over-exposure.
Below are the excerpts:
DynamicCISO (DCISO): GDPR, after coming into effect, has rattled many organisations. There's no silver bullet that can safeguard data and also an organisation's interests. As a security professional, how do you analyse the situation?
Mike Adler (MA): As I see it, GDPR is a governmental reaction to the carelessness of the industry. Many companies have learnt to gather data, on both their customers and their employees, and to extract value and insights from it through analytics. This data and its insights can be used for both good and bad purposes. It means the data is valuable to folks who probably don't have the best of intentions. GDPR was the reaction from the government(s) to raise awareness that this incredibly valuable data must be protected. What we have seen so far is the implementation of GDPR at a policy level, but the industry is yet to see it enforced. We will soon start seeing its enforcement and, over time, it may hopefully normalise too. But for any large organisation dealing with large datasets, the exercise of becoming GDPR compliant can be both very costly and complex. Like any risk exercise, GDPR is about understanding the risks involved in data privacy and protection. If you look at it, it's another type of risk management framework or exercise, but at a gigantic scale. As we move forward, things will get clearer, more standards will be established and, beyond just the laws, we will see winning approaches emerging from it. Like any technology or regulatory curve, GDPR will also get streamlined over time.
The question that will emerge from this is: can there be a global standard for data protection?
DCISO: It's true that new opportunity brings new risk. What's more important for a business: to grab the new opportunity, or to address it while keeping the risks in mind?
MA: Wisdom says it is important to address risks when businesses are scouting new opportunities for growth. A classic business education model teaches us about upside risks, downside risks and so on. In today's economy, companies are bound to grab opportunities to grow and progress. But that can't be done recklessly. It has to be a risk-based approach that covers the broader set of impacts and risks, including the risks to consumers and employees. Understanding this broader set of risks while exploring opportunities heightens the effort to protect against those risks. As we become more digital, the risks change across the board. In the non-digital days, the mortgage companies in the US had huge amounts of physical data locked in boxes and warehouses. Someone had to break into those warehouses to steal the data. The chances of that type of incident happening and not being caught were very slim. Today, the loans are processed digitally and the data is stored in electronic form. Getting access to that data is easy compared to stealing the physical data. How data is stored varies from organisation to organisation. Is it kept in one big file? Is it stored in a distributed way to make it harder to breach or steal? It is up to the organisation how to mitigate those risks. So, while it is important to grab new business opportunities, managing the risks associated with them is equally important. Therefore, businesses should apply a risk management framework to any new business opportunity.
DCISO: Elements like resilience, accountability and flexibility are vital to digital risk management. But it is not as easy as it sounds. How would a CISO deal with it?
MA: My advice to CISOs is to consolidate the variety of approaches they are applying to manage digital risk. Some of the most successful CISOs are looking at simplifying their approach. Instead of having 30-40 different tools and making them all resilient and transactional, it is better to consolidate them on a smaller platform. A growing number of CISOs globally are now looking at platform technologies to build resiliency rather than applying point products as point solutions. For example, companies can look at managing data security using the RSA NetWitness Platform. Similarly, for identity management, CISOs should look at a single platform. RSA recommends approaching technology as a platform rather than looking at multiple point solutions. Even before evaluating technology, it is important to gain visibility of the data assets one is trying to manage. It is important to have complete visibility of the endpoints and devices that are gathering data within an enterprise. On top of that comes the need for appropriate monitoring tools to achieve that complete visibility. Having done that, the right set of analytics and AI tools needs to be deployed to identify potential threats and risks, which could be cybersecurity risks, business risks, identity risks or a combination of all three. So, to sum up, a platform approach that provides visibility, insight and action is the one that should be used to manage modern-day digital risks.
DCISO: In the present times, when things are changing dynamically, it's difficult to anticipate the threats that are going to hit in the near future. What do you suggest CISOs do to be prepared for unforeseen scenarios?
MA: In the age of digital transformation, cybersecurity boils down to a set of strategies and technologies that allow both detection of threats and protection from them at various layers while exploring business opportunities. Whether it is the interaction with customers or the interaction of employees with the data, one has to think about putting in layers of security. The key here is for the CISO to look into the depth of these aspects. It is important for a CISO to keep an eye on every step of the data collection process and the data access process to contain risk. It is both a risk management and a cybersecurity exercise. With this depth and layering of different technologies, you can design a holistic architecture for cybersecurity.
DCISO: A bunch of new technologies (also classified as emerging technologies) like Cloud, AI and IoT are now on the horizon of every enterprise. They are being adopted at various layers to perform different business functions. How can the risks emerging from these technologies be mitigated?
MA: There are three key things that come to my mind.
In the majority of organisations, there is a tendency to over-expose data. When organisations are rolling out consumer-centric services, CISOs and technology teams should ensure that the data they are using or exposing is appropriate for consumption by end users or employees and is the minimum that is required.
Next, it is vital to look at the security of the data itself. From data accumulation to its encryption to its storage, every aspect has to be looked into. From a risk perspective, it is important to look at the data access aspect too. Typically, a breach starts with compromised data control points. Securing those central nodes is an important task. The third key aspect is to ensure that whenever the data is accessed by authorised people, it is anonymised and hides the identities of individuals as much as possible.
If security teams keep these three key tenets in mind, the risk surface shrinks drastically and the overall security posture becomes stronger and more successful.