The provision of an adequate data security backbone and a robust enterprise-wide security culture have become central concerns for CISOs as a result of the pandemic, with new business demands, changing working environments, and the current and future operational constraints of the 2020s now taking hold. As data volumes continue to grow, maintaining the confidentiality, integrity and availability (CIA) of data has become a priority concern for all security leaders. Managing an ever-evolving data footprint demands a solid data protection posture that requires investment in appropriate data classification tools. Supporting this should be employee education programs that onboard staff and inform them about key data management and classification processes. But in all of this, automation is the third critical ingredient for success.
A combined technology and people-centric approach is essential
Now more than ever, strong data usage and protection facilities are required to give employees appropriate and safe access to information and to inform and educate them sufficiently around sensitive data and confidentiality. Automated protection facilities that help define, measure and mark the status of data, and maintain it within secure and authorised repositories, will be paramount as a central tenet of security posture.
By combining people, process and technology, CISOs can deliver on all key data protection and control requirements; not only in ensuring understanding and appropriate management of data, but in delivering the breadth of security coverage required on a local and remote basis and ensuring its suitability for all stakeholders.
Combining good data protection technology with human expertise and processes provides considerable benefits that include:
- The ability to integrate the rigor of technology-based automation alongside the contextual knowledge, usage and control requirements of data creators.
- The use of technology-based automation to assimilate knowledge about data and apply rule-based controls that fit the current and expected future needs of the organisation without imposing additional operational overheads.
- The delivery of a combined security approach that includes the user in the classification decision-making, improving awareness and enhancing overall security posture.
Stakeholder contribution towards data protection
No two organisations’ data usage requirements are the same. It is the creators and users of data that bring the in-depth knowledge and insights that facilitate classification for future access and use. They also provide the bedrock of knowledge that informs automated protection and access control rules.
Beyond providing initial insights into the data they generate, it is critical that stakeholders understand the data protection policies of their organisation, so that the correct levels of control can be applied at source.
For CISOs, it is important that data policies across the business are fully understood, to ensure a consistent approach to classifying data and controlling data use.
Post-pandemic data protection
At a foundational level, enterprise-level data protection must extend to ensuring an in-depth knowledge of what data is held and where, and accordingly what differing levels of security controls are needed to keep the various data categories safe.
From a data protection perspective, businesses must first of all acknowledge that not all data is equal. With that in mind, different controls are required to ensure that differing types of data are not lost or accessed by unauthorised parties. Beyond the high-level requirement to protect confidential, business critical and sensitive data, businesses must then also apply differing data protection rules applicable to other data categories – Personally Identifiable Information (PII), for example – which is gathered, used and stored by all businesses.
Maintaining a focus on business context and the ability to meet regulation will be critical in 2021, as well as ensuring enterprise-wide understanding around data and risk. Further, prioritisation must be given to delivering smart data protection facilities to make the right decisions on data access and availability – to deliver technology-based efficiency and automation to adequately support the ever-increasing data volumes of remote workforces.
Automating data classification for optimised security
Businesses that adapt best to the post-pandemic era will use automation, data-driven digital access technologies and cloud to effect improved operations and efficiencies.
With the remote workforce here to stay, more data will be generated outside of the more traditional, secure work environment than ever before, and enabling safe user and data access will be key. The sheer volumes involved will make it ever more difficult to protect sensitive information and will drive an urgent need for more inclusive and automated forms of data protection.
Automation will make a significant contribution to improved operational efficiencies post-pandemic, as well as delivering agile, automated operations with safe user and data access at the centre of business strategies. Data classification tools will protect data by applying appropriate security labels, and will help educate users on how to treat different types of data according to the classification level, and so the relative sensitivity, applied to each document.
The importance of a strong security culture and employee education programmes
We have seen how automation plays a key role in establishing a firm foundation for an organisation’s security culture, but given that employees play such a vital role in ensuring that the business maintains a strong data privacy posture, the ability to work with stakeholders and users to understand data protection requirements and policies is key. Security and data protection education must be conducted company-wide and must exist at a level that is workable and sustainable.
Regular security awareness training and a company-wide inclusive security culture within the business will ensure that data security becomes a part of everyday working practice, embedded into all actions and the very heart of the business.
A robust data protection protocol is critical for all organisations, and this will particularly be the case as we move beyond Covid-19 into the new normal. Delivering optimal operational efficiencies, data management and data classification provision under post-pandemic budget constraints will be an ongoing business-critical challenge. To do nothing, however, will set up an organisation to fail, and we have already seen large fines incurred by those that have not given data security enough of a priority. Data leaders must therefore be selective and identify the combination of technologies, processes and people investments that will deliver the greatest security controls.
Developing and building out a combined technology and user-centric, people-based approach to data protection will be critical. Through a solid security culture and training and the integrated use of technology and automation, data leaders can deliver the most fitting security culture for their organisation. Beyond this, success will be contingent on the ability of CISOs to work with stakeholders and users to understand their data protection requirements and to deliver appropriate policies thereafter as a central component of overarching data protection strategies.