Last year I was fortunate to attend several all-day Chief Information Security Officer (CISO) roundtables on data protection with some of the top CISOs from the Fortune 500 and beyond. Imagine being the CISO of a huge company like Honeywell, with over 100,000 employees spread across hundreds of loosely coupled acquisitions worldwide, or Thales, a $17B organization and itself an industry leader in security. Imagine being the CISO of one of the major international banks like JP Morgan. As the CISO, what would be most on your mind? What would be keeping you up at night? Here are the 5 recurring themes I heard.
1. SUPPLY CHAIN SECURITY / THIRD-PARTY SECURITY
By and large, the main problem expressed at these data protection forums was that while a CISO can ensure that their own organization's data is protected, the biggest hole in data protection opens when you willingly share data with one of your thousands of suppliers whose security is not as strong, or when they in turn share your data with a supplier of theirs further down the chain, and so on.
Many are focused on trying to enforce security requirements on their partners at the contractual level, but find it very difficult to enforce security in practice: business moves too fast, and a partner is often onboarded (or already onboarded) without the right security audits.
Related problems include not knowing where all the data is or what it contains, and especially not knowing the pathways by which data can make its way into the hands of partners.
Some CISOs raised encryption / rights management as an emerging technology meant to solve supply chain security, but many were not aware of it or were skeptical about implementing it in practice. We started down the path of rights management being the ultimate solution, but only once a digital rights management (DRM) industry standard is in place, and that may still be decades off.
2. POLITICAL OBSTACLES TO GETTING ANY SECURITY OR DATA PROGRAM IN PLACE
Most transformational security initiatives, such as classification, require buy-in from many groups, including security, data governance, compliance, legal, and line-of-business owners. As the understanding of data protection evolves, the question of who actually owns it is hard to answer when many teams are involved and each has its own lens and agenda.
In fact, one trend seemed to be CISOs and security teams pushing back on owning GDPR and other data privacy compliance, pushing it onto data management and compliance groups instead, since those compliance initiatives can be too much of a distraction for them, and many did not feel the risk of being penalized was high enough to pull them away from their other security roadmaps.
3. DATA IDENTITY, DATA MANAGEMENT
Though not explicitly stated as a direct problem, the topic came up over and over indirectly: to put any sort of proper data protection in place, it is necessary to understand the identity of new and existing data and the pathways data follows through your company and supply chain. The people in the room mainly thought of data classification as the solution to this problem, but the idea of "data identification", understanding the detailed nature of any data within your organization beyond applying simple labels like "Confidential" or "Restricted", was somewhat new to them. Detailed metadata such as "Does this file contain PII? PFI? PHI? Of what nature?" would greatly help determine how best to protect that data.
It was also mentioned in various cases that security was not necessarily leading data management; rather, this is a data governance / records management function within the organization. For example, Aviva has ~300 data scientists working to identify loosely structured personal data (names, addresses, etc.) in their data at rest, to improve the efficiency and cost of operations that currently require doing this manually, such as generating insurance quotes. Again, this points to the importance of internal cooperation between the CISO and other key players like the Chief Data Officer (CDO).
But before most Fortune 500 companies can even think of identifying data at this level of granularity, they have to be aware of all their dark data. Imagine you make several major acquisitions every year, and each unit you acquire brings petabytes of stored data that is completely unlabeled. What risks lie within this vast expanse of unknown data? Many solutions exist to scan and identify data at rest, but they have major performance constraints. And many CISOs would almost prefer not to discover this data and just let sleeping dogs lie.
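To make "data identification" concrete, here is a small Python scanner, added as an illustration and not code from any of the roundtable participants or vendors. It tags files at rest with the kind of sensitive data they hold (PII, PFI, PHI) rather than one coarse label, validates candidate card numbers with the Luhn checksum so random digit runs are not reported, and derives a handling requirement from the tags. The file contents are constructed, the detection patterns are deliberately narrow, and the handling policy is an assumption for illustration; the max_bytes cap stands in for the kind of sampling needed to keep a scan over petabytes of dark data bounded.

```python
import re
from dataclasses import dataclass, field

# Constructed sample "files at rest" with fake content; not real data.
SAMPLE_FILES = {
    "hr/onboarding_2019.txt": "New hire Jane Doe, SSN 123-45-6789, email jane.doe@example.com",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456",
    "clinical/notes.txt": "Patient MRN 00429187, diagnosis: hypertension. Rx lisinopril 10mg",
    "eng/README.md": "Build with make; run the tests with make test.",
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MRN_RE = re.compile(r"\bMRN\s*\d{6,10}\b")
# Assumed clinical vocabulary; a real scanner would use a maintained dictionary.
CLINICAL_TERMS = ("diagnosis", "diagnosed", "rx ", "patient")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(m: re.Match) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, zero group/serial)."""
    area, group, serial = m.groups()
    return area not in ("000", "666") and not area.startswith("9") and group != "00" and serial != "0000"


@dataclass
class Finding:
    path: str
    categories: set = field(default_factory=set)
    detail: dict = field(default_factory=dict)

    @property
    def handling(self) -> str:
        """Map the detailed categories to a protection requirement (assumed policy)."""
        if "PHI" in self.categories or "PFI" in self.categories:
            return "encrypt-at-rest, restrict access, log every read"
        if "PII" in self.categories:
            return "encrypt-at-rest, apply retention schedule"
        return "no special handling"


def identify(path: str, content: str, max_bytes: int = 1_000_000) -> Finding:
    """Tag one file with the kind of sensitive data it holds, not just a coarse label.
    Only the first max_bytes are inspected so a scan over very large stores stays bounded."""
    text = content[:max_bytes]
    f = Finding(path)
    emails = EMAIL_RE.findall(text)
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if ssn_plausible(m)]
    if emails or ssns:
        f.categories.add("PII")
        f.detail["pii"] = {"email": len(emails), "ssn": len(ssns)}
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    if cards:
        f.categories.add("PFI")
        f.detail["pfi"] = {"card_numbers": len(cards)}
    low = text.lower()
    # PHI requires both a record identifier and clinical context, to cut false positives.
    if MRN_RE.search(text) and any(t in low for t in CLINICAL_TERMS):
        f.categories.add("PHI")
        f.detail["phi"] = {"mrn": len(MRN_RE.findall(text))}
    return f


def scan(files: dict) -> dict:
    """Identify every file and return {path: Finding}."""
    return {path: identify(path, content) for path, content in files.items()}


if __name__ == "__main__":
    for path, finding in scan(SAMPLE_FILES).items():
        print(f"{path}: {sorted(finding.categories) or ['none']} -> {finding.handling}")
```

Run as a script it prints one line per file; the refunds file reports a single card number because the second row fails the Luhn check, which is exactly the kind of false positive that makes purely pattern-based scanners noisy at petabyte scale.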
4. TOO MUCH MANUAL ANALYSIS WORK, NOT ENOUGH SECURITY TALENT
Fortune 500 CISOs expressed a general concern that security talent is scarce and difficult to hire, and that too often their teams end up doing lots of manual work triaging potential adverse events. There was a hope that machine learning (ML) could automate some of that manual work in the future so that security analysts could be used for higher-value work.
5. LACK OF ESTABLISHED BEST PRACTICES FOR DATA PROTECTION
Though not expressed directly as a frustration, it was clear that data protection is an emerging field without clear solutions and best practices. CISOs spoke more about anecdotes and tactical solutions to specific problems than about any unifying framework or process for handling data protection holistically. Each was quite interested in learning from the others' experience.