It’s easy to overlook a basic fact about business in the digital age. Thieves, crooks and hackers aren’t as interested in devices and systems as the data that resides within them. Whether they’re looking to breach a database or pull off a ransomware scheme, data is what’s typically in their crosshairs.
“All paths lead to protecting data and embracing effective risk management. The focus must move beyond technology and tools, which simply enable a task. The objective is to build a strategic framework that maximizes protection,” says Todd Bialick, a partner at consulting firm PricewaterhouseCoopers.
Adding to the complexity is the California Consumer Privacy Act (CCPA), which, beginning January 1, 2020, sets far more stringent standards for companies doing business in California. “It has introduced a broad array of new requirements and penalties for violations and data breaches,” says Paola Zeni, senior director of global privacy at Palo Alto Networks.
How can an organization juggle regulatory compliance and internal requirements for managing data? How can it approach data classification and protection in a cost-effective way? While there are no easy answers—and every organization is certainly different—it’s possible to build a better cybersecurity framework by approaching the task with five steps in mind.
Step 1. Figure out collaboration. A major challenge for organizations is building effective security across internal teams and groups—and ensuring that the IT systems in place align with cybersecurity efforts. Too often, departments duplicate efforts or address security in conflicting ways.
Businesses in highly regulated industries are particularly vulnerable. “It’s critical for the security department, legal department and compliance group to be totally synced and operating as a single group,” says Adam Shnider, executive vice president of Cyber Assurance Services at advisory firm Coalfire.
In his view, there are two primary ways to approach the challenge. One is to establish a group focused on security compliance and privacy and consolidate those assigned to different tasks within a single task force or group. This helps identify overlaps and gaps. A second approach is to establish virtual panes, sometimes referred to as Tiger Teams, that manage tasks and drive a security framework and performance systems deep into the organization. Oftentimes, it’s wise to start with a centralized approach and, as the program matures, seed tasks deeper through collaboration.
Step 2: Identify your critical data. All data is not created equal. Treating it the same and taking a blunt force approach to cybersecurity guarantees that you won’t match resources with risks—and you will probably wind up overspending on regulatory compliance and security protections.
This unbalanced approach isn’t just inefficient, it opens the door to problems. “You have to tie the risk back to the business,” Shnider explains. “It’s all about understanding outcomes and what the impact of lost, stolen, compromised, and deleted data is—and how it impacts the organization.”
This means understanding regulatory issues and potential penalties for standards such as GDPR, CCPA, HIPPA, and others. It means understanding the risk of lost or stolen data and its value in the hands of hackers and attackers. “Data classification is at the heart of cybersecurity. You can’t design and implement effective protections if you’re guessing at how to best protect assets,” says Bialick.
Step 3: Know your real risks. If you’re a retailer your cyber-risk profile is very different than if you’re a health care organization or an aerospace manufacturer. But there is a common theme: Identifying the business fallout from a potential breach.
Three things serve as the foundation for strong compliance and data oversight: identifying the value of different data to the business; understanding risks related to where data is stored and how it is transported; and knowing how it is used within an ecosystem.
Throughout the risk evaluation process, the focus must involve internal, external and regulatory and compliance risks. It’s not just about your own systems, it’s also about understanding how data is used by third-party vendors and others. For example, a vendor may subcontract with another vendor but lack essential compliance standards and security protections. This may require audit controls and specific monitoring and having validation requirements set up.
In the case of CCPA, the penalties for non-compliance can be significant, Zeni notes. A major violation could result in fines of $2,500 to $7,500 per each violation as well as action from the California attorney general’s office. Class action lawsuits and bad press could also result. “It’s an issue you don’t want to ignore.”
Step 4: Formulate a plan. Don’t get caught up in hype and headlines, says Bialick. “Companies must develop processes for handling the end-to-end use of data across a lifecycle.”
The goal isn’t to react to the endless litany of threats and risks but to build a more holistic cybersecurity model that’s deeply linked to compliance and controls. Moreover, the framework must include the flexibility to address changes in external regulations as well as industry requirements and internal requirements.
This may involve completely rethinking and rewiring security controls, including moving away from a reactive point solution model and toward a more sophisticated zero trust model that takes a datacentric view. It may also require adding staff that an organization doesn’t currently have.
“The focus must be on streamlining, simplifying and automating processes within a central dashboard,” according to Shnider. Revisiting the topic regularly is important. “You have to continually ask whether you are devoting adequate resources and budget to the task and whether you are abdicating any part of your control framework,” Zeni adds.
Step 5: Establish robust controls. Spreadsheets and manual processes and balances leave plenty of room for failure. “It’s essential to have a single source of truth,” Shnider points out. Automation is critical. “There is no way to inspect everything manually, scale resources up and down, and ensure that you’re meeting compliance requirements.”
Once you know exactly where and when data is at risk—what Shnider refers to as “the business problem to understand”—it’s possible to deploy the right technologies in the right places. Tech solutions may include encryption, endpoint monitoring, data loss prevention and more. It may require different authentication methods along with AI tools that can spot anomalies and pinpoint events that fall outside authorized parameters.
At the end of the day, Shnider says there are three key areas to focus on when designing a security framework around regulation and compliance. First, it’s critical to build a collaborative enterprise-wide program rather than focus on one-off tools and technologies. Second, regulations exist to promote assurance in the market and the use of an effective framework can build greater trust among customers and across an ecosystem. Finally, “Even after you build a program you have to continually review processes and technologies in order to have maximum visibility into your risks.”
To be sure, well-thought-out compliance isn’t easy, but it is necessary. As Bialick notes, “Every organization must frame risk in terms of what is important and how it can impact the business. When organizations succeed, they’re in a position to focus on the things that really matter.”