Five tips to address cybersecurity in data you don't own or control

By Paul Proctor, VP distinguished analyst at Gartner

In digital business, every enterprise is a link in a global chain. Data flows through, and is stored in, locations and third parties outside the organisation's ownership and beyond its control.

Gartner believes that by 2021, 50 percent of data will be outside the physical control of enterprise IT, up from 10 percent today. This requires enterprise risk and security teams to alter their cybersecurity strategy to protect their organisation.

The traditional contribution of the enterprise risk and security team was to protect corporate data within traditional silos. As the volumes of data increase exponentially, risk management is facing a very different landscape of data management responsibility, especially in terms of speed and control of new data sources.

The adoption of cloud and mobile technologies has enabled enterprises to innovate, improve processes and redirect IT investment. The Internet of Things (IoT) is another domain in which the enterprise holds yet another class of highly dispersed data that may be neither within its physical control nor owned by it. In addition, technology procurement and deployment is increasingly taking place outside the control of IT.

To a degree, traditional risk management is now becoming insufficient because data security governance and policy have not been augmented to follow the data into the cloud and to travel with the mobile workforce. Corporate policies and controls may have stayed within traditional silos, while data hasn’t. This has resulted in increased exposure to cybersecurity risks and organisations may find themselves playing a catch-up game.

To add more complexity and challenges, law and regulatory conventions are lagging behind. In the absence of established case law and regulations, enterprises must be self-reliant and become more rigorous about their own data governance and policies.

Following are five techniques to tackle the complexity and challenges of controlling cybersecurity on data you don’t own or control.

1) Map data ownership and flow outside your perimeter

With a lot of data now outside of your control, it’s important to allocate responsibility for security planning and operations in IaaS, PaaS and SaaS environments, and develop effective security strategies for existing and planned utilisation of public clouds.

In the future, mapping data flows will be a primary prerequisite for forward-thinking IT risk and security professionals, who will work with the accountable owners of the data to facilitate better decisions regarding appropriate protection.

Comprehensively mapping all data flows and identifying all data is arguably an impossible task. Start with the most mission-critical business processes, and then map the data flows that support the desired business outcomes.

2) Assess risk – catalogue contractual terms and service-level agreements

After you’ve created a data map and identified the relevant third parties, apply data and security governance. This starts with the service-level agreements (SLAs) and security-related contract terms that your service providers have agreed to.

Catalogue and assess risk against elements such as: availability; backup and recoverability; data sharing with third parties; retention and compliance requirements; data access; remedies for failure to perform; and other factors. Don’t treat this data governance and policy exercise as "set and forget it." Enforcement requires continuous monitoring and policy updates.

3) Make risk-based decisions

Enterprise applications can be numerous and complex in terms of their architecture style and deployment model. To govern all of them with the same rigorous controls is not a realistic goal. Leverage the data flow mapping information and treat your applications and their associated data with a value weighting system. Mission-critical data assets have the highest value and give you the best ROI in a data governance and protection investment. Tackle your most important applications that support your most important business outcomes and that have the most sensitive data at risk.

4) Leverage new technologies

It’s important to have visibility and a confident level of control over the highly distributed, complex, dynamic and partially owned digital assets that are significant to digital enterprise success. Automation is important in enabling enterprises to efficiently and effectively wrap their virtual hands around these increasingly large and mobile digital assets. New control tools are playing a growing role in enabling IT leaders to push some level of policy control down to their unowned assets, and to monitor how enterprise data is being used.

A wide variety of single points of control are being introduced to manage the configuration, provisioning, security, governance and control of enterprise information assets within highly distributed and externally located postmodern systems. These various forms of new technology provide useful levels of reliable and centralised control over distributed and ambiguous environments.

5) Procure legal and regulatory development expertise

Rapid and widespread changes in information technology have resulted in growing ambiguity in the application of existing law and regulations. Conflicts and disputes in digital business require new interpretations of these requirements.

Digital businesses are evolving much faster than legislators and regulators can adjust or create new agreements and rules. This misalignment creates legal risk, and inadvertent violations can be costly to organisations.

While regulations and laws continue to evolve in these ambiguous areas, risk teams need to be more vigilant than ever to constantly educate themselves, as well as closely partner with legal, compliance, IT and citizen developers on managing the risks linked to new technology adoption.

About the author

Paul Proctor is a VP distinguished analyst at Gartner, leading CIO research for technology risk, cybersecurity and the business value of IT. Mr Proctor will be speaking on various cybersecurity trends and issues at Gartner Symposium/ITxpo 2016 on the Gold Coast, 24-27 October.
