In digital business, every enterprise is a link in a global chain. Data flows through and is stored in locations and third parties outside of the organisation's ownership and beyond their control.
Gartner believes that by 2021, 50 percent of data will be outside of the physical control of enterprise IT, up from 10 percent today. This requires enterprise risk and security teams to alter their cybersecurity strategy to protect their organisation.
The traditional contribution of the enterprise risk and security team was to protect corporate data within traditional silos. As the volumes of data increase exponentially, risk management is facing a very different landscape of data management responsibility, especially in terms of speed and control of new data sources.
The adoption of cloud and mobile technologies has enabled enterprises to innovate, improve processes and redirect IT investment. The Internet of Things (IoT) is another domain in which the enterprise has yet another class of highly dispersed data that may not be within the enterprise's physical control, or owned by them. In addition, technology procurement and deployment is increasingly taking place outside the control of IT.
To a degree, traditional risk management is now becoming insufficient because data security governance and policy have not been augmented to follow the data into the cloud and to travel with the mobile workforce. Corporate policies and controls may have stayed within traditional silos, while data hasn’t. This has resulted in increased exposure to cybersecurity risks and organisations may find themselves playing a catch-up game.
To add more complexity and challenges, law and regulatory conventions are lagging behind. In the absence of established case law and regulations, enterprises must be self-reliant and become more rigorous about their own data governance and policies.
The following are five techniques for tackling the complexity and challenges of managing cybersecurity for data you don’t own or control.
1) Map data ownership and flow outside your perimeter
With a lot of data now outside of your control, it’s important to allocate responsibility for security planning and operations in IaaS, PaaS and SaaS environments, and develop effective security strategies for existing and planned utilisation of public clouds.
In the future, mapping data flows will be a primary prerequisite for forward-thinking IT risk and security professionals, who will work with the accountable owners of the data to facilitate better decisions regarding appropriate protection.
Comprehensively mapping all data flows and identifying all data is arguably an impossible task. Start with the most mission-critical business processes first, and then map the data flows that support the desired business outcomes.
2) Assess risk – catalogue contractual terms and service-level agreements
After you’ve created a data map and identified the relevant third parties, apply data and security governance. This starts with the service-level agreements (SLAs) and security-related contract terms that have been agreed with your service providers.
Catalogue and assess risk against elements such as: availability; backup and recoverability; data sharing with third parties; retention and compliance requirements; data access; remedies for failure to perform; and other factors. Don’t treat this data governance and policy exercise as "set and forget it." Enforcement requires continuous monitoring and policy updates.
3) Make risk-based decisions
Enterprise applications can be numerous and complex in terms of their architecture style and deployment model. To govern all of them with the same rigorous controls is not a realistic goal. Leverage the data flow mapping information and treat your applications and their associated data with a value weighting system. Mission-critical data assets have the highest value and give you the best ROI in a data governance and protection investment. Tackle your most important applications that support your most important business outcomes and that have the most sensitive data at risk.
4) Leverage new technologies
It’s important to have visibility and a confident level of control over the highly distributed, complex, dynamic and partially owned digital assets that are significant to digital enterprise success. Automation is important in enabling enterprises to efficiently and effectively wrap their virtual hands around these increasingly larger and more mobile digital assets. New control tools are playing a growing role in enabling IT leaders to push some level of policy control down to their unowned assets, and monitoring how enterprise data is being used.
A wide variety of single points of control are being introduced to manage the configuration, provisioning, security, governance and control of enterprise information assets within highly distributed and externally located postmodern systems. These various forms of new technology provide useful levels of reliable and centralised control over distributed and ambiguous environments.
5) Procure legal and regulatory development expertise
Rapid and widespread changes in information technology have resulted in growing ambiguity in the application of existing law and regulations. Conflicts and disputes in digital business require new interpretations of these requirements.
Digital businesses are evolving much faster than legislators and regulators can adjust or create new agreements and rules. This misalignment creates legal risks, and inadvertent violations can be costly to organisations.
While regulations and laws continue to evolve in these ambiguous areas, risk teams need to be more vigilant than ever to constantly educate themselves, as well as closely partner with legal, compliance, IT and citizen developers on managing the risks linked to new technology adoption.
About the author
Paul Proctor is a VP distinguished analyst at Gartner, leading CIO research for technology risk, cybersecurity and the business value of IT. Mr Proctor will be speaking on various cybersecurity trends and issues at Gartner Symposium/ITxpo 2016 on the Gold Coast, 24-27 October.