Attention, corporate enterprise: your data has left the building.
It might be on servers that you own. It’s probably in a cloud. Somewhere. Perhaps there are various clouds, numerous cloud apps and multiple cloud vendors involved. Then there are the outside third parties touching your data, like your suppliers and partners.
Mobile? That train has so left the station. Internet of Things? A slow train that’s still off in the distance but gaining steam day by day.
So yes, your corporate data really is out there. Now all you have to do is keep it safe. Everywhere. All the time. By the way, make sure your security efforts don’t interrupt the flow of business.
“The amount of data we’re creating is too big and too fast. How do you change a flat tire when the car is still running? That’s the big challenge,” said Serge Bertini, vice-president and general manager for Canada at Hewlett Packard Enterprise (HPE).
Bertini posed that question to a dozen senior IT executives on Tuesday at a CanadianCIO roundtable event in Toronto called Use Cases for Data Security. HPE sponsored the intimate gathering, a rare opportunity for some of Canada’s top tech managers to share both their pain points and their strategy hacks in an honest way with industry peers.
Participants were promised a degree of anonymity so they’d be encouraged to tell it like it is; thankfully, they did.
Outside the walls
According to a guest from a major Canadian bank, one mounting frustration is the loss of control over data security. “Within the bank walls, data is secure. But once it leaves the bank walls? The bank can’t enforce ownership (of data security) anymore.”
Although you may have your own house in order, there’s no guarantee that data security is a priority for your cloud providers, app vendors or other outside partners.
“In our industry, we deal with a lot of small suppliers who are not tech savvy. So getting them on board with any kind of security standard is a huge problem,” said another exec at the table. As an official from the real estate sector put it, “How do you protect the weakest link in your chain when it’s some guys in white delivery vans in Kingston?”
There are also worries about security slipping out of control when so many things that used to be done or run internally – like apps, development and IT support – are now outsourced to external IT contractors and cloud-based service providers.
“They’re not going to protect your data. It’s not their responsibility,” said a person from the investment sector.
Event moderator Jim Love, CIO of IT World Canada, put another query to his table mates: If you run a SaaS app but don’t own the security keys or the source code, how do you keep your data secure on it?
It’s enough to keep a CISO or CIO awake at night. Yet like knights of the IT roundtable, everyone offered helpful suggestions and solutions. Some were technical: AI, automation, blockchain, tokenization, behaviour analysis software, predictive analytics, hardware security modules (HSMs), security information and event management (SIEM), privilege management systems.
And encryption, of course. Instead of encrypting all of a person’s data, Bertini said it might make sense to only encrypt the data that identifies them. The data can easily be shared and analyzed for business value and insights – but if it’s lost or stolen, the identity of its owner/user remains anonymous. If no identity is associated with the data, the privacy risk is mitigated.
“Your team can do the (data) warehousing and understand this person’s behaviour and patterns. But at the same time it’s still an anonymous situation,” Bertini explained.
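The identifier-only encryption Bertini describes, as an added illustration that is not code from HPE or from the article: identifying fields are replaced with keyed HMAC-SHA256 pseudonyms while the behavioural fields stay readable, so the warehouse can still group one person's transactions without ever seeing who they are. The key, field names and sample records below are constructed for the example.

```python
import hmac
import hashlib
from collections import defaultdict

# Assumed secret for this illustration only; a deployment would keep it in a
# KMS or HSM, separate from wherever the pseudonymised records are analysed.
PSEUDONYM_KEY = b"constructed-example-key"

# Columns that identify the person. Everything else stays readable for analytics.
IDENTIFYING_FIELDS = ("name", "email", "account_no")

# Constructed sample records (not real customers).
SAMPLE_RECORDS = [
    {"name": "Alice Ng", "email": "alice@example.com", "account_no": "1001",
     "merchant_category": "grocery", "amount": 40.0},
    {"name": "Bob Roy", "email": "bob@example.com", "account_no": "2002",
     "merchant_category": "fuel", "amount": 12.0},
    {"name": "Alice Ng", "email": "alice@example.com", "account_no": "1001",
     "merchant_category": "pharmacy", "amount": 10.5},
]

def pseudonymise(field: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token for one identifying value.
    The field name is mixed in so an email token cannot be matched against an
    account-number token. The same value always yields the same token, so
    per-person grouping still works, but without the key the token cannot be
    reversed or joined to another data set."""
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def protect_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy of the record with identifying fields replaced by tokens."""
    return {k: (pseudonymise(k, v, key) if k in IDENTIFYING_FIELDS else v)
            for k, v in record.items()}

def spend_by_subject(protected: list) -> dict:
    """Analytics over protected data: total spend per (tokenised) account."""
    totals = defaultdict(float)
    for rec in protected:
        totals[rec["account_no"]] += rec["amount"]
    return dict(totals)

def leaked_identity(originals: list, protected: list) -> set:
    """Check that no raw identifying value survives. An empty set means none did."""
    raw = {str(r[f]) for r in originals for f in IDENTIFYING_FIELDS}
    return {v for r in protected for v in r.values() if str(v) in raw}
```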
Security training needs to be continuous
Other ideas were more tactical (ah, yes, the human part of infosec) than technical. Bertini advocated building a strongly embedded security culture that becomes a daily, reflexive habit. It should be the first thing considered in everything within the enterprise, he said, from verifying new code during development to patching systems and opening emails.
“It’s like starting with some good hygiene. When we’re kids, we learn to brush our teeth regularly. We should do the same thing with our data,” Bertini said.
That can only be helped by a move to make security training more continuous and ubiquitous, as witnessed by one guest at his own organization. “There’s a migration of the security awareness program. Instead of there being 30 questions once a year, they’re moving to it being three questions every three weeks. So it’s ongoing, perpetual education.”
The bottom line, as characterized by one of two banking executives in attendance, is that “security is not just IT’s job. It’s everybody’s job.”
Remember Bertini’s eloquent tooth brushing analogy? Like toothpaste, IT squeezed mobile tech out of the proverbial tube. Since we can’t force it back in there, we’ll just have to deal with the security issues that came oozing out as well.