Gartner’s Research Director for Data Loss Prevention (DLP) Brian Reed recently presented at the company’s annual Security and Risk Management Summit, held in Sydney. He discussed misconceptions surrounding data protection and delivered a forward-looking strategic approach to data security for 2016 and beyond, which includes endpoint DLP, network DLP, and data discovery and classification.
“Where is your data? The answer is cloud, mobile, data centres, servers, databases – all kinds of different places. It’s ubiquitous, it’s everywhere”, says Reed. “Data is also constantly moving and changing – it’s not static”.
Against this backdrop, Reed says the traditional approach taken to protecting data no longer works and not all data is equal or should be treated equally.
“Data has different value. Most organisations really end up lacking a true, risk-based focus on what data truly matters to them”.
Reed says it’s critical that IT security professionals work more closely with the business owners of data to understand which data has higher value and what concerns they have.
“Inconsistent data security controls exist based upon where data resides. By human nature, if we accept that not all data is created equal and accept that it’s residing in a lot of different places, that leads us to the conclusion that there’s going to be inconsistent data security control out there,” he says.
This is in large part due to a lack of focus on “people-centred security”, says Reed. He says getting data owners involved and actively creating a dialog with them is critical.
One of the issues is that many people have a flawed view of how data security works.
“The ‘put your data in a safe’ mentality is flawed. It’s a matter of using the right tool at the right time for the right type of data,” he says.
When looking at how data security governance is managed in many organisations, Gartner’s data suggests the vast majority of companies’ security governance functions are dominated by IT and security professionals. Reed says this needs to change, with the line of business taking responsibility for data ownership and security.
“One of the biggest difficulties we hear from information security and IT organisations is getting the line of business to take ownership and acceptance that the data belongs to them”.
However, Gartner’s research suggests the balance between line of business and technical people involved in data security governance is changing, although it will require an active dialog for business data owners to become more engaged in data security.
As this dialog progresses and evolves, Reed says it will provide the business with an opportunity to use data security as a business enabler and differentiator rather than a blocker.
Data Loss Prevention
Not surprisingly, as the Research Director for DLP, Reed had something to say about the role of DLP.
“Regulatory compliance and intellectual property protection are going to be the two main use-cases that drive data loss prevention adoption tying back to business requirements,” he says.
One of the data points Reed presented concerned companies’ use of discovery software to detect when unsanctioned cloud services are being used to hold sensitive corporate data.
Reed says “17% of people surveyed are using cloud application discovery technology”.
However, with the increased use of cloud service brokers, Reed expects the number of companies deploying these solutions themselves will decrease, as they effectively outsource the activity. More companies will rely on third parties to support their DLP efforts rather than trying to do it themselves.
A key factor is understanding how data is actually being used. While data may start its life in one place, it might be exported, transported and imported into another application where it is used and potentially moved again.
By looking at specific use-cases, Reed says businesses will be able to better match the enterprise’s needs for data protection and security while enabling innovation and better business outcomes.