Data management is a top priority for many information security professionals. Yet determining which information needs to be protected sometimes can be difficult. Asim Fareeduddin, Vice President of IT Security and Regulatory Controls Assurance at RELX Group, provided tips to help information security professionals identify and manage critical data assets within their respective organizations during his keynote presentation to Argyle’s CISO membership at the 2018 Information Security Leadership Forum in Atlanta on April 5.
In his presentation, “Managing Critical Data Assets Using a Risk-Based Approach,” Fareeduddin described how information security professionals can leverage risk assessments to evaluate their everyday data security efforts.
In many instances, information security professionals are overwhelmed with structured and unstructured data. But with the right data management systems and processes in place, these professionals can determine which data to protect and how to properly safeguard this information. “Sometimes, we forget the basics and what we are trying to protect,” Fareeduddin noted. “We need to determine what data assets we have and how to protect them.”
Information security professionals must devote time and resources to data management and analysis. By doing so, they can classify data based on its importance to a business. They can also establish data inventories to collect and monitor comprehensive data sets over an extended period of time.
“Before you need to figure out how you’re going to protect something, you need to figure out what you need to protect,” Fareeduddin stated. “You need to have a comprehensive data inventory.”
Data classification can play a key role in how information security professionals safeguard a company’s sensitive data against a wide range of cyber threats. For example, if information security professionals fail to classify data, they risk exposing critical business information to cybercriminals. And if hackers use this information to launch cyberattacks, a company could suffer downtime, outages and other problems that cause revenue loss and brand reputation damage.
By contrast, information security professionals who classify data can avoid “sinkholes” that result in significant data loss. “We have a data sinkhole, and all of our data is going to get sucked down into that hole unless we protect [this information],” Fareeduddin pointed out. “We need to classify our data internally.”
Information security professionals should understand where a company’s data resides. These professionals must identify the data security vendors that can help a business secure its sensitive information, determine how these vendors safeguard the company’s critical information and gather other pertinent data security information. That way, information security professionals will know exactly where a company’s critical data is stored at all times.
Although many companies are leveraging cloud storage options, information security professionals should find out how a cloud services provider safeguards a company’s data. Information security professionals then can determine which types of business information can be stored in the cloud and plan accordingly.
RELX deployed a collaborative approach to manage its critical data assets by eliminating departmental silos, which enabled employees in multiple departments to work together to secure the company’s sensitive information. “We knew we had all of this information, and we had to figure out a way to safeguard it,” Fareeduddin stated. “But you sometimes have problems where departments are siloed … and nobody is talking to each other.”
Ultimately, information security professionals must learn about a company’s data, categorize this information and build policies around it. This approach enables information security professionals to establish data security priorities and ensure a company’s sensitive data is fully protected – without exception.
Information security professionals also should perform continuous data security monitoring and auditing. As the cyber threat landscape evolves, cybercriminals likely will launch sophisticated attacks to target sensitive business data in the years to come. However, if information security professionals remain diligent in their efforts to update their data management policies, they may be better equipped than ever before to keep pace with a rapidly changing cyber threat landscape.
Risk assessments can deliver long-lasting benefits for information security professionals, too. By conducting risk assessments, information security professionals can analyze the cyber threats that a company faces. They can then use the results to quickly address myriad cyber threats and update a company’s data management policies as needed.
“We need to figure out what [data] controls to apply, how to apply them and what type of framework we are going to use,” Fareeduddin noted. “We need to use a risk assessment to figure that out.”