There is no better way to celebrate Data Privacy Day than by bringing together the two people in the organization who most influence data privacy strategies: the Chief Information Security Officer (CISO) and the Chief Data Officer (CDO). After all, data privacy and security is the foundation for digital transformation initiatives that can improve customer service, add competitive advantage, and increase profitability with projects like building new business models, digitizing records, or securely building AI solutions. Across industries and projects, data drives digital transformation, and securing it is paramount to the success.
Major trends, including public cloud migration, the rise in Software as a Service (SaaS) application delivery, the increasing cost of data breaches, proliferating privacy regulations, and the importance of data analytics all rely on data security as an increasingly critical component of their success. While most cybersecurity programs rightfully focus on risk reduction, CISOs and information security leaders are beginning to realize a new opportunity to unlock the business potential of data. With the emergence of the Chief Data Officer (CDO) at many organizations, there is an increasing understanding about the benefits of commercializing or monetizing business data, much of which is sensitive. In this new era of digital transformation, the CISO and information security organization can become an important enabling resource when implementing security analytics programs and sharing this information for initiatives led by the CDO.
With a focus on monetizing data, technologies such as machine learning, artificial intelligence, big data, and analytics create the ability to share data, yielding potential benefits such as discovering drugs that cure diseases, eliminating financial fraud, and unlocking business insights that transform industries. But, hospitals, financial institutions, and other organizations are correctly prohibited by privacy regulations from sharing this potentially powerful data because it is sensitive and private. However, advances in encryption, trusted execution environments (TEEs) and analytics now make it possible to protect privacy while sharing private data, unlocking and advancing new learning and data-driven business opportunities. Privacy preserving analytics can be applied in cases where multiple parties have private data that needs to be combined and analyzed without exposing the underlying data or machine learning models to the other parties.
Protecting private data and reducing business risk should be the primary objectives of digital security transformation programs. The first step in this process is to document business risks using a process that identifies threats, assigns a probability of the threat happening, and estimates the impact of the risk if it does happen. Documented risks can then be prioritized based on the probability they might occur and their estimated impact.
After the business risk assessment is complete, an organization should classify its data according to the business risk before determining security controls and policies needed to protect that data. Data classification in an organization often involves four levels – public, internal, confidential, and restricted data. Once data is classified to a certain level, the organization can determine access controls and policies required to keep the data safe.
The next step in this process is actually creating the policies and security controls for accessing data as determined by the established data classification levels. For example, personally identifiable information (PII) is likely classified as “restricted” data. This data, in most cases, would need to be encrypted throughout its data lifecycle, labeled as PII, accessible only to the applications and users that require access, and never transmitted outside the organization through email. Preventative security controls could include technologies such as encryption or tokenization of PII. Detection-based technologies can monitor for unauthorized access to the data or encryption keys leading to remediation of the threat, which might be automatically revoking an encryption key. Predictive technologies can also analyze audit logs and risk assessment to determine gaps in policies or controls.
Businesses are re-inventing themselves through digital transformation initiatives. It is important for information security organizations to become more strategic to the business by aligning to business goals and enabling the business to leverage and benefit from security and private data. Major trends including migration to public cloud, the expansion of Software as a Service (SaaS) application delivery, the increasing cost of data breaches, proliferating privacy regulations, and the importance of data analytics require that data security be at the top of every CISO’s priority list.
CISOs should begin by leading a transformation of their data security program that puts in place a strategic approach to mitigating risk and aligning with business objectives. Then, information security organizations should implement data security controls designed to prevent, detect, respond to, and predict threats. As organizations place a higher priority on monetizing data analytics and sharing, CISOs should look for opportunities to help CDOs remove regulatory, privacy and security obstacles using technologies such as privacy preserving analytics in order to advance the organization through leveraging data.