Rethinking security: Protect your organization in the new world of work

by Ashish Patel

As breaches dominate the headlines, it’s more important than ever for organizations to pursue a data-driven security strategy.

Has your organization had a major data breach?

If not—congratulations. Data breaches have been on the rise for years, and 2015 was a banner year for cyber criminals. More than 700 major breaches were reported, and in a recent survey of IT professionals, more than 90 percent say they suffer security incidents several times a year.¹ With numbers like that, it’s no surprise that security is a big concern for enterprise organizations, as many pump millions into security assessments and massive network improvements.

This approach isn’t necessarily wrong, or even bad. Certainly, it’s important to assess your security posture and where you might be lacking in order to better protect yourself. However, I believe there’s a better way to approach organizational data security—and it starts with your data.

While security assessments are important, they provide an inadequate amount of information for creating a security strategy.

Assessing risk, not security

Rather than basing their strategy on the findings of their security assessment, organizations should also conduct a risk assessment that takes a more holistic view of the entire enterprise before deciding on a security posture. While security assessments are important, they provide an inadequate amount of information for creating this security strategy.

Assessments can help explain why a breach occurred, and areas where you may be lacking—valuable information, indeed. However, they don’t adequately assess the risk involved with a data breach. For example, a data breach that obtains the financial and personal information of your entire customer base would be much more impactful than a data breach resulting from corporate espionage, perhaps attempting to steal plans for a new product.

A risk assessment allows organizations to classify their information—both critical and not. It should include a quantitative analysis of this data, which places a value on this information and what would happen if that data is breached. In this light, a risk assessment should be seen as complimentary to a security assessment.

By conducting a risk assessment, an organization can understand both where they might be vulnerable and what information is most valuable, allowing them to choose the security solution that best suits their needs.

Protecting what’s important

Such an approach has a number of benefits. First, it lets organizations tailor their security solution to their unique needs, without spending more than they have to. Most vendors offer a one-size-fits-all package (or tiered packages, with more features available the more you’re willing to spend) that provides equal protection across your entire network. But by conducting a risk assessment, an organization can understand both where they might be vulnerable and what information is most valuable, allowing them to choose the security solution that best suits their needs.

This leads into my second point: A risk assessment is the best means with which to protect your critical business information. Without knowing what information is valuable and what is not, IT admins have to defend the entire network equally all the time, a very tall task indeed. By identifying the value of information, organizations can shift resources to the defense of more important data, so that even if they do become the victim of a data breach, their critical information remains safe.

Finally, this approach is significantly more holistic in scope than a security assessment. This is critical for an enterprise-level organization, which can be made up of tens or even hundreds of thousands of people, each of them territorial and concerned primarily with the work that they do, rather than the functioning of the overall business.

Because of this, I recommend to organizations that they bring in an outside partner to conduct the risk assessment, rather than doing it themselves. Individual departments generally don’t have the infrastructure capable of quantifying risk, and organizational efforts can often get bogged down in internal politics. An objective, outside view is necessary to understand the big picture, and how to best protect your organization from external threats through a data-driven security strategy.

Pursue a data-driven security strategy

Learn more about how to protect your critical business information and reduce your exposure to threats.

Learn more about data security

Ashish Patel, Principal Consultant, Enterprise Consulting Services for Ricoh USA, Inc., optimizes business critical services and programs for global customers, with a focus on business process agility, governance, risk and compliance. Patel’s experience includes management and technology consulting, strategic planning, business development, and full lifecycle management of large business process and technology transformation projects across a range of industries. Patel holds a Master of Science in Electrical Engineering from UCLA, as well as a Master of Science in Information Engineering and Management from Southern Methodist University.

¹ HIPAA Journal: "Only Half of Companies Have a Computer Security Incident Response Team" December 21, 2015. http://www.hipaajournal.com/only-half-of-companies-have-a-computer-security-incident-response-team-8225/