Protect your organization with data-driven security strategy.
Read time: 2 minutes
As breaches dominate the headlines, it’s more important than ever for organizations to pursue a data-driven security strategy.
Has your organization had a major data breach?
If not—congratulations. Data breaches have been on the rise for years, and 2015 was a banner year for cyber criminals. More than 700 major breaches were reported, and in a recent survey of IT professionals, more than 90 percent say they suffer security incidents several times a year.[1] With numbers like that, it’s no surprise that security is a big concern for enterprise organizations, as many pump millions into security assessments and massive network improvements.
This approach isn’t necessarily wrong, or even bad. Certainly, it’s important to assess your security posture and where you might be lacking in order to better protect yourself. However, I believe there’s a better way to approach organizational data security—and it starts with your data.
Assessing risk, not security
Rather than basing their strategy solely on the findings of a security assessment, organizations should also conduct a risk assessment that takes a more holistic view of the entire enterprise before deciding on a security posture. While security assessments are important, on their own they provide too little information for building this security strategy.
Assessments can help explain why a breach occurred, and areas where you may be lacking—valuable information, indeed. However, they don’t adequately assess the risk involved with a data breach. For example, a data breach that obtains the financial and personal information of your entire customer base would be much more impactful than a data breach resulting from corporate espionage, perhaps attempting to steal plans for a new product.
A risk assessment allows organizations to classify their information—both critical and not. It should include a quantitative analysis of this data, which places a value on each class of information and estimates what would happen if that data were breached. In this light, a risk assessment should be seen as complementary to a security assessment.
Protecting what’s important
Such an approach has a number of benefits. First, it lets organizations tailor their security solution to their unique needs, without spending more than they have to. Most vendors offer a one-size-fits-all package (or tiered packages, with more features available the more you’re willing to spend) that provides equal protection across your entire network. But by conducting a risk assessment, an organization can understand both where they might be vulnerable and what information is most valuable, allowing them to choose the security solution that best suits their needs.
This leads into my second point: A risk assessment is the best means with which to protect your critical business information. Without knowing what information is valuable and what is not, IT admins have to defend the entire network equally all the time, a very tall task indeed. By identifying the value of information, organizations can shift resources to the defense of more important data, so that even if they do become the victim of a data breach, their critical information remains safe.
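The quantitative step described above (classify the data, put a value on it, then shift defensive resources toward the most valuable classes) can be made concrete with a small model. The following is an added example written for this page, not Ricoh's own tooling or method; it assumes the conventional annualized loss expectancy formula (ALE = single loss expectancy × annual rate of occurrence), which the article does not name, and the asset register and dollar figures are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InformationAsset:
    """One classified information asset; all figures are estimates from the risk assessment."""
    name: str
    classification: str               # result of the classification step: "critical" / "non-critical"
    single_loss_expectancy: float     # dollar loss if this data set is breached once (SLE)
    annual_rate_of_occurrence: float  # expected breaches per year (ARO)

    def annualized_loss_expectancy(self) -> float:
        # ALE = SLE x ARO, the conventional quantitative risk figure (assumption: the
        # article asks only for a "quantitative analysis" and names no formula).
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


# Constructed sample register: three data sets with hypothetical values and likelihoods.
# The first two mirror the article's own comparison of customer data versus product plans.
SAMPLE_ASSETS: List[InformationAsset] = [
    InformationAsset("customer financial and personal records", "critical",
                     single_loss_expectancy=400_000 * 100.0,   # 400k records x $100 each
                     annual_rate_of_occurrence=0.25),
    InformationAsset("plans for a new product", "critical",
                     single_loss_expectancy=2_000_000.0,
                     annual_rate_of_occurrence=0.5),
    InformationAsset("internal newsletter archive", "non-critical",
                     single_loss_expectancy=2_000.0,
                     annual_rate_of_occurrence=0.5),
]


def rank_by_risk(assets: List[InformationAsset]) -> List[Tuple[str, float]]:
    """Return (name, ALE) pairs, highest expected annual loss first."""
    scored = [(a.name, a.annualized_loss_expectancy()) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def allocate_budget(assets: List[InformationAsset], budget: float) -> Dict[str, float]:
    """Split a security budget across assets in proportion to each asset's share of total ALE.

    This is the "shift resources to the defense of more important data" step.
    """
    if not assets:
        return {}
    total_ale = sum(a.annualized_loss_expectancy() for a in assets)
    if total_ale <= 0:
        # Nothing quantified yet: fall back to an even split instead of dividing by zero.
        return {a.name: budget / len(assets) for a in assets}
    return {a.name: budget * a.annualized_loss_expectancy() / total_ale for a in assets}


def uniform_budget(assets: List[InformationAsset], budget: float) -> Dict[str, float]:
    """Equal protection everywhere regardless of value: defending the whole network alike."""
    if not assets:
        return {}
    return {a.name: budget / len(assets) for a in assets}


if __name__ == "__main__":
    budget = 1_000_000.0
    print("Assets ranked by annualized loss expectancy:")
    for name, ale in rank_by_risk(SAMPLE_ASSETS):
        print(f"  {name:45s} ${ale:>14,.0f}")
    print("\nRisk-weighted budget vs. uniform split:")
    weighted = allocate_budget(SAMPLE_ASSETS, budget)
    uniform = uniform_budget(SAMPLE_ASSETS, budget)
    for name in weighted:
        print(f"  {name:45s} ${weighted[name]:>12,.0f}   (uniform: ${uniform[name]:,.0f})")
```

With the sample figures the customer records carry an expected annual loss of $10 million against $1 million for the product plans and $1,000 for the newsletter archive, so the risk-weighted split directs over 90 percent of the budget to customer data, whereas the uniform split spends a third of it protecting newsletters. The ARO values are the weakest input in any such model; treat them as ranges to be revisited, not precise probabilities.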
Finally, this approach is significantly more holistic in scope than a security assessment. This is critical for an enterprise-level organization, which can be made up of tens or even hundreds of thousands of people, each of them territorial and concerned primarily with the work that they do, rather than the functioning of the overall business.
Because of this, I recommend to organizations that they bring in an outside partner to conduct the risk assessment, rather than doing it themselves. Individual departments generally don’t have the infrastructure capable of quantifying risk, and organizational efforts can often get bogged down in internal politics. An objective, outside view is necessary to understand the big picture, and how to best protect your organization from external threats through a data-driven security strategy.
[1] HIPAA Journal: "Only Half of Companies Have a Computer Security Incident Response Team", December 21, 2015. http://www.hipaajournal.com/only-half-of-companies-have-a-computer-security-incident-response-team-8225/