Research: Data-Centric Security
Data-Centric Security: Combine Process, Technology
Security vendors and industry pundits are yelling: “It’s the data, stupid!” as they push enterprises to focus on DLP, database security and data breach notification. But CISOs are shouting right back: “Where’s the money? And can someone explain how to get end users and business leaders to give a … ?”
“Executives would like to believe that we are on par with others in our industry group, but this is not so,” says one respondent to our InformationWeek Analytics Data-Centric Security survey of 309 business technology professionals. “I take pride in my job, and I keep pounding the table for an independent evaluation. I know of holes. I fear that it will take a serious breach of PII before we move forward with more robust security measures in all of our IT areas.” Adds another: “We have cash flow problems. And there are political problems when risk assessments unearth issues with outside vendors who we thought were properly managing data.”
We define a data-centric strategy as focusing on protecting both structured and unstructured data when it’s in use by customers or employees (data in use), as it rests on network file systems (data at rest), and as it traverses the LAN or leaves the corporate boundary (data in motion). In our survey, respondents are generally confident in their technical staffs’ ability to implement a data-centric security model, but their efforts are constrained by a scarcity of funds and a lack of management sponsorship and organizational will. Despite these perennial problems, more enterprises are using a data-centric model than we expected; just 10% are wholly dismissive of the approach.
Sometimes companies set out to focus on data; sometimes it’s a side effect of the growing popularity of DLP technology. Despite the newness and still high cost of these systems, 42% of respondents have either already deployed them or plan to within the year. In our experience, those organizations that use DLP systems seem much more mature in terms of implementing the policies, auxiliary technologies and enforcement mechanisms to realize data-centric security. In our practice, and as reflected in our survey results and research, mature adopters of a data-centric security model share some characteristics: They assign a data owner who is nontechnical, and upper management provides that person with full decision-making authority. Read that again: We said nontechnical data owner with full decision-making authority. They align their security priorities with business requirements by focusing on who and what get access to data. And they choose security technologies based on quantified risk.
In this report, we’ll explore the link between adoption of DLP and data-centric security and reveal what other technology is just as important, detail best practices to become more focused on data, and discuss when IT can help most by keeping its hands off. (860110)
Survey Name: InformationWeek Analytics Data-Centric Security Survey
Survey Date: November 2009
Region: North America
Number of Respondents: 309
Table of Contents
Author's Bio
Executive Summary
Research Synopsis
Worse Than It Ever Was
Impact Assessment
Evolution, Not Revolution
When the Village Idiot Lives in the Castle
Ship It Out
Get Going
Policy Trap
The DLP Factor
How to Get There
Who Are You?
Hidden Benefits
Appendix