CDOs are excited about this mass influx of new data and the insights the company can gain from it, while CISOs, who must ensure that these newly mined assets don't become sources of risk, have the unfortunate task of saying, "Not so fast." To be clear, both points of view are legitimate. Companies stand to gain keen insight by analyzing and sharing the wealth of cloud data they create, but doing so without the proper protections puts the company at a higher risk of data breaches and associated regulatory fines.
So the question is, how can organizations extract the most significant return on investment (ROI) from data while maintaining best-in-class protection standards?
Finding the CDO-CISO "Happy Medium"
The key to keeping both CDOs and CISOs happy is building data-centric security controls into the analytics pipeline to protect the data during creation, transport, storage, and processing. Doing so allows organizations to make the most of data while ensuring its protection internally and when shared outside of the organization. Here are five ways to use data to its fullest extent while protecting it, regardless of use.
Identify Data Value
Every piece of data entering a cloud environment should be accounted for and given a value upon creation. Doing so helps prioritize its importance to the organization and guides methods for data management. Customer-buying insight, intellectual property and proprietary information are examples of data that should be prioritized over, for instance, officewide policy memos or annual vacation schedules.
Assign Risk Scores
Sometimes data does not offer critical insight, but it is incredibly sensitive: customer Social Security numbers, credit card numbers, and other personally identifiable information (PII), for example. All data should be assigned a risk score that determines the extent to which it will be protected. It is important to remember that determining risk levels is not always at the organization's discretion; privacy regulations, such as GDPR, CPRA, and HIPAA, outline which datasets should be considered most sensitive.
Implement Appropriate Protection Methods
Data protection is not a one-size-fits-all proposition — many factors determine protection methods. Data value and risk scores are two key determinants, but how and where data is being used must also be considered. As we have discussed, unstructured data — such as raw transaction logs, images, and text documents — entering the data analytics pipeline requires less intricate protection than refined and structured data exiting the pipeline. The protection method is even more important when engaging in data-sharing activities in which data values can be analyzed without revealing PII connected to the data.
Determine Access Control Policies
Many organizations embrace a zero-trust approach to security, which, as the name suggests, means trusting no one inside or outside of the network. A key element of such an approach is a set of access control policies that dictate who can and cannot access specific data in specific formats, with a fail-safe strategy in which the default posture is to deny access. Strict access control can drastically reduce the risk of exposure, especially as data becomes more valuable through the analytics pipeline and in data-sharing activities.
Monitor Data Throughout Its Life Cycle
Data, in any form, represents risk. Organizations that vigilantly monitor data can recognize anomalies early on and proactively move forward with mitigation tactics to prevent data exposure altogether or, at a minimum, limit the damage.
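The five steps above can be tied together in a small policy check. The following is an added example, not code from the article: the 1-to-5 value and risk scales, the three format names, the rule that a risk score of 4 or more caps exposure at "masked", and all dataset and role names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed ordering of protection formats, least to most revealing.
FORMATS = ("tokenized", "masked", "clear")

@dataclass(frozen=True)
class Dataset:
    name: str
    value: int  # assumed scale: 1 (vacation schedule) to 5 (IP, buying insight)
    risk: int   # assumed scale: 1 (low sensitivity) to 5 (regulated PII)

def ceiling(ds):
    """Most revealing format any grant may expose; set by the risk score."""
    return "masked" if ds.risk >= 4 else "clear"  # assumed threshold

class Policy:
    def __init__(self, datasets, grants):
        self.datasets = {d.name: d for d in datasets}
        self.grants = grants   # {(role, dataset name): most revealing format}
        self.audit = []        # every decision, allowed or not, is recorded

    def decide(self, role, dataset, fmt):
        ds = self.datasets.get(dataset)
        grant = self.grants.get((role, dataset))
        if ds is None or grant is None or fmt not in FORMATS:
            allowed = False    # default posture: no explicit grant, no access
        else:
            limit = min(FORMATS.index(grant), FORMATS.index(ceiling(ds)))
            allowed = FORMATS.index(fmt) <= limit
        self.audit.append((role, dataset, fmt, allowed))
        return allowed

    def review_queue(self):
        """Denied requests, highest value-plus-risk dataset first."""
        def weight(entry):
            ds = self.datasets.get(entry[1])
            return ds.value + ds.risk if ds else 0
        denied = [e for e in self.audit if not e[3]]
        return sorted(denied, key=weight, reverse=True)

# Constructed sample inventory and grants.
DATASETS = [Dataset("customer_pii", value=4, risk=5),
            Dataset("vacation_schedule", value=1, risk=1)]
GRANTS = {("analyst", "customer_pii"): "tokenized",
          ("fraud_team", "customer_pii"): "clear",  # capped to masked by risk
          ("analyst", "vacation_schedule"): "clear"}
```

Calling `Policy(DATASETS, GRANTS).decide(role, dataset, fmt)` returns the decision and appends it to the audit trail; `review_queue()` then orders the denials so that attempts against the most valuable and sensitive datasets are reviewed first.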
The CDO will tell you that the promise of cloud computing is seemingly limitless, but the CISO will counter by reminding you that the risk of data exposure is equally infinite. In today's data-driven business environment, the CDO-CISO dynamic is the key to harnessing data's value. By implementing data analytics techniques that incorporate best-in-class protection methods, organizations can keep both sides of the aisle satisfied.