With Cloud, CDO and CISO Concerns Are Equally Important
Navigated properly, a melding of these complementary perspectives can help keep an organization more secure.
Cloud data consolidation is widespread, as evidenced by the rapid growth of well-known cloud data warehouses like Redshift and Snowflake. Of course, the pivot to support remote working environments over the past year has accelerated this trend. With cloud migration comes valuable cloud data, a resource that, according to Forrester’s Jennifer Belissent, is a moderate priority for 61% of organizations and is a critical or high priority for 25%. The demand for cloud data insights not only magnifies the role of the chief data officer (CDO) but also makes it essential for the CDO to collaborate with the chief information security officer (CISO) to ensure data remains secure through the analytics pipeline. There is plenty of responsibility for each, and an organization’s success lies in the balance between the two.
On the one hand, CDOs are excited about this mass influx of new data and the insights the company can gain from it, while CISOs, who must ensure that these newly mined assets don’t become sources of risk, have the unfortunate task of saying, “Not so fast.” And to be clear, both points of view are legitimate. Companies stand to gain keen insight by analyzing and sharing the wealth of cloud data they create, but doing so without the proper protections puts the company at a higher risk of data breaches and associated regulatory fines.
So the question is, how can organizations extract the most significant return on investment (ROI) from data while maintaining best-in-class protection standards?
Finding the CDO-CISO “Happy Medium”
The key to keeping both CDOs and CISOs happy requires building data-centric security controls into the analytics pipeline to protect the data during creation, transport, storage, and processing. Doing so allows organizations to make the most of data while ensuring its protection internally and when shared outside of the organization. Here are five ways to use data to its fullest extent while protecting it, regardless of use.
Identify Data Value
Every piece of data entering a cloud environment should be accounted for and given a value upon creation. Doing so helps prioritize its importance to the organization and guides methods for data management. Customer-buying insight, intellectual property and proprietary information are examples of data that should be prioritized over, for instance, officewide policy memos or annual vacation schedules.
Assign Risk Scores
Sometimes data does not offer critical insight, but it is incredibly sensitive — customer Social Security numbers, credit card numbers, and other personal identifiable information (PII), for example. All data should be assigned a risk score that determines the extent to which it will be protected. It is important to remember that determining risk levels is not always an exercise that is at the organization’s discretion — privacy regulations, such as GDPR, CPRA, and HIPAA, outline which datasets should be considered most sensitive.
Implement Appropriate Protection Methods
Data protection is not a one-size-fits-all proposition — many factors determine protection methods. Data value and risk scores are two key determinants, but how and where data is being used must also be considered. As we have discussed, unstructured data — such as raw transaction logs, images, and text documents — entering the data analytics pipeline requires less intricate protection than refined and structured data exiting the pipeline. The protection method is even more important when engaging in data-sharing activities in which data values can be analyzed without revealing PII connected to the data.
Determine Access Control Policies
Many organizations embrace a zero-trust approach to security, which, as the name suggests, means trusting no one inside or outside of the network. A key element of such an approach requires access control policies that dictate who can and cannot access specific data in specific formats, with a fail-safe strategy for which the default posture is to deny access. Strict access control can drastically reduce the risk of exposure, especially as data becomes more valuable through the analytics pipeline and in data-sharing activities.
Monitor Data Throughout Its Life Cycle
Data, in any form, represents risk. Organizations that vigilantly monitor data can recognize anomalies early on and proactively move forward with mitigation tactics to prevent data exposure altogether or, at a minimum, limit the damage.
The CDO will tell you that the promise of cloud computing is seemingly limitless, but the CISO will counter by reminding you that the risk of data exposure is equally infinite. In today’s data-driven business environment, the CDO-CISO dynamic is the key to harnessing data’s value. By implementing data analytics techniques that incorporate best-in-class protection methods, organizations can keep both sides of the aisle satisfied.
Ameesh Divatia is Co-Founder & CEO of Baffle, Inc., which provides encryption as a service. He has a proven track record of turning technologies that are difficult to build into successful businesses, selling three companies for more than $425 million combined in the service … View Full Bio