Data-driven decision-making around data security – Is this a myth?
Every CISO would agree that true data-driven decision-making around security would greatly enhance their organization’s security posture. This can be enabled by clear and concise information around –
· What data is present? Who created it? Who is using it and how?
· What are the highest risk areas (by vendor, system, process) to focus on?
· Are risks concentrated in particular areas of the organization?
· Controls and Gaps: What controls are in place to mitigate risks? How are gaps in controls tested?
· Are there differences in controls across systems with similar risks?
· Are there gaps between policy and actual implementation?
· Are changes to risk profiles tracked and understood?
While this seems simple, many organizations lack ready access to such information. From our experience, companies often structure their security programs and controls without the hard data that should be guiding their decision-making. Additionally, when organizations do try to adopt data-driven decision-making around security, they are drowned in a flood of meaningless information about their data.
Both these themes come across clearly in a recent CISO benchmark survey conducted by Cisco (20 Cybersecurity Considerations for 2020). Organizations were increasing spending on proactively identifying data-related risks and focusing more on prevention rather than reactive responses. This means focusing on the basic and foundational elements: building a data inventory, identifying and quantifying the assets with the highest and lowest risks, etc. Also, 16% of organizations received 100,000 or more daily alerts – up from 11% in 2017. However, the increase in alerts has not reduced the rate of legitimate incidents (consistent at 26% year-over-year). The additional alerts may well be adding more false positives (i.e. organizations are drowning in data that is neither accurate nor actionable).
A similar warning was sounded by New York’s Department of Financial Services (DFS) around the next level of risk mitigation companies utilize – namely insurance against cyber risk. In a recently issued Cyber Risk Framework (Feb 2021), the DFS said many insurers who provide insurance against cyber risk do not have a rigorous and data-driven approach to cyber risk. The DFS also said experts are concerned that insurers are not yet able to accurately measure cyber risk.
It is clear many companies do not have the data to make informed decisions about data-related risks. Unfortunately, for data-related issues, there is only a poor understanding of the who, what, where, and how. But there is no magic button that can be pressed to address this. Organizations have to first recognize that this is an issue and take a hard look at their current processes. Only a few organizations even attempt the next step of trying to build a comprehensive Data Map. An even smaller fraction actually ends up with a comprehensive Data Map that stays current. Without true data-driven decision-making around security, it would be like throwing darts with our eyes closed – our ability to hit the target would be greatly diminished.
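To make the questions in the list above (risk concentration, control gaps, policy versus implementation) and the "stays current" requirement concrete, here is an added example of what a minimal Data Map check looks like in code. It is not from the original post; the inventory records, vendor and system names, classification weights and the policy of required controls per classification are all constructed for illustration.

```python
"""Added example: a small Data Map with the gap checks implied by the
questions in the post. Every record, vendor, system and policy rule here
is constructed sample data, not a real organization's inventory."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date


@dataclass
class DataAsset:
    """One entry in the Data Map: what the data is, who owns it, where it lives,
    how sensitive it is, which controls actually protect it, and when the entry
    was last reviewed."""
    name: str
    system: str
    vendor: str
    owner: str
    classification: str          # "public" | "internal" | "confidential" | "restricted"
    controls: set = field(default_factory=set)
    last_reviewed: date = date(2021, 1, 1)


# Hypothetical policy: minimum controls each classification must have.
POLICY = {
    "public": set(),
    "internal": {"access_review"},
    "confidential": {"access_review", "encryption_at_rest"},
    "restricted": {"access_review", "encryption_at_rest", "mfa", "logging"},
}

# Constructed weights used to rank where risk is concentrated.
RISK_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}

# Constructed inventory. Note that 'payroll' and 'support_tickets' are
# protected by fewer controls than their classification requires.
INVENTORY = [
    DataAsset("customer_pii", "crm", "VendorA", "sales", "restricted",
              {"access_review", "encryption_at_rest", "mfa", "logging"}, date(2021, 2, 1)),
    DataAsset("support_tickets", "helpdesk", "VendorB", "support", "confidential",
              {"access_review"}, date(2020, 6, 1)),
    DataAsset("payroll", "hr_suite", "VendorA", "hr", "restricted",
              {"access_review", "encryption_at_rest"}, date(2021, 1, 15)),
    DataAsset("marketing_site", "cms", "VendorC", "marketing", "public",
              set(), date(2019, 1, 1)),
]


def policy_gaps(inventory):
    """Policy vs implementation: assets missing a control their classification requires."""
    return {a.name: sorted(POLICY[a.classification] - a.controls)
            for a in inventory if POLICY[a.classification] - a.controls}


def risk_by(inventory, key):
    """Risk concentration: sum classification weights grouped by 'vendor' or 'system'."""
    totals = defaultdict(int)
    for a in inventory:
        totals[getattr(a, key)] += RISK_WEIGHT[a.classification]
    return dict(totals)


def inconsistent_controls(inventory):
    """Systems holding data of the same classification whose control sets differ."""
    by_class = defaultdict(dict)
    for a in inventory:
        by_class[a.classification][a.system] = frozenset(a.controls)
    return {c: sorted(systems) for c, systems in by_class.items()
            if len(set(systems.values())) > 1}


def stale_entries(inventory, today=date(2021, 3, 1), max_age_days=365):
    """Map currency: entries not reviewed within max_age_days of 'today'
    (the default 'today' is a constructed reference date)."""
    return sorted(a.name for a in inventory
                  if (today - a.last_reviewed).days > max_age_days)


if __name__ == "__main__":
    print("policy gaps:", policy_gaps(INVENTORY))
    print("risk by vendor:", risk_by(INVENTORY, "vendor"))
    print("risk by system:", risk_by(INVENTORY, "system"))
    print("inconsistent controls:", inconsistent_controls(INVENTORY))
    print("stale entries:", stale_entries(INVENTORY))
```

Each function answers one of the post's questions directly from the inventory rather than from an analyst's impression: `risk_by` shows that VendorA carries the most weighted risk, `inconsistent_controls` flags that two "restricted" systems are protected differently, `policy_gaps` lists exactly which required controls are missing, and `stale_entries` surfaces the map entries that nobody has reviewed in over a year. A real Data Map would be fed from discovery tooling and a ticketing system rather than hand-written records, but the checks themselves stay the same.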